Win32.Vbs.Agent.E
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Vbs.Agent.E.
Explanation:
On first run, the virus generates a new version of its own code in which the functions are placed at random positions within the file.
It then copies itself to %systemroot%\system32\{UserName}.vbs
and starts infecting files with the .hta, .html, .htm, .asp and .vbs extensions.
Infected files contain the virus body at their beginning,
so whenever an infected file is opened, the virus runs too.
The virus infects up to 1000 files, each with a maximum size of 350000 bytes.
It modifies the following registry values:
sets the value of "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"
to {path to .vbs},
where {path to .vbs} is "%systemroot%\system32\{UserName}.vbs"
and {UserName} is the user name on the infected computer;
sets the values of "HKLM\Software\Classes\txtfile\shell\open\command\{Default}",
"HKLM\Software\Classes\regfile\shell\open\command\{Default}",
"HKLM\Software\Classes\chm.file\shell\open\command\{Default}" and
"HKLM\Software\Classes\hlpfile\shell\open\command\{Default}"
to "%systemroot%\system32\wscript.exe {path to .vbs} %1 %*",
all of these to make sure it gets executed most of the time;
sets the value of "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
to 0x81;
and sets the value of
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
to 0, hiding its files from the user by disabling the option to view files with the hidden attribute.
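As an added defensive example (not BitDefender's code, nor the virus's), the following Python checks a registry snapshot for the persistence, file-association and policy values described above. The snapshot format (a dict of "HIVE\key\value" to data) and the sample data are this example's own assumptions; on a live system the same values would be read with winreg.

```python
import re

# Registry values the entry says the virus writes (backslashes restored).
# Snapshot format is this example's assumption: {"HIVE\key\value": data}.
LOAD_VALUE = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"
HIJACKED_COMMANDS = [
    r"HKLM\Software\Classes\txtfile\shell\open\command\{Default}",
    r"HKLM\Software\Classes\regfile\shell\open\command\{Default}",
    r"HKLM\Software\Classes\chm.file\shell\open\command\{Default}",
    r"HKLM\Software\Classes\hlpfile\shell\open\command\{Default}",
]
AUTORUN_POLICY = (r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                  r"\Policies\Explorer\NoDriveTypeAutoRun")
SHOWALL = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Advanced\Folder\Hidden\SHOWALL\CheckedValue")
# A script dropped as %systemroot%\system32\{UserName}.vbs.
VBS_IN_SYSTEM32 = re.compile(r"\\system32\\[^\\\s]+\.vbs\b", re.IGNORECASE)


def find_indicators(snapshot):
    """Return one finding per value matching the described behaviour."""
    findings = []
    load = snapshot.get(LOAD_VALUE, "")
    if VBS_IN_SYSTEM32.search(load):
        # Load runs at logon: this is the persistence hook.
        findings.append(f"Load value starts a script from system32: {load}")
    for key in HIJACKED_COMMANDS:
        cmd = snapshot.get(key, "")
        if "wscript.exe" in cmd.lower() and VBS_IN_SYSTEM32.search(cmd):
            # Opening a .txt/.reg/.chm/.hlp file now passes through the script.
            findings.append(f"open command hijacked: {key}")
    if snapshot.get(AUTORUN_POLICY) == 0x81:
        # 0x81 leaves autorun on for removable and fixed drives, which the
        # autorun.inf dropped on every drive relies on.
        findings.append("NoDriveTypeAutoRun set to 0x81")
    if snapshot.get(SHOWALL) == 0:
        findings.append("SHOWALL CheckedValue forced to 0 (hidden files stay hidden)")
    return findings


# Constructed snapshot for demonstration, not data from a real machine.
INFECTED = {
    LOAD_VALUE: r"C:\WINDOWS\system32\alice.vbs",
    HIJACKED_COMMANDS[0]: r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\alice.vbs %1 %*",
    HIJACKED_COMMANDS[3]: r"C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\alice.vbs %1 %*",
    AUTORUN_POLICY: 0x81,
    SHOWALL: 0,
}
```

Calling find_indicators(INFECTED) returns five findings for the constructed snapshot; a snapshot with the default notepad association, NoDriveTypeAutoRun 0x91 and CheckedValue 1 returns none.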
It searches for any local or removable drive and copies two files there:
a copy of itself as {UserName}.vbs
and an autorun.inf.
It periodically checks whether any of the following processes is running:
ras.exe, 360tray.exe, taskmgr.exe, cmd.exe, cmd.com, regedit.exe, regedit.scr, regedit.pif, regedit.com, msconfig.exe, SREng.exe, USBAntiVir.exe
and, if it finds any, tries to kill it.
As a payload, it also checks for file names containing predefined strings related to adult videos and deletes them; the file extensions concerned are .mpg, .rmvb, .avi and .rm.
Last update 21 November 2011