F-Secure Malware Information Pages: Worm:VBS/HeadTail.A

Summary
This Visual Basic Script worm propagates by copying itself to all available removable, fixed, and remote drives and creating an autorun.ini script on each so that the copy is launched from there.
Whenever such a drive is accessed on a system where autorun is enabled for that drive type, the malware executes automatically.
Detailed Description
Upon execution, the malware writes a copy of itself to every available removable, fixed, and remote drive. It then creates its autorun registry entry at:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
To infect more files and to make sure it runs first, it modifies the file association of the following file types so that the malware is executed before the associated application:
It marks its files with the System and Hidden attributes and, to keep them out of the user's sight, changes the registry settings that control whether Explorer displays files carrying those attributes.
It then searches removable, fixed, and remote drives for HTA, HTM, HTML, ASP and VBS files smaller than 350000 bytes and infects them. The infection routine is capped: no more than 1000 files are infected in a single execution.
As its payload, it checks each filename against a predefined list of strings supposedly related to adult videos and deletes any file whose name matches. The file formats concerned are listed below:
It also monitors the system and ensures that the following processes are terminated:
- 360tray.exe
- cmd.com
- cmd.exe
- msconfig.exe
- ras.exe
- regedit.com
- regedit.exe
- regedit.pif
- regedit.scr
- SREng.exe
- taskmgr.exe
- USBAntiVir.exe
One thing worth mentioning is that, depending on the parameters it is started with, the malware is capable of removing all of its system modifications and deleting all of its copies. It can also disinfect every infected file accessible on the system.
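The following PowerShell script is an added triage example and is not F-Secure's code. It reports, without changing anything, the host-side indicators described above: the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows, the Explorer settings that suppress the display of Hidden and System files, an autorun file in the root of each removable, fixed or remote drive that launches a .vbs, and an inventory (newest write first, with SHA-256) of the HTA/HTM/HTML/ASP/VBS files under 350000 bytes that the worm would consider infecting. The registry path, file types, size limit and drive classes come from the description; the function names, the Explorer "Advanced" values (standard Explorer settings, not mentioned on the page) and the check for autorun.inf alongside the page's autorun.ini are this example's own assumptions.

```powershell
# Added example (not F-Secure's code): read-only triage for the HeadTail.A
# indicators described on this page. Run in PowerShell on the suspect host.

Set-StrictMode -Version Latest

# Win32_LogicalDisk DriveType codes for the drive classes the worm targets.
$TargetDriveTypes = @(2, 3, 4)   # 2 = removable, 3 = fixed, 4 = network (remote)

function Get-TargetDrives {
    Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $TargetDriveTypes -contains $_.DriveType }
}

function Get-HeadTailPersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. The autorun value the worm writes (path taken from the description).
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = Get-ItemProperty -Path $winKey -Name Load -ErrorAction SilentlyContinue
    if ($load -and $load.Load) {
        $findings.Add([pscustomobject]@{ Indicator = 'HKCU ...\Windows\Load value present'; Detail = $load.Load })
    }

    # 2. Explorer settings that keep Hidden/System files out of view (assumed: the
    #    page names no specific values). Hidden = 2 means "Do not show hidden files";
    #    ShowSuperHidden = 0 hides files flagged System.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
    if ($adv) {
        if ($adv.PSObject.Properties['Hidden'] -and $adv.Hidden -eq 2) {
            $findings.Add([pscustomobject]@{ Indicator = 'Explorer hides hidden files'; Detail = 'Hidden=2' })
        }
        if ($adv.PSObject.Properties['ShowSuperHidden'] -and $adv.ShowSuperHidden -eq 0) {
            $findings.Add([pscustomobject]@{ Indicator = 'Explorer hides System files'; Detail = 'ShowSuperHidden=0' })
        }
    }

    # 3. Autorun file in the root of each targeted drive. The page calls it
    #    autorun.ini; autorun.inf is the name Windows honours, so both are checked.
    foreach ($drive in Get-TargetDrives) {
        foreach ($name in 'autorun.inf', 'autorun.ini') {
            $path = "$($drive.DeviceID)\$name"
            if ([System.IO.File]::Exists($path)) {             # ignores Hidden/System attributes
                $body = [System.IO.File]::ReadAllText($path)
                $runsScript = $body -match '(?im)^\s*(open|shellexecute)\s*=.*\.vbs'
                $label = $(if ($runsScript) { 'Autorun file launches a .vbs' } else { 'Autorun file present' })
                $findings.Add([pscustomobject]@{ Indicator = $label; Detail = $path })
            }
        }
    }
    return $findings
}

function Get-HeadTailCandidateFiles {
    # Files the worm would consider infecting: HTA/HTM/HTML/ASP/VBS under 350000 bytes
    # on the targeted drives. Sorted newest write first so that recently rewritten
    # files surface; HiddenSystem flags files carrying both attributes the worm uses.
    param(
        [long]$MaxSize = 350000,
        [string[]]$Roots = @()       # defaults to every targeted drive; pass e.g. 'E:\' to narrow
    )
    if (-not $Roots) { $Roots = Get-TargetDrives | ForEach-Object { "$($_.DeviceID)\" } }
    $exts = '.hta', '.htm', '.html', '.asp', '.vbs'
    Get-ChildItem -Path $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLowerInvariant() -and $_.Length -lt $MaxSize } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'HiddenSystem'; Expression = {
                (($_.Attributes -band [System.IO.FileAttributes]::Hidden) -ne 0) -and
                (($_.Attributes -band [System.IO.FileAttributes]::System) -ne 0) } },
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

# Usage: registry and autorun findings first, then the file inventory of one drive.
Get-HeadTailPersistenceFindings | Format-Table -AutoSize
Get-HeadTailCandidateFiles -Roots 'E:\' | Select-Object -First 20 | Format-Table -AutoSize
```

The inventory walks every file on the given roots, so on a large fixed drive it takes a while; start with the removable drive that was plugged in and compare the hashes against a copy of the same files from a known-good source. A populated Load value on a user profile that never needed one, or an autorun file whose open= line points at a .vbs, is enough to escalate the host for full cleanup.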
F-Secure Corporation
Last Modified: January 02, 2008