For Home

Virus Profile: VBS/Autorun.worm.k

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 7/13/2007
Date Added: 7/13/2007
Origin: N/A
Length: varies
Type: Virus
Subtype: Worm
DAT Required: 7020
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of previously mentioned files

Methods of Infection

---------Updated on May 21, 2013-------

This worm may be spread by its intented method of infected removable drives. Alternatively this may be installed by visiting a malicious web page (either by clicking on a link), or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.

---------Updated on May 15, 2012-------

The autorun worm spreads itself through USB drives.

   

Virus Characteristics

---------Updated on May 21, 2013-------

Aliases –

  • ESET-NOD32    -     VBS/Agent.NGB
  • Kaspersky         -     Worm.VBS.Agent.bu
  • Microsoft            -     Worm:VBS/Jenxcus.A

Characteristics

VBS/Autorun.worm.k” is a worm that spreads by copying itself to drives connected to the system.

Upon execution the worn connects to the following URL through the remote port: 7777

  • a.serve[Removed]strike.com
  • 133.125. [Removed].37


The following files have been added to the system.

  • %Temp%\Updatea.vbs
  • %Userprofile%\Start Menu\Programs\Startup\Updatea.vbs


Upon execution it copies itself to the following location:

  • : [RemovableDrive]\Updatea.vbs

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updatea.vbs: ""%Temp%\Updatea.vbs ""
  • HKEY_USER\S-1-[Varies]\MaReDHaCkeR: "n"


The above registry entries confirm that the Worm tries to execute itself upon  system boot.

---------Updated on May 15, 2012-------

Aliases -

  • AntiVir - VBS/Autorun.AQ
  • Kaspersky - Worm.VBS.Autorun.gj
  • Microsoft - Worm:VBS/VBSWG.gen
  • NOD32 - VBS/AutoRun.FW


VBS/Autorun.worm.k is a worm that spreads by copying itself to system and removable drives.

Upon execution the worm copies itself to the below mentioned locations.

  • %Windir%\system32\Thumbs.vbs
  • %Windir%\Thumbs.vbs
  • %systemdrive%\Thumbs.vbs

And drop the following file.

  • %systemdrive%\autorun.inf

Also it drops an autorun.inf file into the root of all removable drives and mapped drives in an attempt to autorun an executable when the drive is accessed.

The file "AutoRun.inf" is pointing to the malware binary executable, when the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

The autorun.inf is configured to launch the Trojan file via the following command syntax.

  • [AUTORUN]
  • &Open=wscript.exe Thumbs.vbs
  • shell\open=Open
  • shell\open\Command=wscript.exe Thumbs.vbs
  • shell\Explore=&Explorer
  • shell\Explore\Command=Explorer.exe
  • shell\VBS.ALLYA.B\Command=wscript.exe Thumbs.vbs
  • shell\VBS.ALLYA.B\Default=1

The following registry key has been added to the system.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows Script Host\Settings

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions = 0x00000001
  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids\VBSFile:

Trojan disables command run by adding the following values to the registry key.

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = 0x00000001

The following registry value ensures that, the Trojan registers run entry with the compromised system and execute itself upon every boot.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AVCTRL32 = "wscript.exe %Windir%\Thumbs.vbs"

The following registry values have been modified to the system.

  • HKEY_LOCAL_MACHINE\Software\Classes\VBSFile\ = "Data Base File"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Scripting Host\Script Extensions\.VBS\ = "Data Base File"

The following registry ensures that, the Trojan hides files and file extensions

  • HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0x00000000

[Note: C:\WINDOWS is %Windir%]

---------Updated on January 12, 2012-------

File Information

  • MD5  -  7458A5CA9E58C08D57D2F0779DCB0E57
  • SHA  - 5309ebbb289dee829b890a9087a84371d347430d

Upon execution, the following registry entries is added to allow the malware to restart upon reboot:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Data: %WinDir%\system32\userinit.exe,%WinDir%\system32\wscript.exe //e:vbscript.encode %RootDir%:\:\%WinDir%\system32\drivers\alice.sys


VBS/Autorun.worm.k will drop the following files:

  • %RootDir%\Alice.alc
  • %RootDir%\Autorun.inf
  • %UserDir%\Templates\winword.vbe
  • %UserDir%\Templates\winword2.vbe
  • %WinDir%\System32\Alice.sys

The autorun.inf file contains the following code:

[autorun]
shellexecute=wscript.exe //e:vbscript.encode alice.alc
shell\open\command=wscript.exe //e:vbscript.encode alice.alc
shell\explore\command=wscript.exe //e:vbscript.encode alice.alc


The malware will attempt inject malicious VB code into existing HTML files. Vbs/autorun.worm.k will also create a new VB files in directories with existing .doc files. The malware will name the newVB file the same as current documents and then hide the original file.

---------Updated on July 01, 2011-------

File Information

  • MD5  -  14BBD7B5B924B598A7655C6211BF19A8
  • SHA  - 27D11C934AD2CD8F673603B4CACEF87AEFF09DA1

Aliases

  • Kaspersky - Worm.VBS.Autorun.gj
  • NOD32 - VBS/AutoRun.FW
  • Symantec - Bloodhound.VBS.4
  • Microsoft - Worm:VBS/VBSWG.gen

When executed it copies itself into the following location:

  • %Windir%\system32\Thumbs.vbs
  • %Windir%\Thumbs.vbs
  • %Systemdrive%\Thumbs.vbs

And drop the following files:

  • %Systemdrive%\autorun.inf

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

  • [AUTORUN]
  • &Open=wscript.exe Thumbs.vbs
  • shell\open=Open
  • shell\open\Command=wscript.exe Thumbs.vbs
  • shell\Explore=&Explorer
  • shell\Explore\Command=Explorer.exe
  • shell\VBS.ALLYA.B\Command=wscript.exe Thumbs.vbs
  • shell\VBS.ALLYA.B\Default=1
  • [ABOUT]
  • VBSName=VBS.ALLYA
  • VBSVersion=ENCRYPTED.B-2009
  • VBSAUTHOR=Iwing/Indovirus
  • VBSNOTE=Viva Indovirus - Coba Decoded dan Pelajari ya.. :p
  • '923

The following registry key has been added to the system.

  • HKEY_CURRENT_USER\S-1-5-(varies)\Software\Microsoft\Windows Script Host
  • HKEY_CURRENT_USER\S-1-5-(varies)\Software\Microsoft\Windows Script Host\Settings

The following registry value has been added.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    “AVCTRL32” = "wscript.exe c:\windows\system32\Thumbs.vbs"

The above mentioned registry ensures that the Trojan registers with the compromised system and execute upon every reboot.

  • [HKEY_CURRENT_USER\S-1-5-(varies)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\]
    “NoRun” = “0x00000001”

Trojan disables command run by adding the above mentioned values to the registry key.

----------------------------------------------------------------------------

-------- Updated on Jun 21, 2011 ---------

File Information -

  • MD5 - 58B74273D47FD40B38A0433EF22D4D83
  • SHA - 10F50759411F2EE921B321E6122E6BA501217661

Aliases -

  • Avg - VBS/Worm
  • NOD32 - VBS/Butsur.L
  • Symantec - VBS.Runauto
  • Microsoft - Worm:VBS/Autorun.AG

"VBS/Autorun.worm.k" is an VBS autorun worm that spreads through USB drives.

Upon execution the Trojan change Internet Explorer Start Page to point the following URL.

  • www.goo[removed]uk

And also drops autorun.inf file into the root of all removable drivers and mapped drives in an attempt to autorun an executable when the drive is accesed.

The file "AutoRun.inf" is pointing to the malware binary executable. When the removable or networked drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.

  • [autorun]
  • shellexecute = wscript.exe jxk1o4mpf7l1hqkbgy506l7gkb06yy9d1ita7bn5csat.vbs

The following Values have been modified to the system.

  •  [HKEY_USERS\S-1-5-[varies]\Software\Microsoft\Internet Explorer\Main]
     Start Page = "www.goo[removed]uk"

--------------------------------------

This is an VBS autorun worm that spreads through USB drives.

It spreads itself under the following known filenames:

  • ntidr.vbs
  • Radz_Services.vbs
  • SysRes.vbs

It will change Internet Explorer Start Page to point the following URL:

  • www.radzservices.[removed].com

It will add or modify the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\leakHelpString

It will also create a registry run key to run itself at system startup.

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).