Home / malwarePDF  

VBS.Worm.Runauto.A


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for VBS.Worm.Runauto.A.

Explanation :

Upon execution the malware changes the attributes of the file to "Read Only" and "Hidden" . This way the user can't see it anymore. After it makes copies of itself into these locations : %system32%.vbe , %windows%.vbe [ the path are relative to the ones where the user has installed the operating system ]

Creates these registry keys :
"HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorerRun" with the value of the {Computer name} that leads to this file "%windows%system32.vbe". This is done so the virus is executed at startup.
[HKEY_LOCAL_MACHINESOFTWARE{Computer name}]
"til"="UC" [looks like a signature of the virus]
"tjs"="708"
"djs"="{Date of Infection}"
"ded"="0"
"osw"="4"
It copies onto removable storages and executes itself trough an "autorun.inf" file.

Last update 21 November 2011

 

TOP