VBS.Worm.Runauto.A
Spreading: high
Damage: medium
Size: approx. 27 kb
Discovered: 2008 Jun 19
SYMPTOMS:
- Existence of these files: %system32%\.vbe, %windows%\.vbe
- Presence of the following value in the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run": "%windows%system32\.vbe"
- Existence of the key HKLM\Software\{Computer name}
TECHNICAL DESCRIPTION:
Upon execution, the malware sets the "Read Only" and "Hidden" attributes on its file, so the user can no longer see it. It then copies itself to these locations:
%system32%\.vbe, %windows%\.vbe [the paths are relative to the location where the user installed the operating system]
It creates these registry keys:
- "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" with the value {Computer name}, which points to the file "%windows%system32\.vbe". This ensures the virus is executed at startup.
- [HKEY_LOCAL_MACHINE\SOFTWARE\{Computer name}]
"til"="UC" [looks like a signature of the virus]
"tjs"="708"
"djs"="{Date of Infection}"
"ded"="0"
"osw"="4"
It copies itself onto removable storage devices and executes itself through an "autorun.inf" file.
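The registry symptoms described above can be checked offline against the text of a `reg export` dump. The following is an added example, not BitDefender's code; the function names, the host name LAB-PC01 and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
MARKER_VALUES = {"til", "tjs", "djs", "ded", "osw"}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; host name LAB-PC01 and the "djs" date format are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"LAB-PC01"="C:\\WINDOWS\\system32\\.vbe"

[HKEY_LOCAL_MACHINE\SOFTWARE\LAB-PC01]
"til"="UC"
"tjs"="708"
"djs"="2008-06-19"
"ded"="0"
"osw"="4"
'''

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_indicators(text, computer_name):
    """Return (kind, name, detail) tuples for the registry symptoms listed above."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    hits = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if data.lower().endswith("\\.vbe"):  # autostart entry launching a file named ".vbe"
            hits.append(("run-value", name, data))
    marker = keys.get(("HKEY_LOCAL_MACHINE\\SOFTWARE\\" + computer_name).lower())
    if marker is not None:
        found = sorted(MARKER_VALUES & {n.lower() for n in marker})
        hits.append(("marker-key", computer_name, ",".join(found)))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE, "LAB-PC01"):
        print(hit)
```

`reg export` writes UTF-16 text, so decode the file (for example with `open(path, encoding="utf-16")`) before passing its contents to `find_indicators`.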
Removal instructions:
Please let BitDefender disinfect your files.
ANALYZED BY:
Daniel Chipiristeanu, virus researcher