First posted on 28 December 2007.
Source: SecurityHome
Worm:VBS/HeadTail.A is also known as Worm.Vbs.HeadTail.a.
This Visual Basic Script worm propagates by copying itself to available removable, fixed and remote drives and creating an autorun.ini script to enable its execution. Whenever such a drive is accessed on a system with Drive - Type - Autorun - Enabled settings, the malware executes automatically.
Upon execution, this malware infects available removable, fixed and remote drives and creates a copy of itself on them. It then creates its autorun registry entry in:
HKEY_CURRENT_USER\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows\Load
As a way to infect more files and enable its execution further, it modifies the file association of the following file types to execute the malware first:
It uses the System and Hidden file properties to hide from the user, and sets the registry to disable viewing of files with Hidden and System attributes.
It then searches removable, fixed and remote drives for hta, htm, html, asp and vbs files smaller than 350000 bytes to infect. The malware limits itself to infecting no more than 1000 files in a single execution.
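For incident scoping, the propagation and infection criteria described above can be turned into a read-only check of a mounted drive or disk image. This is an added example, not part of the original write-up; the function names, the extra `autorun.inf` file name and the sample layout are assumptions made for illustration.

```python
import os
import tempfile

TARGET_EXTS = {".hta", ".htm", ".html", ".asp", ".vbs"}  # from the write-up
MAX_SIZE = 350000  # bytes; only smaller files are infected, per the write-up
# autorun.ini is the name given above; autorun.inf, the standard Windows
# AutoRun file name, is also checked (assumption of this example).
AUTORUN_NAMES = {"autorun.ini", "autorun.inf"}

def autorun_commands(root):
    """Return (file, line) pairs for launch entries in a root-level autorun file."""
    hits = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.lower() not in AUTORUN_NAMES or not os.path.isfile(path):
            continue  # skip other names and directories used as "vaccines"
        with open(path, errors="replace") as fh:
            for line in fh:
                key = line.split("=", 1)[0].strip().lower()
                if "=" in line and (key in ("open", "shellexecute") or key.startswith("shell\\")):
                    hits.append((name, line.strip()))
    return hits

def infection_candidates(root):
    """Relative paths of files matching the worm's stated infection criteria."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable entry on a damaged volume
            if os.path.splitext(name)[1].lower() in TARGET_EXTS and size < MAX_SIZE:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def make_sample(root):
    """Write a constructed drive layout (placeholder content, not worm code)."""
    files = {"AUTORUN.INI": b"[autorun]\nopen=placeholder.vbs\n",
             "placeholder.vbs": b"' constructed placeholder\n",
             "site/index.html": b"<html></html>",
             "site/big.html": b"x" * MAX_SIZE,  # at the limit, so excluded
             "docs/notes.txt": b"not a targeted type"}
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        make_sample(drive)
        print(autorun_commands(drive), infection_candidates(drive))
```

The candidate list is the set of files that need review, not a list of confirmed infections, since the write-up does not describe an infection marker.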
As its payload, it checks each filename and deletes the file if the name contains predefined strings supposedly related to adult videos. The file formats are as below:
It also monitors the system and ensures that the following processes are terminated:
- "ras.exe"
- "360tray.exe"
- "taskmgr.exe"
- "cmd.exe"
- "cmd.com"
- "regedit.exe"
- "regedit.scr"
- "regedit.pif"
- "regedit.com"
- "msconfig.exe"
- "SREng.exe"
- "USBAntiVir.exe"
It is worth mentioning that, depending on the parameters it is run with, the malware is capable of removing all of its system modifications and deleting all of its copies. It can also disinfect all infected files accessible on the system.
Last update 28 December 2007