Worm:VBS/Eneg.A


First posted on 25 October 2013.
Source: Microsoft

Aliases :

There are no other names known for Worm:VBS/Eneg.A.

Explanation :

Threat behavior

Installation

Worm:VBS/Eneg.A can be installed to the following files on your PC:

  • <startup folder>\Windows Media Player.vbe
  • %APPDATA%\Windows Update\wxz.exe


Spreads via

Removable drives

This threat creates a copy of itself as a hidden file called Microsoft.exe on removable drives, such as USB flash drives.

It also creates an autorun.inf file in the root folder of the removable drive. The file contains instructions that launch the malware automatically when the drive is connected to a PC with the Autorun feature turned on.

This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.

Payload

Allows backdoor access and control

The worm creates the following local administrator account, which gives a remote attacker backdoor access to your PC and a foothold from which to download other malware:

  • User Name: NTUSER
  • Password: ntpassword


It then enables the Remote Desktop service so that a remote attacker can connect to your PC with this account.

Downloads files

This worm downloads the following malicious files to your PC (note that the file served as update.jpg is saved and run as an executable; the image extension is only a disguise):

  • killerav.x10.mx/system.bat to %APPDATA%\Windows Update\system.bat to stop your security software from running
  • mylogs.x10.mx/system.exe to %APPDATA%\Windows Update\system.exe
  • wbot.hebergratuit.com/update.jpg to %APPDATA%\Microsoft\SYSTEM\update.exe
  • welc0me.x10.mx/explorer.exe to %APPDATA%\Microsoft\SYSTEM\explorer.exe


Deletes user information

Worm:VBS/Eneg.A deletes all user data, including profiles, cookies, and history from the following web browsers:

  • Chrome
  • Firefox
  • Internet Explorer
  • Opera
  • Thunderbird


It also deletes your profile data from Skype.

The worm also turns off User Account Control (UAC).

Additional information

The worm sets HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden to "2", which configures Windows Explorer not to show hidden files and folders, so that the hidden copies it drops on removable drives stay out of sight.

It only spreads on PCs with a French-language Windows installation.



Analysis by Zhitao Zhou

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    <startup folder>\Windows Media Player.vbe
    %APPDATA%\Windows Update\wxz.exe

  • Your security software isn't running correctly
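The Payload, Additional information and Symptoms sections above give enough detail to check a host for this worm by hand. The script below is an added example, not part of the original Microsoft write-up: it reads each indicator the page names (the dropped files, the NTUSER administrator account, Remote Desktop enabled, UAC turned off, Explorer's Hidden value, and the hidden Microsoft.exe and autorun.inf on removable drives) and reports what it finds. The file paths, account name and registry value come from the text; the registry locations for the Remote Desktop (fDenyTSConnections) and UAC (EnableLUA) settings are the standard Windows ones and are my addition, as is the script structure. It is read-only and changes nothing.

```powershell
# Added example: triage a Windows host for the Worm:VBS/Eneg.A indicators
# described on this page. Run from an elevated PowerShell prompt.
# Assumptions (not from the page): fDenyTSConnections and EnableLUA are the
# standard registry values for Remote Desktop and UAC; Win32_LogicalDisk
# DriveType 2 is "removable disk".

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installation / Symptoms: files the worm drops or downloads.
$dropped = @(
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'Windows Media Player.vbe'),
    (Join-Path $env:APPDATA 'Windows Update\wxz.exe'),
    (Join-Path $env:APPDATA 'Windows Update\system.bat'),
    (Join-Path $env:APPDATA 'Windows Update\system.exe'),
    (Join-Path $env:APPDATA 'Microsoft\SYSTEM\update.exe'),
    (Join-Path $env:APPDATA 'Microsoft\SYSTEM\explorer.exe')
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 2. Payload: backdoor account NTUSER in the local Administrators group.
#    net.exe is used instead of Get-LocalUser so this also runs on the
#    Windows 7/8-era hosts the threat targeted.
$localUsers = net user 2>$null
if ($localUsers -match '(^|\s)NTUSER(\s|$)') {
    $findings.Add('Local account NTUSER exists')
    $admins = net localgroup Administrators 2>$null
    if ($admins | Where-Object { $_ -match '^NTUSER\s*$' }) {
        $findings.Add('NTUSER is a member of Administrators')
    }
}

# 3. Payload: Remote Desktop enabled (fDenyTSConnections = 0).
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings.Add('Remote Desktop connections are enabled (fDenyTSConnections=0)')
}

# 4. Payload: UAC turned off (EnableLUA = 0).
$lua = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -ErrorAction SilentlyContinue
if ($lua -and $lua.EnableLUA -eq 0) {
    $findings.Add('UAC is disabled (EnableLUA=0)')
}

# 5. Additional information: Explorer set not to show hidden files.
#    Hidden=2 is also the Windows default, so this only corroborates.
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
        -Name Hidden -ErrorAction SilentlyContinue
if ($adv -and $adv.Hidden -eq 2) {
    $findings.Add('Explorer hides hidden files (Hidden=2; default, weak indicator)')
}

# 6. Spreads via: hidden Microsoft.exe plus autorun.inf on removable drives.
Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $exe  = Join-Path $root 'Microsoft.exe'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $exe) {
        # -Force is needed to see a file carrying the Hidden attribute.
        $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
        $findings.Add("Removable drive $root has Microsoft.exe (attributes: $attrs)")
    }
    if (Test-Path -LiteralPath $inf) {
        # autorun.inf is not malicious by itself; report what it would launch.
        $launch = Get-Content -LiteralPath $inf -Force |
                  Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' }
        $findings.Add("Removable drive $root has autorun.inf launching: $($launch -join '; ')")
    }
}

if ($findings.Count -eq 0) {
    'No Worm:VBS/Eneg.A indicators found.'
} else {
    $findings
}
```

Weigh the results the way the page's own Symptoms section does: the dropped files and the NTUSER account are the strong indicators, while Remote Desktop being enabled, UAC being off and Hidden=2 are legitimate settings on many machines and only corroborate. An autorun.inf on its own is likewise not proof of infection, which is why the script prints the launch lines rather than flagging the file outright.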

Last update 25 October 2013
