
Worm:VBS/Slogod.E


First posted on 01 January 2020.
Source: Microsoft

Aliases:

Worm:VBS/Slogod.E is also known as VBS/Slogod.N, VBS/Sasan-Fam, VBS/Pica.worm.gen, VBS.Solow, VBS_SASAN.A.

Explanation:

Worm:VBS/Slogod.E is a worm that spreads by dropping copies of itself in all drives except for A:.

Installation

Upon execution, Worm:VBS/Slogod.E creates the following copies of itself in the Windows folder:

%windir%\.MGT_reg32.dll.vbs
%windir%\boot.ini

It then modifies the system registry so that it automatically runs every time Windows starts up:

Adds value: "MS32DLL"
With data: ".MGT_reg32.dll.vbs"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "MGT_reg"
With data: "%windir%\.MGT_reg32.dll.vbs"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "winboot"
With data: "wscript.exe /E:vbs %windir%\boot.ini"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry entry to assist in running its VBS copies:

Adds value: "Timeout"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows Scripting Host\Settings

Note that the last three registry entries are recreated every ten seconds to enable this worm to continue running even if the autostart entries are removed.

Spreads via logical drives

Worm:VBS/Slogod.E drops copies of itself in all writeable drives (except for A:) as the file .MGT_reg32.dll.vbs. It also drops the file autorun.inf, which is an initialization file that automatically executes the worm copy when the drive is accessed and Autoplay is enabled. The file autorun.inf is detected as Worm:VBS/Slogod.E!inf.

To ensure that Autoplay is enabled in all drives, this worm adds the following registry entry:

Adds value: "NoDriveTypeAutoRun"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Note that the worm performs its propagation routine every ten seconds to ensure that at least one drive always has a copy of this worm.

Payload

Modifies system settings

Worm:VBS/Slogod.E modifies system settings to prevent the user from viewing hidden files and file extensions. These registry entries are also added every ten seconds:

Adds value: "Hidden"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Adds value: "SuperHidden"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Adds value: "HideFileExt"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Additional information

Worm:VBS/Slogod.E contains the following text in its code:

slow and silent (sas)1.0

Analysis by Patrik Vicol
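The following read-only PowerShell audit is an added example and is not part of the Microsoft write-up: it checks a host for the Run-key values, dropped files and rewritten settings described above. The key paths, value names and filenames are taken from this description; the split into strong and weak indicators and the pattern matching are my assumptions.

```powershell
# Added audit script, not part of the Microsoft write-up. Read-only: reports
# the Slogod.E indicators listed above without changing anything.
$findings = @()

# Strong indicators: the three HKLM Run values and the dropped files.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'MS32DLL', 'MGT_reg', 'winboot') {
    $data = if ($run) { $run.$name } else { $null }
    if ($data -and $data -match 'MGT_reg32\.dll\.vbs|wscript\.exe\s+/E:vbs') {
        $findings += "STRONG: Run value '$name' = '$data'"
    }
}
# Copies in %windir% plus a copy and autorun.inf at the root of every drive but A:
$roots = @($env:windir) + @(Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Name -ne 'A' } | ForEach-Object { $_.Root })
foreach ($root in $roots) {
    foreach ($file in '.MGT_reg32.dll.vbs', 'boot.ini', 'autorun.inf') {
        $path = Join-Path $root $file
        # boot.ini and autorun.inf are legitimate names; flag them only when they
        # reference the worm's script, as the write-up describes.
        if ((Test-Path -LiteralPath $path -ErrorAction SilentlyContinue) -and
            ($file -eq '.MGT_reg32.dll.vbs' -or
             (Select-String -LiteralPath $path -Pattern 'MGT_reg32' -Quiet))) {
            $findings += "STRONG: file $path"
        }
    }
}

# Weak indicators: the values the worm rewrites every ten seconds. Each can also
# be a legitimate user or default setting, so report them only as corroboration.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$weak = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows Scripting Host\Settings'; Name = 'Timeout'; Value = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Value = 0 },
    @{ Key = $adv; Name = 'Hidden'; Value = 1 },
    @{ Key = $adv; Name = 'SuperHidden'; Value = 1 },
    @{ Key = $adv; Name = 'ShowSuperHidden'; Value = 0 },
    @{ Key = $adv; Name = 'HideFileExt'; Value = 1 }
)
foreach ($w in $weak) {
    $p = Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue
    if ($p -and [int]$p.($w.Name) -eq $w.Value) {
        $findings += "weak: $($w.Key)\$($w.Name) = $($w.Value)"
    }
}

if ($findings) { $findings | ForEach-Object { "[!] $_" } }
else { 'No Worm:VBS/Slogod.E indicators found.' }
```

Because the worm rewrites its entries every ten seconds, a host that shows only weak findings once should be re-checked a few times before being declared clean.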

Last update 01 January 2020
