Worm:VBS/Autorun.BE
First posted on 06 August 2010.
Source: SecurityHome
Aliases:
Worm:VBS/Autorun.BE is also known as VBS/SillyAutorunScript.GG (CA), VBS/Butsur.B (ESET), Worm.VBS.Agent.at (Kaspersky), VBS/Autorun.worm.k (McAfee), VBS/Worm.F (Norman), VBSAgent.NRG (Panda), Mal/VBSlog-A (Sophos), VBS.Runauto (Symantec), VBS_AUTORUN.NAA (Trend Micro).
Explanation:
Worm:VBS/Autorun.BE is a worm that spreads to all writable drives, lowers Windows security and downloads an arbitrary file from a predefined URL, for example "menad26.ifrance.com".
Worm:VBS/Autorun.BE is a VBScript worm that spreads to all writable drives, lowers Windows security and downloads an arbitrary file from a predefined URL, for example "menad26.ifrance.com".
Installation
When Worm:VBS/Autorun.BE runs, it copies itself as the following:
<system folder>\imwin.jpg
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
In addition, Worm:VBS/Autorun.BE modifies the system registry so that it runs instead of certain security applications when they are launched, such as "Process Explorer", "System Restore", "Task Manager" and so on (an Image File Execution Options "Debugger" hijack: Windows starts the named debugger in place of the requested program).
Adds value: "Debugger"
With data: "<system folder>\wscript.exe /e:vbs <system folder>\imwin.jpg"
To the following created subkeys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Spreads via...
Removable and shared drives
The worm copies itself to each writable drive as "image.jpg". The worm then writes an autorun configuration file named "autorun.inf" pointing to "image.jpg". When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Lowers Windows security
Worm:VBS/Autorun.BE makes a series of modifications to the Windows system registry that lower Windows security or change Windows behaviors.
Changes the default icon for VBScript files to match Windows Media Player file types
Sets value: "(default)"
With data: "%ProgramFiles%\windowsupdate\wmplayer.exe,-120"
In subkey: HKLM\SOFTWARE\Classes\Vbsfile\DefaultIcon
Turns off the creation of System Restore checkpoints when running a Windows Installer application
Sets value: "LimitSystemRestoreCheckpointing"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Turns off System Restore
Sets value: "DisableSR"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
Changes the "friendly name" association of VBScript file types to a user-trusted file type
Sets value: "FriendlyTypeName"
With data: "mp3 audio"
In subkey: HKLM\SOFTWARE\Classes\VBSFile
Changes the "friendly name" association for MP3 audio files
Sets value: "FriendlyTypeName"
With data: "good songs"
In subkey: HKLM\SOFTWARE\Classes\mp3file
Stops the Windows Update and Windows Security Center services
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\ControlSet001\Services\wscsvc
Disables notifications from the Windows Security Center if antivirus software is not installed
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Suppresses the Windows Script Host logo banner so that scripts run without a visible notice
Sets value: "DisplayLogo"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows Script Host\Settings
Sets value: "DisplayLogo"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows Scripting Host\Settings
Enables the execution of Windows Script Host files
Sets value: "Enabled"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
Disables showing hidden files, even if this setting was previously enabled
Sets value: "CheckedValue"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Disables viewing of files with file attributes "hidden" and "system"
Sets value: "SuperHidden"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Enables Autorun (autoplay) mode to run "autorun.inf" scripts when connecting to drives or media
Sets value: "NoDriveTypeAutoRun"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Downloads an arbitrary file
Worm:VBS/Autorun.BE attempts to contact a predefined URL to download and execute an arbitrary file. This worm has been observed to retrieve a file "boum.jpg" from the domain "menad26.ifrance.com". The retrieved file is saved to the local drive as the following:
<system folder>\winxp.exe
At the time of this writing, the retrieved file is identified as TrojanDownloader:Win32/Harnig.N. TrojanDownloader:Win32/Harnig is a trojan family that downloads and executes arbitrary files. This variant of Win32/Harnig was observed to download a rogue security scanner identified as Trojan:Win32/FakeSpypro.
The registry is modified to run the dropped executable at Windows start, or when .EXE executable file types are run, or if a user right-clicks a file or folder and selects "Scan for viruses".
Sets value: "regdiit"
With data: "<system folder>\winxp.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<system folder>\winxp.exe"
In subkey: HKLM\SOFTWARE\Classes\exefile\shell\Open application\command
Sets value: "(default)"
With data: "<system folder>\wscript.exe /e:vbs <system folder>\imwin.jpg"
In subkey: HKLM\SOFTWARE\Classes\exefile\shell\Scan for viruses\command
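The registry changes listed above are the most durable artifacts of this infection, so a responder can check for them offline in an exported hive. The following is an added example (not part of the original analysis) that parses a minimal .reg export, such as the output of "reg export", and reports every documented modification it finds; the sample export, the indicator table and the function names are constructed for this illustration.

```python
import re

INDICATORS = [  # (subkey regex, value name, data regex); "" stands for the (default) value
    (r"image file execution options\\(drwtsn32|taskmgr|regedit|rstrui|dwwinxp|msconfig|procexp)\.exe$",
     "debugger", r"wscript\.exe"),                        # IFEO "Debugger" hijack of security tools
    (r"policies\\microsoft\\windows nt\\systemrestore$", "disablesr", r"^1$"),
    (r"services\\(wuauserv|wscsvc)$", "start", r"^4$"),    # 4 = service disabled
    (r"microsoft\\security center$", "antivirusoverride", r"^1$"),
    (r"advanced\\folder\\hidden\\showall$", "checkedvalue", r"^0$"),
    (r"policies\\explorer$", "nodrivetypeautorun", r"^0$"),
    (r"currentversion\\run$", "regdiit", r"winxp\.exe"),
    (r"classes\\exefile\\shell\\.*\\command$", "", r"winxp\.exe|imwin\.jpg"),
]

def parse_reg(text):
    # Minimal .reg parser: {subkey: {value_name: data}} with subkeys and names lowercased
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"^\[(.+)\]$", line):
            key = m.group(1).lower()
            entries.setdefault(key, {})
            continue
        if (m := re.match(r'^(@|"([^"]+)")=(.+)$', line)) and key is not None:
            data = m.group(3)
            if data.startswith("dword:"):                  # REG_DWORD -> decimal string
                data = str(int(data[6:], 16))
            else:                                          # REG_SZ -> unquote, unescape backslashes
                data = data.strip('"').replace("\\\\", "\\")
            entries[key][(m.group(2) or "").lower()] = data
    return entries

def find_indicators(reg_text):
    # Returns (subkey, value name, data) for each documented modification present in the export
    hits = []
    for key, values in parse_reg(reg_text).items():
        for key_re, name, data_re in INDICATORS:
            if re.search(key_re, key) and name in values and re.search(data_re, values[name], re.I):
                hits.append((key, name or "(default)", values[name]))
    return hits

# Constructed sample export: three infected entries plus one benign wuauserv entry (Start=2)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\System32\\wscript.exe /e:vbs C:\\Windows\\System32\\imwin.jpg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Scan for viruses\command]
@="C:\\Windows\\System32\\wscript.exe /e:vbs C:\\Windows\\System32\\imwin.jpg"
'''
```

Running find_indicators(SAMPLE_REG) flags the taskmgr.exe Debugger hijack, DisableSR=1 and the "Scan for viruses" command, and leaves the wuauserv entry alone because its Start value is not 4.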
Analysis by Tim Liu
Last update 06 August 2010