Worm:VBS/Autorun.BS


First posted on 03 October 2012.
Source: Microsoft

Aliases:

Worm:VBS/Autorun.BS is also known as VBS.Autoruner.10 (Dr.Web), VBS.Runauto.B (Symantec), VBS/AutoRun.DM (Avira), VBS/Azoog.worm (McAfee), VBS/Naiad.R (ESET).

Explanation:

Worm:VBS/Autorun.BS is a worm that spreads by dropping copies of itself onto network and removable drives. It also modifies system security settings.

Installation

Worm:VBS/Autorun.BS copies the following files to the <system folder> folder:

  • `.vbe - copy of the worm
  • aini.ini - copy of the worm
  • autorun.inf - copy of the "autorun.inf" file that is used to assist the spreading behavior

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\WinNT\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

The worm also modifies the following registry entry to ensure its copy runs at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run\
Sets value: "explorer"
With data: "`.vbe"

Spreads via...

Removable and network drives

Worm:VBS/Autorun.BS attempts to spread by copying itself to the root directory of all removable and network drives, except drives A: and B:.

It also places an "autorun.inf" file in the root directory of the targeted drive, which is detected as Worm:VBS/Autorun.R!inf.

Such "autorun.inf" files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.

Note: This worm was observed to write an executable and create an "autorun.inf" file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally used to spread malware from computer to computer.

It should be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media.
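The two points above, that an autorun.inf file launches whatever its open=, shellexecute= or shell\<verb>\command= entry names, and that the file by itself does not prove infection, are easiest to see in a small triage parser. The following Python script is an added example and is not part of this encyclopedia entry or of any Microsoft tool. Both sample files are constructed: the worm-style one is modeled on the "`.vbe" copy described above, the installer one on what legitimate media typically ship, and the lists of script extensions and script hosts are this example's own heuristic.

```python
"""Triage of autorun.inf files for Autorun-worm indicators (added example)."""
import shlex
from pathlib import PureWindowsPath

# Script extensions that installation media rarely launch from autorun.inf
# but that script-based Autorun worms point their launchers at (heuristic).
SCRIPT_EXTENSIONS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd"}
# Script hosts a launcher line may call to run a script indirectly (heuristic).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def parse_autorun(text: str) -> dict[str, str]:
    """Return the key=value entries of the [autorun] section with lower-cased keys.

    A tolerant line scanner is used instead of configparser so that junk lines,
    a common obfuscation in malicious autorun.inf files, are skipped instead of
    aborting the parse. The first occurrence of a key is kept.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def launch_commands(entries: dict[str, str]) -> list[str]:
    """Every command line the shell may run from the file: the open=,
    shellexecute= and shell\\<verb>\\command= entries."""
    return [
        value for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def _tokens(cmd: str) -> list[str]:
    # Non-POSIX mode keeps Windows backslashes literal; fall back to a plain
    # split when quoting is unbalanced so odd files still get inspected.
    try:
        return [t.strip('"') for t in shlex.split(cmd, posix=False)]
    except ValueError:
        return cmd.split()


def triage(text: str) -> dict:
    """Classify one autorun.inf. 'suspicious' means a launcher runs a script
    file or a script host; 'benign-looking' only means this heuristic found
    nothing, since legitimate media ship autorun.inf files too."""
    entries = parse_autorun(text)
    launchers = launch_commands(entries)
    reasons: list[str] = []
    notes: list[str] = []
    for cmd in launchers:
        notes.append(f"launcher: {cmd}")
        for tok in _tokens(cmd):
            name = PureWindowsPath(tok).name.lower()
            if name in SCRIPT_HOSTS:
                reasons.append(f"launcher invokes script host {name!r}: {cmd}")
            elif PureWindowsPath(name).suffix in SCRIPT_EXTENSIONS:
                reasons.append(f"launcher runs script file {tok!r}: {cmd}")
    if "shell" in entries:
        # Overriding the default verb changes what a double-click runs.
        notes.append(f"default shell verb set to {entries['shell']!r}")
    level = "suspicious" if reasons else "benign-looking"
    return {"level": level, "reasons": reasons, "notes": notes, "launchers": launchers}


# Constructed sample modeled on the behaviour described in the entry: every
# launcher points at the worm's script copy, which the entry names "`.vbe".
WORM_STYLE_INF = r"""
[autorun]
open=`.vbe
shellexecute=`.vbe
shell\open\Command=`.vbe
shell=open
"""

# Constructed sample of what a legitimate installation disc typically ships.
BENIGN_INF = r"""
[autorun]
open=setup.exe
icon=setup.exe,0
label=Example Product Installer
"""

if __name__ == "__main__":
    for label, sample in (("worm-style", WORM_STYLE_INF), ("installer", BENIGN_INF)):
        result = triage(sample)
        print(f"{label}: {result['level']}")
        for line in result["reasons"] + result["notes"]:
            print("  -", line)
```

Run against the root of a mounted removable drive, the script reports which command lines the Autorun feature would execute and why a given file looks suspicious, while a file that merely starts an installer executable is reported as benign-looking rather than as an infection.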


Payload

Contacts remote host

Worm:VBS/Autorun.BS may contact a remote host at "hxxp://hgz.dinghui123.cn/home.asp" via TCP port 80.

The worm attempts to download a configuration file from the remote host to the %TEMP% folder with the file name "temp.txt".

Note: %TEMP% refers to a variable location that is determined by the malware by querying the operating system. The default location of this folder for Windows 2000, XP, and 2003 is "C:\DOCUME~1\<user>\LOCALS~1\Temp". For Windows Vista and 7, the default location is "C:\Users\<user name>\AppData\Local\Temp".

This configuration file may contain instructions for the worm to download additional malicious components.

Modifies system security settings

The worm modifies the following registry entry to prevent the display of hidden files in Windows Explorer:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Sets value: "ShowSuperHidden"
With data: "00000000"

Related encyclopedia entries

Worm:VBS/Autorun.R!inf

Analysis by Jireh Sanico

Last update 03 October 2012
