
Win32.Vbs.Agent.E

LOW
LOW
~33 KB

Symptoms

autorun.inf and {UserName}.vbs present in the root of every drive
taskmgr.exe, regedit.exe, msconfig.exe and cmd.exe cannot be kept running (the virus kills them as soon as they start)
presence of an .ini file, %systemroot%\system32\{UserName}.ini,
and of %systemroot%\system32\{UserName}.vbs

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Lita Catalin, virus researcher

Technical Description:

on first run
it generates a new copy of its own code in which the functions are placed in random order within the file, so that each generation looks different
then it copies itself to %systemroot%\system32\{UserName}.vbs

it then starts infecting files with the .hta, .html, .htm, .asp and .vbs extensions
the virus body is prepended to each infected file
so the virus runs every time an infected file is opened
it infects at most 1000 files, skipping any file larger than 350000 bytes

it modifies the following registry values:

sets the value of "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load"
        to {path to .vbs}
  where {path to .vbs} is "%systemroot%\system32\{UserName}.vbs"
   and {UserName} is the name of the account on the infected computer
   (whatever the Load value names is started at logon)

sets the (Default) value of
    "HKLM\Software\Classes\txtfile\shell\open\command"
    "HKLM\Software\Classes\regfile\shell\open\command"
    "HKLM\Software\Classes\chm.file\shell\open\command"
    "HKLM\Software\Classes\hlpfile\shell\open\command"
to "%systemroot%\system32\wscript.exe {path to .vbs} %1 %*"
so that the virus is run, with the requested file as its argument, whenever a .txt, .reg, .chm or .hlp file is opened; these extra hooks give it several chances to execute even if one of them is removed

sets the value of "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun"
to 0x81, which disables AutoRun only for drives of unknown type and leaves it enabled for removable and fixed drives, so the autorun.inf it drops is honored
and the value of
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue"
to 0, which breaks the "Show hidden files and folders" option in Explorer and so keeps its hidden files out of the user's sight

searches for every local or removable drive and copies two files to its root:
a copy of itself as {UserName}.vbs
and an autorun.inf (so that the copy is launched when the drive is opened)


it periodically checks whether any of the following processes (system utilities and security tools) is running:
ras.exe, 360tray.exe, taskmgr.exe, cmd.exe, cmd.com, regedit.exe, regedit.scr, regedit.pif, regedit.com, msconfig.exe, SREng.exe, USBAntiVir.exe
and kills any it finds

as a payload, it also searches for video files with the .mpg, .rmvb, .avi and .rm extensions whose names contain predefined strings related to adult videos and deletes them
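The file, registry and drive indicators above, gathered into a PowerShell audit script. This is an added example, not Bitdefender's code or the removal tool: it only reports and changes nothing. It assumes the account running it is the one that was logged on when the infection happened (the dropped files are named after that user), that it is run from an elevated prompt so HKLM and every drive root are readable, and the helper name Get-RegValue is its own.

```powershell
# Added example: audit a Windows host for the Win32.Vbs.Agent.E indicators described in the entry.
# Not Bitdefender's code. Reports only; it modifies nothing. Run elevated.
# Assumption: the infected account is the one running this script ({UserName} = $env:USERNAME).

$findings = New-Object System.Collections.Generic.List[string]

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Dropped files in %SystemRoot%\System32 named after the current user.
$dropped = @(
    (Join-Path $env:SystemRoot "System32\$($env:USERNAME).vbs"),
    (Join-Path $env:SystemRoot "System32\$($env:USERNAME).ini")
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings.Add("Dropped file present: $f") }
}

# 2. Logon persistence: the Load value should normally be empty, never a script.
$load = Get-RegValue -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Name 'Load'
if ($load -and $load -match '\.vbs') { $findings.Add("Load value starts a script at logon: $load") }

# 3. Hijacked file-type handlers: the (Default) open command must not route through wscript.exe.
foreach ($ft in 'txtfile', 'regfile', 'chm.file', 'hlpfile') {
    $cmd = Get-RegValue -Path "HKLM:\Software\Classes\$ft\shell\open\command" -Name '(default)'
    if ($cmd -and $cmd -match 'wscript\.exe') { $findings.Add("$ft open command hijacked: $cmd") }
}

# 4. AutoRun policy: 0x81 clears the removable-drive bit (0x04), so autorun.inf on USB sticks is honored.
$nda = Get-RegValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -Name 'NoDriveTypeAutoRun'
if ($nda -ne $null -and (($nda -band 0x04) -eq 0)) {
    $findings.Add(('NoDriveTypeAutoRun leaves removable-drive AutoRun enabled: 0x{0:X2}' -f $nda))
}

# 5. "Show hidden files" sabotaged: CheckedValue is 1 on a healthy system.
$showall = Get-RegValue -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL' -Name 'CheckedValue'
if ($showall -eq 0) { $findings.Add('SHOWALL\CheckedValue is 0: Explorer cannot be set to show hidden files') }

# 6. autorun.inf together with a .vbs in the root of any drive (hidden attributes are expected, hence -Force).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $root = $drive.Root
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $inf = Join-Path $root 'autorun.inf'
    $vbs = Get-ChildItem -LiteralPath $root -Filter '*.vbs' -File -Force -ErrorAction SilentlyContinue
    if ((Test-Path -LiteralPath $inf) -and $vbs) {
        $findings.Add("autorun.inf and $($vbs.Name -join ', ') in the root of $root")
    }
}

if ($findings.Count -eq 0) { 'No Win32.Vbs.Agent.E indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any hit under item 3 or 4 is worth treating as a strong indicator on its own: a stock Windows install never routes .txt or .reg files through wscript.exe, and a user-level NoDriveTypeAutoRun that re-enables removable-drive AutoRun is unusual outside of malware. The infected .hta/.html/.htm/.asp/.vbs files cannot be spotted from this script because the entry gives no byte signature for the prepended body; leave that to the scanner, as the removal instructions say.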