Virus Profile: VBS/Autorun.worm.au

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 11/29/2007
Date Added: 11/29/2007
Origin: N/A
Length: N/A
Type: Virus
Subtype: Worm
DAT Required: 5174
Removal Instructions

Description

VBS/Autorun.worm.au is an autorun worm written in the Visual Basic Script programming language.

Indication of Infection

  • a wscript process running without having been invoked by the user
  • presence of the files '.vbe and '.ini in the system folder
  • presence of the file '.vbe in the Windows folder
  • presence of the files '.vbs and '.ini in the root of available drives
  • error messages from wscript complaining about the invalid filenames

Methods of Infection

Executing the malicious Visual Basic script initiates the infection. In addition, accessing a drive that has been infected by the script, on a machine with the autorun feature enabled, infects the local machine.
   

Virus Characteristics

When started, the malicious script first decrypts itself. Once this is done, the actual malicious behaviour begins.

The malware then copies itself to both the Windows folder and the system folder, under the name '.vbe. On the machine used for the analysis, the malware copied itself as:

   c:\windows\'.vbe

   c:\windows\system32\'.vbe

After the copies have been made, the malware sets the following registry value to make sure it is executed the next time the machine boots:

   HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\explorer:'.vbe

Next, the malware modifies the following registry values in order to bypass firewalls:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

The malware then tries to spawn the copy of itself located in the system folder. However, because of the name chosen for the file, the operation fails. After this, the malware hides its own files from the system's user by modifying the following registry value:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

and creates the file '.ini in the system folder. This file is an autorun file that forces execution of the script. In addition, the malware copies both the '.ini and '.vbs files to the root of all available drives.
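The indicators listed above can be checked on a suspect host with a read-only script. The following PowerShell is an added example and is not part of the McAfee profile; the function name Find-AutorunWormAu is hypothetical, and the script only reports findings, it removes nothing.

```powershell
# Added example (not from the McAfee profile): read-only check for the
# VBS/Autorun.worm.au indicators. Function name Find-AutorunWormAu is hypothetical.
function Find-AutorunWormAu {
    $findings = @()

    # 1. Dropped copies: '.vbe in the Windows and System folders, '.ini in the System folder
    $win = [Environment]::GetFolderPath('Windows')
    $sys = [Environment]::GetFolderPath('System')
    foreach ($p in @((Join-Path $win "'.vbe"), (Join-Path $sys "'.vbe"), (Join-Path $sys "'.ini"))) {
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }

    # 2. Spreading mechanism: '.vbs and '.ini in the root of every available drive
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        foreach ($n in @("'.vbs", "'.ini")) {
            $p = Join-Path $d.Root $n
            if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
        }
    }

    # 3. Startup hook: value 'explorer' under Policies\Explorer\run pointing at '.vbe
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run'
    if (Test-Path -LiteralPath $runKey) {
        $v = (Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue).explorer
        if ($v -and $v -like "*'.vbe*") { $findings += "Startup value: $runKey\explorer = $v" }
    }

    # 4. Hidden-file setting flipped: ShowSuperHidden = 0 hides protected OS files from the user
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $ssh = (Get-ItemProperty -LiteralPath $adv -ErrorAction SilentlyContinue).ShowSuperHidden
    if ($ssh -eq 0) { $findings += "ShowSuperHidden is 0 under $adv" }

    # 5. ZoneMap values named in the profile. These can exist legitimately, so they are
    #    reported for review rather than treated as proof of infection on their own.
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    $zp = Get-ItemProperty -LiteralPath $zone -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyBypass', 'IntranetName', 'UNCAsIntranet') {
        if ($null -ne $zp -and $null -ne $zp.$name) { $findings += "ZoneMap\$name = $($zp.$name)" }
    }

    # 6. A wscript.exe process whose command line references a '.vbe or '.vbs script
    Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" | ForEach-Object {
        if ($_.CommandLine -match "'\.vb[es]") { $findings += "wscript running: $($_.CommandLine)" }
    }

    return $findings
}

Find-AutorunWormAu
```

An empty result means none of the listed indicators were found; any line returned should be followed up with the scan and cleaning steps in the removal instructions.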

   

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1. Disable System Restore.

2. Update to the current engine and DAT files for detection and removal.

3. Run a complete system scan.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup are removed by cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

1. Insert the Windows XP CD into the CD-ROM drive and restart the computer.
2. When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3. Select the Windows installation that is compromised and provide the administrator password.
4. Issue the 'fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Reset and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

1. Insert the Windows CD into the CD-ROM drive and restart the computer.
2. Click on "Repair Your Computer".
3. When the System Recovery Options dialog comes up, choose the Command Prompt.
4. Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
5. Follow the on-screen instructions.
6. Reset and remove the CD from the CD-ROM drive.
