Win32.Worm.VBS.J
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Worm.VBS.J.
Explanation:
This is a VBS (Visual Basic Script) that comes encrypted with a trivial algorithm: every character of the encoded body is shifted down by one character code:
    For i = 1 To Len(vbss)
        DVBS = DVBS & Chr(Asc(Mid(vbss, i, 1)) - 1)
    Next
The only purpose of the raw script is to decrypt the rest of its body (the string vbss into DVBS) and execute the result. After decryption, the script performs the following actions:
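The decryption loop above is easy to reverse outside the script host, which is what an analyst wants when triaging a sample without running it. The following is an added example, not code from the BitDefender write-up or from the worm: it reverses the per-character shift, and goes one step beyond the page by brute-forcing the shift constant (an assumption, in case a variant subtracts something other than 1). The variable names vbss and DVBS come from the page; the sample stub and payload are constructed here, and the assumption that the encoded body sits in the longest double-quoted string literal is mine (the page shows only the loop, not the assignment).

```python
# Added example (not part of the BitDefender write-up): reverse the one-byte
# shift that the worm's stub applies with Chr(Asc(Mid(vbss, i, 1)) - 1), and
# recover the shift constant for variants that might use a different one.
import re

# VBScript tokens a decoded payload is likely to contain; used only for
# scoring candidate shifts, so the list need not be complete.
VBS_KEYWORDS = ("Set ", "Dim ", "CreateObject", "WScript", "RegWrite",
                "Execute", "Function ", "Sub ", "End ")


def shift_decode(encoded, shift=1):
    """Per-character Chr(Asc(c) - shift). Asc/Chr work on single-byte codes
    in the original, so wrap modulo 256 to stay faithful to that."""
    return "".join(chr((ord(c) - shift) % 256) for c in encoded)


def shift_encode(plain, shift=1):
    """Inverse of shift_decode; used here only to build the sample stub."""
    return "".join(chr((ord(c) + shift) % 256) for c in plain)


def score_vbs(text):
    """How much a candidate decoding looks like VBScript."""
    return sum(text.count(k) for k in VBS_KEYWORDS)


def recover_shift(encoded, max_shift=32):
    """Assumption: a variant may subtract a constant other than 1. Try each
    candidate and keep the one whose output scores highest."""
    best = max(range(1, max_shift + 1),
               key=lambda n: score_vbs(shift_decode(encoded, n)))
    return best, shift_decode(encoded, best)


def extract_encoded_body(stub):
    """Assumption: the stub keeps the encoded body in one double-quoted
    string literal (the page only shows the loop, not the assignment), so
    take the longest literal in the file."""
    literals = re.findall(r'"([^"]*)"', stub)
    if not literals:
        raise ValueError("no string literal found in stub")
    return max(literals, key=len)


def decode_stub(stub):
    """Pull the encoded body out of a dropper stub and decode it."""
    return recover_shift(extract_encoded_body(stub))


# Constructed sample: a harmless payload wrapped in a stub shaped like the
# loop quoted above. Not the worm's real body.
PAYLOAD = ('Set ws = CreateObject("WScript.Shell")\r\n'
           'ws.RegWrite "HKCU\\Software\\Example\\Flag", 1, "REG_DWORD"\r\n')

SAMPLE_STUB = ('vbss = "' + shift_encode(PAYLOAD) + '"\r\n'
               'For i = 1 To Len(vbss)\r\n'
               '    DVBS = DVBS & Chr(Asc(Mid(vbss, i, 1)) - 1)\r\n'
               'Next\r\n'
               'Execute DVBS\r\n')

if __name__ == "__main__":
    shift, body = decode_stub(SAMPLE_STUB)
    print(f"recovered shift = {shift}")
    print(body)
```

Because the shift is applied to character codes, the encoded text contains control characters and non-printable bytes; read real samples as bytes and decode them as Latin-1 before calling decode_stub so that every byte maps to exactly one character.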
- modify the DisplayLogo and Timeout settings of the Windows Script Host
- add the following registry keys:
HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command with the value %windir%\system32\wscript.exe /E:vbs "%windir%\system32\regedit.sys"
HKEY_CLASSES_ROOT\exefile\shell\Open application\command with the value %windir%\win.exe
where %windir%\system32\regedit.sys is a copy of the worm. By adding these keys it actually adds two new options to Explorer's context menu for executable files: "Scan for virus,s" and "Open application". By right-clicking an exe file and selecting one of these options, a user would actually run the worm (%system%\regedit.sys) or win.exe (which is discussed later).
- add several entries of the following type:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\!HIJACKED_APP!\Debugger with the value %windir%\system32\wscript.exe /E:vbs "%windir%\system32\regedit.sys"
where !HIJACKED_APP! is one of the following applications: drwtsn32.exe, taskmgr.exe, regedit.exe, rstrui.exe
and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\!HIJACKED_APP!\Debugger with the value %windir%\win.exe
where !HIJACKED_APP! is one of a list of security-software applications, screen-savers and other commercial applications (182 entries). Windows starts the program named in an Image File Execution Options Debugger value in place of the hijacked application, so any time one of these programs is run, the malicious script (%system%\regedit.sys) or %windir%\win.exe gets executed instead.
- remove the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\lnternet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\winboot
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MessengerPlus
- create an autorun.inf file on every accessible drive (so that the worm is executed any time one of those drives is accessed)
- open in Explorer.exe the path where the original worm file is located (the directory it was executed in)
- drop and execute in %windir% another file, win.exe, which is a Backdoor and is already detected by BitDefender
- modify the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, setting its value to %windir%\system32\userinit.exe,wscript.exe /E:vbs %windir%\system32\regedit.sys (so the worm is also started by Winlogon at every logon)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFMON, setting its value to %windir%\win.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled, setting its value to 1 and making sure that scripting is not disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue, setting its value to 0 and making sure that hidden files and folders won't be displayed by Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden, setting its value to 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden, setting its value to 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt, setting its value to 1, in order to make file extensions invisible under Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden, setting its value to 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun, setting its value to 0, in order to activate autorun on every drive
Note: %windir% is a variable that refers to the Windows directory (usually C:\Windows); %system% is a variable that refers to the system folder (usually C:\Windows\System32).
Last update 21 November 2011
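The registry changes listed above (the exefile context-menu verbs, the Image File Execution Options Debugger hijacks, the Userinit change and the Explorer and autorun settings) are all visible in a plain .reg export taken from a suspect machine or a mounted image. The following is an added example, not part of the BitDefender write-up: a small parser for the "Windows Registry Editor Version 5.00" export format and an audit that flags those indicators. The key paths and the file names wscript.exe, win.exe and regedit.sys come from the page; the sample export is constructed here (the lsass.exe entry is a benign IFEO key with no Debugger value, to show it is not flagged), and the hex: value type and multi-line continuations are left unparsed.

```python
# Added example (not part of the BitDefender write-up): audit a .reg export
# for the persistence and UI-tampering indicators listed on the page.
# The sample export below is constructed, not captured from an infection.
import re

# Lower-cased key prefixes as written by "reg export" (full HKEY_* names).
IFEO = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
        "\\image file execution options\\")
WINLOGON = ("hkey_local_machine\\software\\microsoft\\windows nt\\currentversion"
            "\\winlogon")
ADVANCED = ("hkey_current_user\\software\\microsoft\\windows\\currentversion"
            "\\explorer\\advanced")
AUTORUN_POLICY = ("hkey_current_user\\software\\microsoft\\windows\\currentversion"
                  "\\policies\\explorer")
EXEFILE_SHELL = "hkey_classes_root\\exefile\\shell\\"

# Hosts and files the worm points Debugger, Userinit and shell verbs at.
SUSPICIOUS = ("wscript.exe", "cscript.exe", "win.exe", "regedit.sys")

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _parse_value(raw):
    """Handle "string" and dword:hex; anything else (hex:, continuations)
    is returned unparsed."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])   # \\ -> \  and  \" -> "
    return raw


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: value}}; "@" is the default."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            current[name.lower()] = _parse_value(m.group(2))
    return keys


def audit_reg_export(text):
    """Return (indicator, detail) pairs for the changes the page describes."""
    keys = parse_reg_export(text)
    findings = []
    for path, values in keys.items():
        # IFEO: Windows starts the Debugger program instead of the named app.
        if path.startswith(IFEO) and "debugger" in values:
            dbg = str(values["debugger"])
            if any(s in dbg.lower() for s in SUSPICIOUS):
                findings.append(("ifeo_hijack", f"{path[len(IFEO):]} -> {dbg}"))
        # Context-menu verbs on .exe files beyond the stock ones.
        if path.startswith(EXEFILE_SHELL) and path.endswith("\\command"):
            verb = path[len(EXEFILE_SHELL):-len("\\command")]
            if verb not in ("open", "runas", "runasuser"):
                findings.append(("exefile_verb", f"{verb} -> {values.get('@')}"))
    # Userinit should list nothing but userinit.exe (a trailing comma is normal).
    userinit = str(keys.get(WINLOGON, {}).get("userinit", ""))
    parts = [p.strip() for p in userinit.split(",") if p.strip()]
    if any(not p.lower().endswith("\\userinit.exe") for p in parts):
        findings.append(("userinit_tamper", userinit))
    adv = keys.get(ADVANCED, {})
    if adv.get("showsuperhidden") == 0:
        findings.append(("explorer_hide_superhidden", "ShowSuperHidden=0"))
    if adv.get("hidefileext") == 1:   # also the Windows default: weak on its own
        findings.append(("explorer_hide_ext", "HideFileExt=1"))
    if keys.get(AUTORUN_POLICY, {}).get("nodrivetypeautorun") == 0:
        findings.append(("autorun_enabled", "NoDriveTypeAutoRun=0"))
    return findings


# Constructed sample export; lsass.exe is a benign IFEO key with no Debugger.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\system32\\wscript.exe /E:vbs \"C:\\Windows\\system32\\regedit.sys\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\win.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,wscript.exe /E:vbs C:\\Windows\\system32\\regedit.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command]
@="C:\\Windows\\system32\\wscript.exe /E:vbs \"C:\\Windows\\system32\\regedit.sys\""
'''

if __name__ == "__main__":
    for kind, detail in audit_reg_export(SAMPLE_REG):
        print(f"{kind:26} {detail}")
```

Exports written by reg.exe are UTF-16LE with a BOM, so open them with encoding="utf-16" before passing the text in. The IFEO check keys on the Debugger target rather than on the 182-entry list of hijacked applications, which the page does not reproduce; that is what makes it useful against a fresh sample, at the cost of missing a variant that points Debugger at a file not in SUSPICIOUS.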