Threat Description



Aliases: VBS/Autorun.worm.k, Virus.VBS.AutoRun.b, Type_vbs_autorun


A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details

Worm:VBS/AutoRun.B is a worm that spreads by copying itself to local hard drives, network drives, and removable drives. It has no other functionality.


The worm contains four files:

  • __.vbs
  • __.reg
  • __.bat
  • autorun.inf

The first file is the worm's Visual Basic Script file.

The autorun.inf file causes the __.vbs file to be executed when an infected drive is accessed from a computer that has autorun enabled for that drive.

The script copies all four files to the root of local hard drives, network drives, and removable drives not labeled A:\ or B:\. The four files are also copied under %windir%\system32.


The _.reg and _.bat files are detected as

If the script isn't being run from the %windir%\system32 location and therefore hasn't yet been installed, it executes the __.bat file.

The batch file (__.bat) installs the worm by creating the following registry entry to execute itself each time the computer is started:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit = userinit.exe,__.bat

The batch file makes the registry changes by importing the contents of __.reg into the registry. If the __.bat file was executed by the registry entry, it then runs the script file.

The batch file also sets the file attributes for all four files to hidden, system, read-only and archive.

The worm also tries to alter this registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden

This alteration is an attempt to make hidden files invisible in Windows Explorer.
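
A triage check for the indicators described above, as an added example that is not part of the original write-up: it flags any Userinit entry other than userinit.exe and reports the worm's file names in a directory listing. The function names and the sample values are constructed for illustration.

```python
import ntpath

# File names the write-up lists for Worm:VBS/AutoRun.B.
WORM_FILES = {"__.vbs", "__.reg", "__.bat", "autorun.inf"}


def userinit_extras(value):
    """Return Userinit entries other than userinit.exe.

    Userinit is a comma-separated list of programs; a clean system lists
    only userinit.exe (usually with a full path and a trailing comma).
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries
            if e and ntpath.basename(e).lower() != "userinit.exe"]


def worm_files_in(listing):
    """Return the worm's file names found in a drive-root or system32 listing.

    The worm marks its files hidden and system, so the listing must
    include such files (for example, collected with `dir /a`).
    """
    return sorted(WORM_FILES & {name.lower() for name in listing})


def triage(userinit_value, listing):
    """Combine both indicators into a list of human-readable findings."""
    findings = []
    for extra in userinit_extras(userinit_value):
        findings.append(f"Userinit runs extra program: {extra}")
    hits = worm_files_in(listing)
    # autorun.inf alone is common on legitimate media; require a __.* file too.
    if any(h.startswith("__.") for h in hits):
        findings.append("worm files present: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    print(triage("userinit.exe,__.bat",
                 ["AUTORUN.INF", "__.vbs", "__.bat", "__.reg", "photos"]))
    print(triage(r"C:\Windows\system32\userinit.exe,",
                 ["autorun.inf", "setup.exe"]))
```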

