Additional Details
Worm:VBS/AutoRun.B is a worm that spreads by copying itself to local hard drives, network drives, and removable drives.
It has no other functionality.
Propagation
The worm contains four files:
- __.vbs
- __.reg
- __.bat
- autorun.inf
The first file is the worm's Visual Basic Script file.
The autorun.inf file causes the __.vbs file to be executed when an infected drive is accessed on a computer that has autorun enabled for that drive.
The script copies all four files to the root of local hard drives, network drives, and removable drives not labeled A:\ or B:\. The four files are also copied under %windir%\system32.
Execution
The __.reg and __.bat files are detected as Trojan.Win32.Zapchast.ee.
If the script isn't being run from the %windir%\system32 location and therefore hasn't yet been installed, it executes the __.bat file.
The batch file (__.bat) installs the worm by creating the following registry entry to execute itself each time the computer is started:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Userinit = userinit.exe,__.bat
The batch file makes the registry changes by adding the contents of __.reg into the registry. If the __.bat file was executed by the registry entry, it then runs the script file.
The batch file also sets the file attributes for all four files to hidden, system, read-only and archive.
The worm also tries to alter this registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  ShowSuperHidden
This alteration is an attempt to make hidden files invisible in Windows Explorer.
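The indicators described above can be checked with a short script. The following is an added example, not part of the original description: it parses a Winlogon Userinit value for entries other than userinit.exe and looks for the worm's four files in a drive root. The function names, the sample Userinit strings and the drive letters in the demo are assumptions made for illustration.

```python
import ntpath
import os

# File names taken from the description above.
WORM_FILES = ("__.vbs", "__.reg", "__.bat", "autorun.inf")
EXPECTED_USERINIT = "userinit.exe"


def extra_userinit_entries(value):
    """Return Userinit entries that are not userinit.exe.

    Userinit is a comma-separated list of programs Winlogon starts at logon;
    a clean value usually holds only the path to userinit.exe and a trailing comma.
    Only the file name is compared, so a renamed binary elsewhere is not caught.
    """
    entries = [e.strip().strip('"') for e in value.split(",")]
    return [e for e in entries
            if e and ntpath.basename(e).lower() != EXPECTED_USERINIT]


def worm_files_in(root):
    """Return the worm's file names found directly under root (case-insensitive)."""
    try:
        names = {n.lower() for n in os.listdir(root)}
    except OSError:
        return []  # drive not ready or not readable
    found = [f for f in WORM_FILES if f in names]
    # autorun.inf alone is common on legitimate media; require a worm file too.
    return found if any(f != "autorun.inf" for f in found) else []


def autorun_mentions_script(root):
    """True if root/autorun.inf contains the string __.vbs on any line."""
    try:
        with open(os.path.join(root, "autorun.inf"), "r", errors="replace") as fh:
            return any("__.vbs" in line.lower() for line in fh)
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not captured from an infected machine.
    print(extra_userinit_entries(r"C:\Windows\system32\userinit.exe,"))
    print(extra_userinit_entries("userinit.exe,__.bat"))
    for drive in ("C:\\", "D:\\", "E:\\"):  # hypothetical drive letters
        print(drive, worm_files_in(drive), autorun_mentions_script(drive))
```

Because the batch file marks all four files hidden, system and read-only, the directory listing is more reliable than a view in Windows Explorer.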