- presence of the file pagefiles.sys inside root directory of every drive
- presence of autorun.inf inside root directory of drives, pointing to the file described above
- presence of the file %windir%\win.exe
- presence of the file %system%\regedit.sys
- strange system behaviour (applications that simply refuse to run)
- computer slowdowns
Please let BitDefender disinfect your files.
Lutas Andrei Vlad, virus researcher
This is a VBS (Visual Basic Script) that comes encrypted with a trivial algorithm:
For i = 1 To Len(vbss)
    DVBS = DVBS & Chr(Asc(Mid(vbss, i, 1)) - 1)   ' shift each character code down by one
Next
The only purpose of the raw script is to decrypt the rest of its body and execute it. After decryption, the script will perform the following actions:
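The loop above is a one-character downward shift applied to every byte of the encrypted body. The Python port below is an added example (not code from the BitDefender writeup or from the worm) that reproduces the transform on a constructed fixture and peels repeated layers until readable script appears; ENCODED_SAMPLE, VBS_MARKERS and the function names are assumptions made for the example.

```python
# Constructed sample: the plaintext MsgBox "Hello" with every character code
# shifted up by one, i.e. what a Chr(Asc(c) + 1) encoder would produce.
# It is an assumed fixture, not a fragment of the actual worm.
ENCODED_SAMPLE = 'NthCpy!#Ifmmp#'

# Keywords whose presence suggests the current layer is readable VBScript.
VBS_MARKERS = ('set ', 'createobject', 'execute', 'msgbox', 'wscript',
               'function ', 'sub ')


def shift_decode(vbss, shift=1):
    """Port of the worm's loop: DVBS = DVBS & Chr(Asc(Mid(vbss, i, 1)) - 1).

    Chr() in VBScript cannot take a negative code, so a character whose code
    is below `shift` means this layer is not shift-encoded; report it instead
    of silently wrapping around.
    """
    out = []
    for ch in vbss:
        code = ord(ch) - shift
        if code < 0:
            raise ValueError(f'character {ch!r} cannot be shifted by {shift}')
        out.append(chr(code))
    return ''.join(out)


def shift_encode(text, shift=1):
    """Inverse transform, used here only to build test fixtures."""
    return ''.join(chr(ord(c) + shift) for c in text)


def looks_like_vbs(text):
    """Cheap heuristic: does the text contain a VBScript keyword?"""
    t = text.lower()
    return any(m in t for m in VBS_MARKERS)


def peel_layers(payload, max_layers=5, shift=1):
    """Apply shift_decode until the result reads as script.

    Returns (decoded_text, layers_removed); raises if no readable layer is
    found within max_layers, so a sample using a different scheme fails
    loudly rather than producing garbage.
    """
    current = payload
    for layer in range(max_layers + 1):
        if looks_like_vbs(current):
            return current, layer
        current = shift_decode(current, shift)
    raise ValueError(f'no VBScript found within {max_layers} layers')


if __name__ == '__main__':
    text, layers = peel_layers(ENCODED_SAMPLE)
    print(f'{layers} layer(s) removed: {text}')
```

Running the module prints the decoded fixture; in practice the payload is the string the outer script passes to Execute, and peel_layers stops at the first layer that reads as VBScript.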
- modify DisplayLogo and Timeout settings of the Windows Script Host
- add the following registry keys:
HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command\ with the value %windir%\system32\wscript.exe /E:vbs "%windir%\system32\regedit.sys"
HKEY_CLASSES_ROOT\exefile\shell\Open application\command\ with the value %windir%\win.exe
where %windir%\system32\regedit.sys is a copy of the worm. By adding these keys, it actually adds 2 new options to Explorer's contextual menu: "Scan for virus,s" and "Open application". By right-clicking an exe-file and selecting one of these options, a user would actually run the worm (%system%\regedit.sys) or win.exe (which will be discussed later).
- add several entries of the following type:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\!HIJACKED_APP!\Debugger with value: %windir%\system32\wscript.exe /E:vbs "%windir%\system32\regedit.sys"
where !HIJACKED_APP! is each of the following applications: drwtsn32.exe, taskmgr.exe, regedit.exe, rstrui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\!HIJACKED_APP!\Debugger with value %windir%\win.exe
where !HIJACKED_APP! will be security-software applications, screen-savers and other commercial applications (182 entries). This way, any time one of these programs is run, the malicious script (%system%\regedit.sys) or %windir%\win.exe is executed instead.
- remove the following registry entries:
- create an autorun.inf file on every accessible drive (in order to be executed any time one of those drives is accessed)
- open in Explorer.exe the path where the original worm-file is located (the directory it was executed in)
- drop and execute in %windir% another file: win.exe, which is a Backdoor and is already detected by BitDefender
- modify the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit setting its value to %windir%\system32\userinit.exe,wscript.exe /E:vbs %windir%\system32\regedit.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFMON setting its value to %windir%\win.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled, by setting its value to 1 and making sure that scripting is not disabled.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue by setting its value to 0 and making sure that hidden files and folders won't be displayed by Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden, by setting its value to 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden by setting its value to 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt by setting its value to 1, in order to make file extensions invisible under Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden, by setting its value to 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun by setting its value to 0, in order to activate autorun on every drive
%windir% is a variable that refers to the Windows directory (usually C:\Windows)
%system% is a variable that refers to the system folder (usually C:\Windows\System32)
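The context-menu verbs, Image File Execution Options debuggers, Userinit, Run and policy values listed above are all visible in a plain registry export, so an incident responder can triage them offline. The script below is an added example (not BitDefender's tool or anything from the worm) that parses a Registry Editor .reg export and reports the tampering patterns the description gives. SAMPLE_REG is a constructed fixture using C:\Windows in place of %windir%; the rule set, function names and the notepad.exe GlobalFlag entry (included as a benign IFEO value that must not be flagged) are assumptions.

```python
import re

# Constructed .reg export mirroring the persistence entries described above.
# It is an assumed fixture, not a dump from an infected machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\system32\\wscript.exe /E:vbs \"C:\\Windows\\system32\\regedit.sys\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,wscript.exe /E:vbs C:\\Windows\\system32\\regedit.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON"="C:\\Windows\\win.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\Open application\command]
@="C:\\Windows\\win.exe"
'''

# "Name"=value  or  @=value (default value); names may contain escaped quotes.
_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, value) from a .reg export.

    REG_SZ ("...") and REG_DWORD (dword:...) are decoded; any other type is
    returned as its raw text so the caller can still match on it.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _LINE.match(line)
        if key is None or not m:
            continue
        name = '' if m.group(2) else _unescape(m.group(1))
        val = m.group(3)
        if val.startswith('"') and val.endswith('"'):
            val = _unescape(val[1:-1])
        elif val.lower().startswith('dword:'):
            val = int(val[6:], 16)
        yield key, name, val


def audit(text):
    """Return human-readable findings for the tampering patterns listed above."""
    findings = []
    for key, name, val in parse_reg(text):
        k, n, s = key.lower(), name.lower(), str(val).lower()
        if '\\image file execution options\\' in k and n == 'debugger':
            # Any Debugger value replaces the program it is set on at launch.
            findings.append(f'IFEO Debugger hijack of {key.rsplit(chr(92), 1)[1]}: {val}')
        elif k.startswith('hkey_classes_root\\exefile\\shell\\') and k.endswith('\\command'):
            verb = key.split('\\')[3]
            if verb.lower() not in ('open', 'runas') and (
                    'wscript' in s or 'cscript' in s or s.endswith('\\win.exe')):
                findings.append(f'exefile context-menu verb "{verb}" runs {val}')
        elif k.endswith('\\winlogon') and n == 'userinit':
            # Userinit must be exactly userinit.exe; anything appended runs at every logon.
            parts = [p.strip() for p in s.split(',') if p.strip()]
            if len(parts) != 1 or not parts[0].endswith('\\userinit.exe'):
                findings.append(f'Winlogon Userinit tampered: {val}')
        elif k.endswith('\\currentversion\\run') and (s.endswith('\\win.exe') or 'wscript' in s):
            findings.append(f'Run entry {name} launches {val}')
        elif k.endswith('\\folder\\hidden\\showall') and n == 'checkedvalue' and val == 0:
            findings.append('Explorer SHOWALL\\CheckedValue forced to 0 (hidden files cannot be shown)')
        elif k.endswith('\\policies\\explorer') and n == 'nodrivetypeautorun' and val == 0:
            findings.append('NoDriveTypeAutoRun set to 0 (autorun enabled on every drive)')
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_REG):
        print(f)
```

Export the hives with `reg export` on the suspect machine and feed the file to audit(); the IFEO rule deliberately reports every Debugger value rather than only those naming wscript.exe, because the 182 hijacked entries mentioned above vary only in the target application, and a legitimate debugger entry is rare enough to review by hand.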