
Worm:VBS/Serverons.A


First posted on 16 May 2013.
Source: Microsoft

Aliases :

There are no other names known for Worm:VBS/Serverons.A.

Explanation :



Installation

Worm:VBS/Serverons.A copies itself as help.vbs to the %TEMP% folder.

The worm also modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: help.vbs
With data: <location and file name of the worm>, for example %TEMP%\help.vbs

Spreads via...

Removable drives

Worm:VBS/Serverons.A may create the following copy of itself on targeted removable drives when spreading:

<removable drive>:\help.vbs

The worm hides all existing shortcut files (.lnk) on the removable drive, and then creates its own shortcut file (help.lnk), which, when opened, will run the copy of the worm on the drive.

It does this in an attempt to lure or trick you into opening the file, thinking it is a legitimate help file.



Payload

Steals computer information

The worm collects the following information about your computer:

  • Your user name
  • The computer's name
  • What version or edition of Windows you have on your computer


It sends this information to veros.adult<removed>.net on TCP port 99.

Additional information

When run, the worm modifies the registry key HKCU\updatee. It sets the value as "y" if the worm's file name is help.vbs; otherwise it sets the value as "n". It may do this to track whether the file name has been changed or not.
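The artifacts listed in this entry can be checked on a host with a short read-only PowerShell script. This is an added example, not part of the original analysis; it assumes PowerShell 3.0 or later on Windows 8 / Server 2012 or later, inspects only the root of each removable drive, and treats HKCU\updatee as either a key or a named value because the entry does not say which.

```powershell
# Added example (not from the original analysis): read-only check for the
# artifacts this entry lists. It reports findings and changes nothing.
$findings = @()

# Autostart: value "help.vbs" under the HKLM Run key
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'help.vbs' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value help.vbs -> $($run.'help.vbs')" }

# Dropped copy in %TEMP% of the current user
$tempCopy = Join-Path $env:TEMP 'help.vbs'
if (Test-Path -LiteralPath $tempCopy) { $findings += "File: $tempCopy" }

# Marker HKCU\updatee. Assumption: the entry does not say whether this is a
# key or a named value, so both forms are checked.
if (Test-Path -LiteralPath 'HKCU:\updatee') { $findings += 'Key: HKCU\updatee' }
$marker = Get-ItemProperty -Path 'HKCU:\' -Name 'updatee' -ErrorAction SilentlyContinue
if ($marker) { $findings += "Value HKCU\updatee = $($marker.updatee)" }

# Removable drives (DriveType 2): worm copy, lure shortcut, hidden .lnk files.
# Assumption: only the drive root is inspected.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($drive in $drives) {
    $root = "$($drive.DeviceID)\"
    foreach ($name in 'help.vbs', 'help.lnk') {
        $path = Join-Path $root $name
        if (Test-Path -LiteralPath $path) { $findings += "File: $path" }
    }
    $hidden = Get-ChildItem -LiteralPath $root -Filter '*.lnk' -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
    foreach ($lnk in $hidden) { $findings += "Hidden shortcut: $($lnk.FullName)" }
}

# Outbound connections to TCP port 99, the port named in this entry
$conns = Get-NetTCPConnection -RemotePort 99 -ErrorAction SilentlyContinue
foreach ($c in $conns) { $findings += "TCP $($c.RemoteAddress):99 (PID $($c.OwningProcess))" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No Worm:VBS/Serverons.A artifacts found.'
}
```

The %TEMP% and HKCU checks apply to the account running the script, so run it in the context of each user profile you want to examine.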



Analysis by Jeong Mun

Last update 16 May 2013

 
