F-Secure Malware Information Pages: Worm:VBS/AutoRun.B

Name: Worm:VBS/AutoRun.B
Alias: Virus.VBS.AutoRun.b, VBS/Autorun.worm.k
Type: Worm
Category: Malware
Platform: VBS

Summary
Worm:VBS/AutoRun.B is a worm that spreads by copying itself to local hard drives, network drives, and removable drives.

It has no other functionality.

Detailed Description
The Visual Basic Script file of the worm is called __.vbs. In addition to the Visual Basic Script file, the malware consists of three other files:

  • __.reg
  • __.bat
  • autorun.inf

The first two files are detected as Trojan.Win32.Zapchast.ee.

The autorun.inf file causes __.vbs to be executed when an infected drive is accessed from a computer that has autorun enabled for that drive.

The script copies all four files to the root of local hard drives, network drives, and removable drives not labeled A:\ or B:\. The four files are also copied under %windir%\system32. The script file then executes __.bat if the script isn't being run from under %windir%\system32 and therefore hasn't yet been installed.

The batch file (__.bat) installs the worm by creating the following registry entry that executes __.bat every time the computer is started:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit = userinit.exe,__.bat

The worm also tries to alter the registry entry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden

This alteration is an attempt to keep hidden files from being displayed in Windows Explorer.

The batch file makes the registry changes by adding the contents of __.reg into the registry. The batch file then runs the script file if __.bat was executed by the registry entry. The batch file also sets the file attributes for all four files to hidden, system, read-only and archive.
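
A defender-side check for the artifacts listed above, added here as an example (it is not F-Secure's code): it looks for the worm's file names in a drive root or system32 directory and flags Userinit entries other than userinit.exe. The function names and the sample autorun.inf text are assumptions constructed for illustration.

```python
import os
import tempfile

# File names from the description above. autorun.inf alone is not conclusive,
# since legitimate media also carry one, so it is checked separately.
WORM_ONLY = {"__.vbs", "__.reg", "__.bat"}

def userinit_extra_entries(value):
    """Return Userinit entries whose file name is not userinit.exe."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries
            if e and os.path.basename(e.replace("\\", "/")).lower() != "userinit.exe"]

def scan_root(root):
    """Check one drive root (or the system32 directory) for the worm's files.

    os.listdir() reports entries regardless of the hidden/system attributes
    the batch file sets, so those attributes do not hide them here.
    """
    names = {n.lower(): n for n in os.listdir(root)}
    found = sorted(names.keys() & WORM_ONLY)
    inf_refs_script = False
    if "autorun.inf" in names:
        path = os.path.join(root, names["autorun.inf"])
        with open(path, "r", errors="ignore") as fh:
            inf_refs_script = "__.vbs" in fh.read().lower()
    return {"files": found, "autorun_refs_script": inf_refs_script,
            "suspicious": bool(found) or inf_refs_script}

def demo():
    """Run both checks on constructed sample data (empty files, not worm code)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("__.vbs", "__.bat", "__.reg"):
            open(os.path.join(root, name), "w").close()
        with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
            # Constructed content; the page does not give the real file's text.
            fh.write("[autorun]\nopen=__.vbs\n")
        # Userinit value as shown in the registry entry above.
        return scan_root(root), userinit_extra_entries("userinit.exe,__.bat")

if __name__ == "__main__":
    print(demo())
```

On a live system, pass the value read from the Winlogon key to `userinit_extra_entries` and call `scan_root` on each drive root and on %windir%\system32.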
F-Secure Corporation

Last Modified: March 10, 2008