Symptoms
- Existence of these files: %system32%\.vbe, %windows%\.vbe
- Presence in the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" of the following value: "%windows%system32\.vbe"
- Presence of the key HKLM\Software\{Computer name}
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel Chipiristeanu, virus researcher
Technical Description:
Upon execution, the malware sets the attributes of its file to "Read Only" and "Hidden", so the user can no longer see it. It then copies itself to these locations:
%system32%\.vbe, %windows%\.vbe [the paths are relative to where the user has installed the operating system]
It creates these registry keys:
- "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" with the value {Computer name}, which points to the file "%windows%system32\.vbe". This ensures the virus is executed at startup.
- [HKEY_LOCAL_MACHINE\SOFTWARE\{Computer name}]
"til"="UC" [looks like a signature of the virus]
"tjs"="708"
"djs"="{Date of Infection}"
"ded"="0"
"osw"="4"
It copies itself onto removable storage devices and executes itself through an "autorun.inf" file.
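The indicators above can be checked on a host with a short read-only PowerShell function. This is an added example, not BitDefender's tooling; the function name Find-VbeWormIndicators is hypothetical, and because the file name is not given in the description it reports any hidden, read-only .vbe file in the two folders for manual review.

```powershell
# Added example: read-only triage for the indicators described above.
# Assumption: the file name is not given on the page, so any hidden + read-only
# .vbe directly under %windir% or %windir%\System32 is reported for review.
function Find-VbeWormIndicators {   # hypothetical name
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $hidden   = [IO.FileAttributes]::Hidden
    $readOnly = [IO.FileAttributes]::ReadOnly

    # 1. Hidden, read-only .vbe copies in the Windows and System32 folders.
    foreach ($dir in @($env:windir, (Join-Path $env:windir 'System32'))) {
        Get-ChildItem -LiteralPath $dir -Filter '*.vbe' -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Attributes -band $hidden) -and ($_.Attributes -band $readOnly) } |
            ForEach-Object { $findings.Add("File: $($_.FullName) [$($_.Attributes)]") }
    }

    # 2. Startup entries under Policies\Explorer\Run whose data references a .vbe file.
    $run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $data = [string]$run.GetValue($name)
            if ($data -match '\.vbe\b') { $findings.Add("Run value: '$name' -> $data") }
        }
    }

    # 3. Marker key named after the computer, with the values listed in the description.
    $marker = Get-Item -LiteralPath "HKLM:\SOFTWARE\$env:COMPUTERNAME" -ErrorAction SilentlyContinue
    if ($marker) {
        $names = $marker.GetValueNames()
        $hits  = @('til', 'tjs', 'djs', 'ded', 'osw' | Where-Object { $names -contains $_ })
        if ($hits.Count -gt 0) {
            $details = ($hits | ForEach-Object { "$_=$($marker.GetValue($_))" }) -join ', '
            $findings.Add("Marker key: $($marker.Name) ($details)")
        }
    }
    $findings
}

$result = @(Find-VbeWormIndicators)
if ($result.Count -eq 0) { 'No indicators from this description were found.' } else { $result }
```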