Home / malware Worm:VBS/Slogod.X
First posted on 18 August 2010.
Source: SecurityHomeAliases :
Worm:VBS/Slogod.X is also known as Worm.VBS.Autorun.fv (Kaspersky), Worm/AutoRun.GK (AVG), VBS/Autorun.ahn (Avira), VBS.Flesh.A (BitDefender), VBS/SillyAutorunScript.FK (CA), Worm.VBS.Autorun (Ikarus), VBS/Autorun.worm.k (McAfee), Mal/VBSlog-A (Sophos).
Explanation :
Worm:VBS/Slogod.X is a detection for an obfuscated VBScript file that spreads itself via removable drives. It is also known to drop additional malware. Worm:VBS/Slogod.X can also modify certain system security settings, Internet Explorer settings, and the icon displayed for MP3 files.
Top
Worm:VBS/Slogod.X is a detection for an obfuscated VBScript file that spreads itself via removable drives. It is also known to drop additional malware. Installation Worm:VBS/Slogod.X drops itself as the following file, with the "hidden", "system", and "archive" attributes: <system folder>\winjpg.jpg Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Worm:VBS/Slogod.X periodically modifies the following registry entries to ensure that it and its dropped file (see the Payload section below) automatically run whenever Windows starts: Adds value: "regdiit" With data: "<system folder>\win.exe" In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "CTFMON" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Worm:VBS/Slogod.X modifies the following registry entries to enable itself and its dropped file to execute when EXE files are opened or as debuggers of various tools: Adds value: "Default" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKCR\exefile\shell\Scan for virus,s\command Adds value: "Default" With data: "<system folder>\win.exe" In subkey: HKCR\exefile\shell\Open application\command Adds value: "Debugger" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe Adds value: "Debugger" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Adds value: "Debugger" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Adds value: "Debugger" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Adds value: "Debugger" With data: "<system folder>\wscript.exe /E:vbs <system folder>\winjpg.jpg" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe Adds value: "Debugger" With data: "<system folder>\win.exe" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe Adds value: "Debugger" With data: "<system folder>\win.exe" In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Spreads via... Removable drives Worm:VBS/Slogod.X spreads itself by periodically dropping the following files in all removable drives except for A:winfile.jpg - copy of itself; has "hidden", "read-only", "system", and "archive" attributes autorun.inf - INF file designed to automatically execute the worm copy when the drive is accessed and Autorun is enabled Payload Drops other malware Worm:VBS/Slogod.X drops the following file, with the "hidden", "system", and "archive" attributes: <system folder>\win.exe - may be detected as Trojan:Win32/VB Modifies icons and friendly names for certain files Worm:VBS/Slogod.X modifies the following registry entries so that VBS files are displayed with the same icon as MP3 files: Adds value: "Default" With data: <mp3 icon file> In subkey: HKLM\SOFTWARE\Classes\Vbsfile\DefaultIcon It also modifies the following registry entries to change the friendly type name of VBS and MPĀ£ files: Adds value: "FriendlyTypeName" With data: "MP3 Audio" In subkey: HKCR\VBSFile Adds value: "FriendlyTypeName" With data: "Good Songs" In subkey: HKCR\mp3file Modifies system settings Worm:VBS/Slogod.X modifies the following registry entries: Turns off the creation of checkpoints by Windows Installer: Adds value: "LimitSystemRestoreCheckpointing" With data: 1 In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer Disables Windows System Restore: Adds value: "DisableSR" With data: 1 In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore Stops the Windows Update service: Adds value: "Start" With data: 4 In subkey: HKLM\SYSTEMCurrentControlSet\Services\wuauserv Stops the Windows Security Center service: Adds value: "Start" With data: 4 In subkey: HKLM\SYSTEMCurrentControlSet\Services\wscsvc Disables Windows Security Center alerts: Adds value: "AntiVirusOverride" With data: 1 In subkey: HKLM\SOFTWARE\Microsoft\Security Center Stops Windows Firewall service: Adds value: "Start" With data: 4 In subkey: HKLM\SYSTEMCurrentControlSet\Services\SharedAccess It also modifies the following registry entries to change Windows script settings: Adds value: "DisplayLogo" With data: 0 Adds value: "Timeout" With data: 0 Adds value: "Enabled" With data: 1 In subkey: "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" Worm:VBS/Slogod.X also periodically modifies following registry entries: Changes Internet Explorer settings: Adds value: "Window Title" With data: "" Adds value: "Start Page" With data: "http://www.google.com" In subkey: HKCU\Software\Microsoft\Internet Explorer\Main Enables Autorun on the computer: Adds value: "NoDriveTypeAutoRun" With data: 0 In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Modifies the way that hidden files are displayed in Windows Explorer: Adds value: "SuperHidden" With data: 1 Adds value: "HideFileExt" With data: 1 Adds value: "ShowSuperHidden" With data: 0 Adds value: "Hidden" With data: 0 In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Adds value: "CheckedValue" With data: 0 In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Analysis by Shawn WangLast update 18 August 2010