Virus: VBS/Sasan.A.2
Date discovered: 15/03/2007
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 6.38.00.62
IVDF version: 6.38.00.63 - Thursday, March 15, 2007

General

Aliases:
   •  Kaspersky: Worm.VBS.Sasan.a
   •  F-Secure: Worm.VBS.Sasan.a
   •  Sophos: VBS/Sasan-C
   •  Eset: VBS/Pica.NAA


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Registry modification

Files

It copies itself to the following locations:
   • %WINDIR%\.MS32DLL.dll.vbs
   • %WINDIR%\boot.ini
   • %drive%\.MS32DLL.dll.vbs



The following file is created:

– %drive%\autorun.inf
This is a non-malicious text file with the following content:
   • [autorun]
     shellexecute=wscript.exe .MS32DLL.dll.vbs

Registry

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "winboot"="wscript.exe /E:vbs %WINDIR%\boot.ini"
   • "MS32DLL"="%WINDIR%\.MS32DLL.dll.vbs"



The following registry key is added:

– [HKCU\Software\Microsoft\Windows Scripting Host\Settings]
   • "Timeout"="0"



The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   New value:
   • "Hidden"="1"
   • "HideFileExt"="1"
   • "ShowSuperHidden"=dword:00000000
   • "SuperHidden"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   New value:
   • "NoDriveTypeAutoRun"=dword:00000000
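
Added example (not part of the original Avira description): a triage check that generalizes the autorun.inf and Run entries listed above into three launch patterns and applies them to exported data. The function names, pattern labels and the benign "VendorTray" entry are assumptions made for this illustration.

```python
import re

SCRIPT_EXT = r"(?:vbs|vbe|js|jse|wsf)"
CHECKS = [  # (label, pattern) pairs generalized from the entries listed above
    ("script-host", re.compile(r"\b[wc]script(?:\.exe)?\b", re.I)),
    ("engine-override", re.compile(r"/e:\w+", re.I)),
    ("double-extension", re.compile(r"\.\w{2,4}\." + SCRIPT_EXT + r"\b", re.I)),
]

def parse_autorun(text):
    """Return key/value pairs (keys lower-cased) from the [autorun] section."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def flag_command(cmd):
    """List the labels of every pattern that the command line matches."""
    return [label for label, rx in CHECKS if rx.search(cmd)]

def triage(autorun_text, run_values):
    """Map each suspicious autorun.inf or Run entry to the reasons it was flagged."""
    autorun = parse_autorun(autorun_text)
    candidates = {"autorun.inf:" + k: autorun[k]
                  for k in ("open", "shellexecute") if k in autorun}
    candidates.update({"Run:" + n: c for n, c in run_values.items()})
    findings = {}
    for source, cmd in candidates.items():
        reasons = flag_command(cmd)
        if reasons:
            findings[source] = reasons
    return findings

# The autorun.inf content and the first two Run values are the ones listed above;
# "VendorTray" is a constructed benign entry for contrast.
SAMPLE_AUTORUN = "[autorun]\nshellexecute=wscript.exe .MS32DLL.dll.vbs\n"
SAMPLE_RUN = {
    "winboot": r"wscript.exe /E:vbs %WINDIR%\boot.ini",
    "MS32DLL": r"%WINDIR%\.MS32DLL.dll.vbs",
    "VendorTray": r"C:\Program Files\Vendor\tray.exe /min",
}

if __name__ == "__main__":
    for source, reasons in triage(SAMPLE_AUTORUN, SAMPLE_RUN).items():
        print(source, reasons)
```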

Description inserted by Andrei Ivanes on Friday, April 27, 2007
Description updated by Andrei Ivanes on Friday, April 27, 2007
