
Worm:VBS/Autorun.BG


First posted on 13 August 2010.
Source: SecurityHome

Aliases :

Worm:VBS/Autorun.BG is also known as VBS/AutoRun.AM (Authentium (Command)), Worm.VBS.Autorun.hu (Kaspersky), W32/Autorun-AWI (Sophos), VBS.Runauto (Symantec).

Explanation :

Worm:VBS/Autorun.BG is a worm that spreads via fixed, removable and network drives, and RAM disks. It changes the user's Internet Explorer start page, and attempts to enable Autorun functionality on all drives of the computer. In certain situations it may also attempt to shut down the computer.

Installation

When run, Worm:VBS/Autorun.BG creates the following files, some with the attributes "hidden", "system", and "read-only", in the root folder of all fixed drives:

  • ntv.vbs - copy of itself
  • autorun.inf - INF file designed to automatically run the worm copy when the drive is accessed and Autorun is enabled; detected as Worm:Win32/Autorun.BG!inf
  • Nude Teen Videos.lnk - set only as "read-only"; when opened by the user, it runs the worm copy

The original analysis includes a screenshot of this LNK file; it is not reproduced here.

When the worm copy is run, it opens a Windows Explorer window for the drive it was run from. For example, if the worm copy is run from C:\, the Windows Explorer window opens to C:\. It writes further copies of itself to the following locations:

  • <system folder>\dns_cache.vbs
  • <templates>\prn_share.vbs

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32. <templates> refers to any folder named "Templates", for example %USERPROFILE%\Templates.

Worm:VBS/Autorun.BG creates the following registry entries to ensure that it is launched every time the computer starts:

Adds value: "DnsCache"
With data: "wscript.exe "<system folder>\dns_cache.vbs""
In key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: "PrnShare"
With data: "wscript.exe "<templates>\prn_share.vbs""
In key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also adds the following shortcut file:

  • <start menu>\DNS Cache.lnk - when opened, this shortcut executes "dns_cache.vbs"

Note: <start menu> refers to a variable location that the malware determines by querying the operating system. The default location of the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.

The original analysis includes a screenshot of this LNK file as well; it is not reproduced here.

Worm:VBS/Autorun.BG also writes the following file:

  • <templates>\adblock.cfg

It checks for the existence of this file to prevent more than one copy from running at a time.

Spreads via...

Fixed, network, and removable drives

When run, Worm:VBS/Autorun.BG creates the following files, some with the attributes "hidden", "system", and "read-only", in the root folder of all network and removable drives, and RAM disks:

  • ntv.vbs - copy of itself
  • autorun.inf - INF file designed to automatically run the worm copy when the drive is accessed and Autorun is enabled; detected as Worm:Win32/Autorun.BG!inf
  • Nude Teen Videos.lnk - set only as "read-only"; when opened by the user, it runs the worm copy

When the worm copy is run, it opens a Windows Explorer window for the drive it was run from. For example, if the worm copy is run from Z:\, the Windows Explorer window opens to Z:\.

Payload

Monitors its presence in the computer

Worm:VBS/Autorun.BG monitors whether either its original copy or the copy at "<system folder>\dns_cache.vbs" has been deleted. If one of these files has been deleted, it replaces it by making a copy of the remaining file. If both have been deleted, it attempts to shut down the system.

Modifies browser start page

Worm:VBS/Autorun.BG changes the user's Internet Explorer start page to "www.google.com" by making the following registry modification:

Adds value: "Start Page"
With data: "http://www.google.com/"
In key: HKCU\Software\Microsoft\Internet Explorer\Main

Changes Autorun settings

Worm:VBS/Autorun.BG attempts to enable Autorun functionality for all drive types by making the following registry modification:

Adds value: "NoDriveTypeAutoRun"
With data: "0"
In key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
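The script below is an added example and is not part of the original analysis or of any vendor tooling: it checks a host for the artefacts listed above (dropped copies, the root-folder autorun.inf/ntv.vbs/LNK trio on every drive, the two Run values, the NoDriveTypeAutoRun and Start Page changes) and, with a switch, removes them. Everything beyond the names the page gives is an assumption of this example: the script name (triage.ps1), the -Remediate switch, the $findings list, and that it is run from an elevated PowerShell so that the HKLM Run value and the hidden/system root files are reachable.

```powershell
# Added example, not part of the original analysis: triage (and optional clean-up)
# of the artefacts this page attributes to Worm:VBS/Autorun.BG.
# Assumptions not taken from the page: run from an elevated PowerShell (the HKLM
# Run value and the hidden/system root files need it); the -Remediate switch and
# the $findings list are this example's own names.
param([switch]$Remediate)

$sys       = [Environment]::GetFolderPath('System')     # <system folder>
$tmpl      = [Environment]::GetFolderPath('Templates')  # <templates>
$startMenu = [Environment]::GetFolderPath('StartMenu')  # <start menu>
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Copies the worm writes outside the drive roots, plus its single-instance marker.
$dropped = @(
    (Join-Path $sys 'dns_cache.vbs'),
    (Join-Path $tmpl 'prn_share.vbs'),
    (Join-Path $tmpl 'adblock.cfg'),
    (Join-Path $startMenu 'DNS Cache.lnk')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file: $f") }
}

# 2. Every drive root (fixed, removable, network, RAM disk): the worm copy, the
#    autorun.inf that launches it, and the lure shortcut. Get-Item -Force is needed
#    because the page says the copies carry the hidden and system attributes.
$rootNames = 'ntv.vbs', 'autorun.inf', 'Nude Teen Videos.lnk'
$roots = Get-CimInstance Win32_LogicalDisk | ForEach-Object { $_.DeviceID + '\' }
foreach ($root in $roots) {
    foreach ($name in $rootNames) {
        $p = Join-Path $root $name
        if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
            $findings.Add("root file: $p")
            if ($name -eq 'autorun.inf') {
                # Report the directives Explorer acts on: open=, shellexecute=, shell\<verb>\command=
                [IO.File]::ReadAllLines($p) |
                    Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' } |
                    ForEach-Object { $findings.Add("  launches: $($_.Trim())") }
            }
        }
    }
}

# 3. Persistence: the two Run values named on the page.
$runValues = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = 'DnsCache'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' = 'PrnShare'
}
foreach ($key in $runValues.Keys) {
    $name  = $runValues[$key]
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$name]) {
        $findings.Add("run value: $key\$name = $($props.$name)")
    }
}

# 4. Settings the worm changes. NoDriveTypeAutoRun is a bit mask of the drive types
#    for which AutoRun is disabled, so 0 enables it everywhere and 0xFF disables it everywhere.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndta = (Get-ItemProperty -Path $explorer -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ndta -eq 0) { $findings.Add('NoDriveTypeAutoRun = 0 (AutoRun enabled for every drive type)') }

$ieMain    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue).'Start Page'
if ($startPage -eq 'http://www.google.com/') {
    $findings.Add("IE Start Page = $startPage (weak indicator: also a common legitimate choice)")
}

if ($Remediate -and $findings.Count -gt 0) {
    # Stop the scripts before deleting files: the worm recreates whichever of its two
    # copies goes missing, and losing both while it runs triggers its shutdown attempt.
    # Note this stops every wscript.exe, including any legitimate script that is running.
    Get-Process wscript -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($f in $dropped) { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    foreach ($root in $roots) {
        foreach ($name in $rootNames) {
            Remove-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
        }
    }
    foreach ($key in $runValues.Keys) {
        Remove-ItemProperty -Path $key -Name $runValues[$key] -ErrorAction SilentlyContinue
    }
    # Undo the worm's value and go further: disable AutoRun for all drive types.
    New-Item -Path $explorer -Force | Out-Null
    Set-ItemProperty -Path $explorer -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

$findings
```

Run `.\triage.ps1` to list findings only and `.\triage.ps1 -Remediate` to clean up. Two caveats: the Start Page value is only a weak indicator on its own, since many users set it to the same URL, and on Windows 7 and later (and on earlier versions with the 2011 AutoRun update, KB971029) Explorer no longer honours autorun.inf on non-optical media, so the NoDriveTypeAutoRun change matters less there; the "Nude Teen Videos.lnk" lure still works on any version because it relies on the user opening it, not on AutoRun.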

    Analysis by David Wood

    Last update 13 August 2010
