Date discovered:18/04/2008
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:No
File size:~18.000 Bytes
IVDF version:

 General Method of propagation:
   • Mapped network drives

   •  Mcafee: W32/Autorun.worm.cg
   •  Kaspersky: Worm.VBS.Autorun.r
   •  TrendMicro: VBS_AGENT.AMAF
   •  F-Secure: Worm.VBS.Autorun.r
   •  Sophos: VBS/Autorun-EC
   •  Bitdefender: Worm.VBS.Autorun.D

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Access to floppy disk
   • Drops files
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\.vbe
   • %SYSDIR%\wbem\.vbe
   • %drive%:\.vbe

The following files are created:

%drive%:\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\software\microsoft\windows\currentversion\policies\explorer\
   • %computer name% = .vbe

The following registry key is added:

– [HKLM\software\%computer name%]
   • %system-dependent%

The following registry key is changed:

Various Explorer settings:
– [HKCU\software\microsoft\windows\currentversion\explorer\advanced]
   New value:
   • showsuperhidden = 0

説明の挿入者 Andrei Gherman の 2008年6月17日火曜日
説明の更新者 Andrei Gherman の 2008年6月17日火曜日

戻る . . . .