Date discovered: 08/05/2009
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: No
File size: 159.364 Bytes
MD5 checksum: cdfe8adc8ae35bf9af057b22047541bf
VDF version:
IVDF version: - Friday, May 8, 2009

General
Method of propagation:
   • No own spreading routine

Aliases:
   •  Mcafee: VBS/Autorun.worm.k
   •  Kaspersky: Worm.VBS.Autorun.ek
   •  Eset: VBS/AutoRun.BX

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Drops a malicious file
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\winjpg.jpg
   • %all drives%\winfile.jpg

The following files are created:

%all drives%\autorun.inf This is a plain text file that is not itself detected, but its content makes Windows AutoRun start the dropped script through the Windows Script Host (the /e:vbs switch forces the VBScript engine, so the .jpg extension is only a disguise):
   • [autorun]
     shellexecute=Wscript.exe /e:vbs winfile.jpg

%SYSDIR%\winxp.exe This file is executed as soon as it has been fully written. Detected as: TR/Dropper.Gen
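The autorun.inf above is the only thing that gets the worm running from a drive, so a triage step a responder would want is a parser that flags launch directives of this shape. The following Python is an added example written for this page, not code from the original description or from Avira; the sample autorun.inf files are constructed here (the first reproduces the content listed above), and the list of "script hosts" and the extension sets are the example author's choices, not something the page states.

```python
import configparser
import ntpath

# Constructed samples (not files from the original page or from any real drive).
# The first reproduces the autorun.inf content listed in this description.
WORM_AUTORUN_INF = """[autorun]
shellexecute=Wscript.exe /e:vbs winfile.jpg
"""

# A typical vendor-style autorun.inf, for comparison.
BENIGN_AUTORUN_INF = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

# Interpreters a removable drive should never launch through AutoRun.
# This list is the example author's choice (assumption), not from the page.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe",
                "powershell.exe", "rundll32.exe", "regsvr32.exe"}
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1"}


def parse_autorun(text):
    """Return the (key, value) pairs of the [autorun] section, keys lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str.lower          # autorun.inf keys are case-insensitive
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return list(cp[section].items())
    return []


def is_launch_key(key):
    """AutoRun executes 'open', 'shellexecute' and any shell\\<verb>\\command."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def analyze_autorun(text):
    """Return (key, finding) tuples for launch directives that look like a
    script disguised as a data file, which is exactly what this worm does."""
    findings = []
    for key, value in parse_autorun(text):
        if not is_launch_key(key):
            continue
        tokens = value.split()
        if not tokens:
            continue
        program = ntpath.basename(tokens[0].strip('"')).lower()
        ext = ntpath.splitext(program)[1]
        if program in SCRIPT_HOSTS:
            findings.append((key, f"launches script host {program} from AutoRun"))
            for arg in tokens[1:]:
                arg_ext = ntpath.splitext(arg.strip('"'))[1].lower()
                if arg_ext and arg_ext not in SCRIPT_EXTS | EXEC_EXTS:
                    findings.append((key, f"passes non-script file {arg} to {program}"))
            if any(t.lower().startswith("/e:") for t in tokens[1:]):
                findings.append((key, "forces a script engine with /e:, so the "
                                      "file extension is meaningless"))
        elif ext not in EXEC_EXTS:
            findings.append((key, f"launch target {tokens[0]} has non-executable "
                                  f"extension {ext or '(none)'}"))
    return findings


if __name__ == "__main__":
    for label, inf in (("worm", WORM_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(label, analyze_autorun(inf) or "no findings")
```

Run against the worm's autorun.inf this reports three findings on the shellexecute line (script host, a .jpg handed to it, and the /e: engine override); the vendor-style file produces none. The parser also covers shell\<verb>\command keys, which other autorun worms use instead of shellexecute.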

Registry
The following registry values are added in order to run the process after reboot:

   • regdiit="%SYSDIR%\winxp.exe"
   • CTFMON="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"

The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • winboot=-
   • MS32DLL=-

The following registry keys are added:

   • (Default)="%PROGRAM FILES%\Windows Media Player\wmplayer.exe,-120"

   • LimitSystemRestoreCheckpointing=dword:00000001

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   • DisableSR=dword:00000001

[HKLM\SOFTWARE\Microsoft\Security Center]
   • AntiVirusOverride=dword:00000001

[HKCR\exefile\shell\Scan for virus,s\command]
   • (Default)="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"

[HKCR\exefile\shell\Open application\command]
   • (Default)="%SYSDIR%\winxp.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\taskmgr.exe]
   • Debugger="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe]
   • Debugger="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\MSConfig.exe]
   • Debugger="%SYSDIR%\wscript.exe /E:vbs %SYSDIR%\winjpg.jpg"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\procexp.exe]
   • Debugger="\winxp.exe"

[HKCU\Software\Microsoft\Windows Scripting Host\Settings]
   • DisplayLogo=dword:00000000
   • Timeout=dword:00000000

[HKLM\Software\Microsoft\Windows Script Host\Settings]
   • Enabled=dword:00000001

[HKCU\Software\Microsoft\Windows Script Host\Settings]
   • DisplayLogo=dword:00000000
   • Timeout=dword:00000000

The following registry keys are changed:

Various Explorer settings:
   New value:
   • CheckedValue=dword:00000000

Various Explorer settings:
   New value:
   • SuperHidden=dword:00000001
   • ShowSuperHidden=dword:00000000
   • HideFileExt=dword:00000001
   • Hidden=dword:00000000

Various Explorer settings:
   New value:
   • NoDriveTypeAutoRun=dword:00000000

   New value:
   • Start=dword:00000004

   New value:
   • Start=dword:00000004

   New value:
   • FriendlyTypeName="MP3 Audio"

   New value:
   • FriendlyTypeName="Good Songs"

File details
Programming language:
The malware is written in Visual Basic Script (VBScript) and is run through the Windows Script Host (Wscript.exe /E:vbs), as the autorun.inf content and the registry entries above show.

Description inserted by Ana Maria Niculescu on Tuesday, May 12, 2009
Description updated by Ana Maria Niculescu on Friday, July 17, 2009
