
Worm:VBS/Autorun.BU


First posted on 24 August 2012.
Source: Microsoft

Aliases :

Worm:VBS/Autorun.BU is also known as VBS/AutoRun.HD (ESET), HTML/Rce.Gen (Avira), VBS.Autorun (Ikarus).

Explanation :

Worm:VBS/Autorun.BU is a VBScript worm that spreads by dropping copies of itself onto all available removable drives, together with an autorun.inf that launches them. It also modifies system security settings: it clears a number of Explorer and system policy restrictions and turns AutoRun on for every drive type.

Installation

When run, Worm:VBS/Autorun.BU copies itself to "<system folder>\domz.vbs".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is "C:\Winnt\System32"; and for XP, Vista, and 7 it is "C:\Windows\System32".

As a part of its installation process, the malware may modify the following registry entry in order to run at Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "domz"
With data: "wscript.exe <system folder>\domz.vbs"

Spreads via...

Removable drives

When run, Worm:VBS/Autorun.BU copies itself as "domz_maintenance.vbs" to all removable drives.

It also places an "autorun.inf" file, detected as Worm:VBS/Autorun.BU!inf, in the root directory of each targeted removable drive. Such files contain launch instructions for the operating system, so that when the drive is connected to another computer on which the AutoRun feature is enabled, the worm copy is launched automatically.
It should be noted that "autorun.inf" files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation media. Note also that this spreading method depends on the victim's AutoRun configuration: Windows installations that have received the February 2011 AutoRun update (KB971029) no longer honour autorun.inf on removable drives other than CD and DVD media, so on such hosts the copy only runs if a user opens it.

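The installation and removable-drive indicators above lend themselves to a triage script. The following PowerShell is an added example, not part of the Microsoft write-up: it looks for a running wscript.exe instance launching the worm, the dropped "<system folder>\domz.vbs", the "domz" Run value and, on each removable drive, "domz_maintenance.vbs" together with an autorun.inf that references it. The file and value names are taken from the text above; the -Remove switch and the Report helper are this example's own, and the assumption that a worm process can be recognised by "domz" in the wscript.exe command line follows from the Run value data quoted above.

```powershell
# Added example (not from the original write-up): triage for the
# Worm:VBS/Autorun.BU indicators listed above. Run in an elevated console,
# as the affected user. Without -Remove the script only reports.
[CmdletBinding()]
param([switch]$Remove)

$systemFolder = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$droppedFile  = Join-Path $systemFolder 'domz.vbs'
$runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue     = 'domz'

# Helper for this example only: uniform warning output.
function Report($what, $detail) { Write-Warning ("{0}: {1}" -f $what, $detail) }

# 1. Running instances. The autostart command is "wscript.exe <system folder>\domz.vbs",
#    so look for wscript.exe processes whose command line names the script.
Get-CimInstance Win32_Process -Filter "Name = 'wscript.exe'" |
    Where-Object { $_.CommandLine -match 'domz(_maintenance)?\.vbs' } |
    ForEach-Object {
        Report 'Running worm process' "PID $($_.ProcessId): $($_.CommandLine)"
        if ($Remove) { Stop-Process -Id $_.ProcessId -Force }
    }

# 2. Dropped copy in the System folder (-Force also removes hidden/read-only files).
if (Test-Path -LiteralPath $droppedFile) {
    Report 'Dropped file' $droppedFile
    if ($Remove) { Remove-Item -LiteralPath $droppedFile -Force }
}

# 3. Autostart entry. HKCU is per user, so another user's session will not show it.
$entry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($entry -and $entry.$runValue -match 'domz\.vbs') {
    Report 'Autostart value' "$runKey\$runValue = $($entry.$runValue)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
}

# 4. Copies on removable drives (Win32_LogicalDisk DriveType 2 = removable) and
#    the autorun.inf that launches them. An autorun.inf is only flagged when its
#    contents name the worm's file, since legitimate media also carry autorun.inf.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $root = $disk.DeviceID + '\'
    $copy = Join-Path $root 'domz_maintenance.vbs'
    $inf  = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $copy) {
        Report 'Worm copy on removable drive' $copy
        if ($Remove) { Remove-Item -LiteralPath $copy -Force }
    }
    if (Test-Path -LiteralPath $inf) {
        $content = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($content -match 'domz_maintenance\.vbs') {
            Report 'autorun.inf referencing the worm' "$inf`n$content"
            if ($Remove) { Remove-Item -LiteralPath $inf -Force }
        }
    }
}
```

Run it first without -Remove to see what it finds. The process is stopped before the files are deleted so that a running script cannot re-drop them, and the autorun.inf is removed only when it names the worm copy, in line with the caveat above that such files are also used by legitimate media.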


Payload

Modifies system security settings

Worm:VBS/Autorun.BU modifies your computer's security settings by making the following changes to the registry. Every value below is set to 0, which is the unrestricted state: rather than locking the user out of these tools, the worm clears restrictions that other malware or an administrator may have put in place and, in the last entry, turns AutoRun back on.

It ensures the system utility Task Manager is enabled:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
With data: "0"

It ensures the Run item appears in the Start Menu:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoRun"
With data: "0"

It ensures the Folder Options item appears in all Windows Explorer menus and the Control Panel:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoFolderOptions"
With data: "0"

Note: Setting these values to 0, as this worm does, restores access. Other malware sets the same values to 1 to remove access to these options, which may hinder your ability to detect and remove malware.

It enables the use of My Computer to access the content of selected drives:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoViewOnDrive"
With data: "0"

It enables the use of registry editors:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableRegistryTools"
With data: "0"

It ensures the Command Prompt is enabled:

In subkey: HKCU\Software\Policies\Microsoft\Windows\System
Sets value: "DisableCMD"
With data: "0"

It ensures you can add printers:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoAddPrinter"
With data: "0"

It ensures that the Log Off option appears on the Start menu:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoLogoff"
With data: "0"

It ensures you can connect to networks:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoNetworkConnections"
With data: "0"

It ensures that desktop icons appear on the desktop:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDesktop"
With data: "0"

It ensures that AutoRun is enabled for every drive type:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutorun"
With data: "0"

Note: NoDriveTypeAutorun is a bitmask in which each set bit disables AutoRun for one class of drive. A value of 0 clears every bit and so allows AutoRun on removable drives, which is the condition the spreading method described above relies on.

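As an added example (not from the original write-up), the PowerShell below lists the current data of each policy value named in this section and, with -HardenAutoRun, sets NoDriveTypeAutoRun to 0xFF, the value Microsoft documents for disabling AutoRun on every drive type, which removes the spreading vector described above. The key and value names are those listed above; the Get-PolicyState function and the switch name are this example's own.

```powershell
# Added example (not from the original write-up): audit the policy values this
# worm resets and optionally turn AutoRun off. Without the switch it only reports.
[CmdletBinding()]
param([switch]$HardenAutoRun)

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmdPol   = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# The (key, value name) pairs listed in the Payload section, in the same order.
$policies = @(
    @{ Key = $system;   Name = 'DisableTaskMgr' }
    @{ Key = $explorer; Name = 'NoRun' }
    @{ Key = $explorer; Name = 'NoFolderOptions' }
    @{ Key = $explorer; Name = 'NoViewOnDrive' }
    @{ Key = $system;   Name = 'DisableRegistryTools' }
    @{ Key = $cmdPol;   Name = 'DisableCMD' }
    @{ Key = $explorer; Name = 'NoAddPrinter' }
    @{ Key = $explorer; Name = 'NoLogoff' }
    @{ Key = $explorer; Name = 'NoNetworkConnections' }
    @{ Key = $explorer; Name = 'NoDesktop' }
    @{ Key = $explorer; Name = 'NoDriveTypeAutoRun' }
)

# Returns one object per policy value with its current data. For every value
# here 0 or absent means "no restriction": the normal state for the Explorer and
# System restrictions, but the weak state for NoDriveTypeAutoRun, where a zero
# value allows AutoRun on removable drives.
function Get-PolicyState {
    foreach ($p in $policies) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue
        $data = $null
        if ($item) { $data = $item.($p.Name) }
        $shown = '(absent)'
        if ($null -ne $data) { $shown = ('0x{0:X}' -f [int]$data) }
        [pscustomobject]@{
            Key            = $p.Key
            Value          = $p.Name
            Data           = $shown
            RestrictionSet = ($null -ne $data -and [int]$data -ne 0)
        }
    }
}

Get-PolicyState | Format-Table -AutoSize

if ($HardenAutoRun) {
    if (-not (Test-Path -LiteralPath $explorer)) {
        New-Item -Path $explorer -Force | Out-Null
    }
    # 0xFF sets every drive-type bit, which disables AutoRun on all drive types.
    Set-ItemProperty -Path $explorer -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Write-Host 'NoDriveTypeAutoRun set to 0xFF under HKCU; sign out and in again for Explorer to apply it.'
}
```

Because 0 is also what these values hold on a clean system, finding them at 0 is not by itself evidence of infection; the listing is for confirming that nothing was left restricted and for tightening AutoRun afterwards. The same value under HKLM takes precedence over the HKCU copy, so on a managed machine check that hive as well.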


Analysis by Vincent Tiu

Last update 24 August 2012
