Worm:VBS/Agent

Classification

Category :

Malware

Type :

Worm

Aliases :

Trojan.Autorun, Trojan.VBS.Autorun, Trojan.VBS., Trojan.Autorun., VBS.Worm.Polyrun.Gen, VBS.Worm.Runauto.F

Summary

Worm:VBS/Agent copies itself to various locations on the infected machine and modifies the registry to redirect various user actions into unwittingly executing the worm copies.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Note: disinfection will remove the malicious VBS files (including files detected in the Alternate Data Stream) but will not repair system damage inflicted by the malware.

Caution: Manual disinfection is recommended only for advanced users.

  • 1. Run a full computer scan and clean all the threats.
  • 2. Press Start -> Run -> type regedit.
    Open HKLM\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell
    and delete the registry keys explore and open.
  • 3. Press Start -> Run -> type cmd, then run:
    cd \
    del *.lnk
    Repeat for other drives, if any.
    Unhide the Windows folders:
    attrib -s -h Windows
    attrib -s -h "Program Files"
    attrib -s -h "Documents and Settings"
    Run attrib -s -h for other necessary files and folders set as system and hidden.
     
  • 4. In regedit, replace these values with their originals:
    HKLM\SOFTWARE\Classes\regfile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   "regedit.exe "%1""
    HKLM\SOFTWARE\Classes\batfile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   ""%1" %*"
    HKLM\SOFTWARE\Classes\chm.file\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   ""C:\WINDOWS\hh.exe" %1"
    HKLM\SOFTWARE\Classes\cmdfile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   ""%1" %*"
    HKLM\SOFTWARE\Classes\hlpfile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   "%SystemRoot%\System32\winhlp32.exe %1"
    HKLM\SOFTWARE\Classes\inffile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   "%SystemRoot%\System32\NOTEPAD.EXE %1"
    HKLM\SOFTWARE\Classes\inifile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   "%SystemRoot%\System32\NOTEPAD.EXE %1"
    HKLM\SOFTWARE\Classes\txtfile\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" %1 %* "
      To:   "%SystemRoot%\system32\NOTEPAD.EXE %1"
    HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:[numbers].vbs" OIE "
      To:   ""C:\Program Files\Internet Explorer\iexplore.exe" %1"
    HKLM\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\:
      From: "%SystemRoot%\System32\WScript.exe "C:\WINDOWS\explorer.exe:1212864906.vbs" OIE "
      To:   ""C:\Program Files\Internet Explorer\iexplore.exe""
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN\CheckedValue:
      From: 0x00000003
      To:   0x00000002
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue:
      From: 0x00000002
      To:   0x00000001
     
  • 5. Remove the autorun value:
    HKU\S-1-5-21-1390067357-1275210071-839522115-1004\Software\Microsoft\Windows NT\CurrentVersion\Windows\load:
      ""C:\WINDOWS\system32\smss.exe:1212864906.vbs""
     

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The suspect file is written in Visual Basic Script (and may also be detected as Trojan.VBS.Autorun.[variant]). Infection is triggered by executing the file with wscript:

  • Wscript [filename].vbs "AutoRun"

Activity

Upon execution, the malware will attempt to perform the following actions:

  • Create an autorun.inf file (also detected as Trojan.Autorun.[variant]) in the root directory of each drive
  • Create a VBS file (using a variable filename) in the root directory of each drive
  • Hide all folders on the root drive and create visible shortcuts to the hidden files
  • Use Alternate Data Streams to attach a copy of itself to explorer.exe and smss.exe, using the following filenames:
    • explorer.exe:[number].vbs
    • smss.exe:[number].vbs
    where [number] is a random number string
  • Use the registry to launch smss.exe:[number].vbs
  • Modify the registry to redirect various 'file open' actions (txt, My Computer, shortcuts, etc.) to launch explorer.exe:[number].vbs
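The following audit script is an added example, not F-Secure's tool and not part of the original description: it reads the registry keys, Alternate Data Streams, drive roots and folder-view values named in the Removal and Activity sections above and reports anything matching, without changing the system. It assumes PowerShell 3.0 or later on an NTFS volume; the key paths are the ones listed on this page.

```powershell
# Added audit script, not an F-Secure tool: it only reports the indicators this page
# describes and changes nothing. Run in an elevated PowerShell (3.0+) prompt on the host.
$findings = @()

# 1. Shell "open" handlers the worm points at WScript.exe (keys taken from the Removal section)
$handlers = 'regfile','batfile','chm.file','cmdfile','hlpfile','inffile','inifile','txtfile',
            'Applications\iexplore.exe'
$keys = $handlers | ForEach-Object { "HKLM:\SOFTWARE\Classes\$_\shell\open\command" }
$keys += 'HKLM:\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command'
foreach ($key in $keys) {
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match 'wscript\.exe|\.vbs') { $findings += "Redirected handler: $key = $cmd" }
}
# 'explore' / 'open' verbs under the My Computer CLSID, which the Removal steps say to delete
$myComputer = 'HKLM:\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell'
foreach ($verb in 'explore','open') {
    if (Test-Path "$myComputer\$verb") { $findings += "Added My Computer verb: $myComputer\$verb" }
}

# 2. Per-user "load" value used to start smss.exe:[number].vbs at logon (checked for every loaded hive)
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $k = "Registry::$($hive.Name)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
    $load = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).load
    if ($load) { $findings += "load value set in $k = $load" }
}

# 3. Alternate Data Streams on explorer.exe and smss.exe: anything besides the main :$DATA stream
foreach ($exe in "$env:SystemRoot\explorer.exe", "$env:SystemRoot\system32\smss.exe") {
    Get-Item -Path $exe -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { $findings += "ADS on ${exe}: $($_.Stream) ($($_.Length) bytes)" }
}

# 4. autorun.inf and root-level .vbs / .lnk droppers on every file-system drive
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -Path $drive.Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'autorun.inf' -or $_.Extension -in '.vbs','.lnk' } |
        ForEach-Object { $findings += "Root-level file: $($_.FullName)" }
}

# 5. Folder-view values the worm flips so its hidden folders stay hidden (originals: SHOWALL=1, NOHIDDEN=2)
$hidden = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
$showAll  = (Get-ItemProperty -Path "$hidden\SHOWALL"  -ErrorAction SilentlyContinue).CheckedValue
$noHidden = (Get-ItemProperty -Path "$hidden\NOHIDDEN" -ErrorAction SilentlyContinue).CheckedValue
if ($showAll -ne 1 -or $noHidden -ne 2) {
    $findings += "Hidden-folder CheckedValue tampered: SHOWALL=$showAll NOHIDDEN=$noHidden"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Worm:VBS/Agent indicators found.' }
```

A hit on any of the handler keys or an extra stream on explorer.exe or smss.exe is the strongest signal; a stray .lnk at a drive root on its own should be compared against the hidden folders listed in step 3 of the Removal section before acting on it.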