Worm:VBS/Autorun.BG


Worm:VBS/Autorun.BG is a worm that spreads via fixed, removable and network drives, and RAM disks. It changes the user’s Internet Explorer start page, and attempts to enable Autorun functionality on all drives of the computer. In certain situations it may also attempt to shut down the computer.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL computers connected to the network that can access or host shares.
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally, it may be necessary to temporarily change the permissions on network shares to read-only until the disinfection process is complete.
Additional remediation instructions for Worm:VBS/Autorun.BG
This threat may make lasting changes to a computer’s configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s: 

Threat behavior

Worm:VBS/Autorun.BG is a worm that spreads via fixed, removable and network drives, and RAM disks. It changes the user’s Internet Explorer start page, and attempts to enable Autorun functionality on all drives of the computer. In certain situations it may also attempt to shut down the computer.
Installation
When run, Worm:VBS/Autorun.BG creates the following files, some with the attributes "hidden", "system", and "read-only", in the root folder of all fixed drives:
 
  • ntv.vbs - copy of itself
  • autorun.inf - INF file designed to automatically run the worm copy when the drive is accessed and Autorun is enabled; detected as Worm:Win32/Autorun.BG!inf
  • Nude Teen Videos.lnk - only set as "read-only"; when opened by the user, it runs the worm copy
 
The LNK file may look like the following:
 
 
When the worm copy is run, it opens a Windows Explorer window for the drive that it is run from. For example, if the worm copy is run from C:\, the Windows Explorer window opens to C:\.
 
It writes other copies to the following locations:
 
  • <system folder>\dns_cache.vbs
  • <templates>\prn_share.vbs
 
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP, Vista, and 7. <templates> refers to any folder named "Templates", for example %USERPROFILE%\Templates.
 
Worm:VBS/Autorun.BG creates the following registry entries to ensure that it is launched every time the computer starts:
 
Adds value: "DnsCache"
With data: "wscript.exe "<system folder>\dns_cache.vbs""
In key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "PrnShare"
With data: "wscript.exe "<templates>\prn_share.vbs""
In key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
It also adds the following shortcut file:
 
  • <start menu>\DNS Cache.lnk - when opened, this shortcut file executes "dns_cache.vbs"
 
Note: <start menu> refers to a variable location that the malware determines by querying the operating system. The default location of the 'Start Menu' folder for Windows 9x, Me, NT, 2000, XP and 2003 is '%USERPROFILE%\Start Menu'. For Windows Vista and 7, the default location is '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu'.
 
This LNK file may look like the following:
 
 
Worm:VBS/Autorun.BG also writes the following file:
 
  • <templates>\adblock.cfg
 
It checks for the existence of this file to prevent more than one copy from running at a time.
Spreads via...
Fixed, network, and removable drives
When run, Worm:VBS/Autorun.BG creates the following files, some with the attributes "hidden", "system", and "read-only", in the root folder of all network and removable drives, and RAM disks:
 
  • ntv.vbs - copy of itself
  • autorun.inf - INF file designed to automatically run the worm copy when the drive is accessed and Autorun is enabled; detected as Worm:Win32/Autorun.BG!inf
  • Nude Teen Videos.lnk - only set as "read-only"; when opened by the user, it runs the worm copy
 
When the worm copy is run, it opens a Windows Explorer window for the drive that it is run from. For example, if the worm copy is run from Z:\, the Windows Explorer window opens to Z:\.
Payload
Monitors its presence in the computer
Worm:VBS/Autorun.BG monitors whether either its original copy or the copy at "<system folder>\dns_cache.vbs" has been deleted. If one of these files has been deleted, it replaces it by making a copy of the remaining file. If both have been deleted, it attempts to shut down the system.
 
Modifies browser start page
Worm:VBS/Autorun.BG changes the user's Internet Explorer start page to "www.google.com" by making the following registry modification:
 
Adds value: "Start Page"
With data: "http://www.google.com/"
In key: HKCU\Software\Microsoft\Internet Explorer\Main
 
Changes Autorun settings
Worm:VBS/Autorun.BG attempts to enable the Autorun functionality on all types of drives by making the following registry modification:
 
Adds value: "NoDriveTypeAutoRun"
With data: "0"
In key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
 
Analysis by David Wood

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • <system folder>\dns_cache.vbs
    • <templates>\prn_share.vbs
    • <start menu>\DNS Cache.lnk
    • In all drives:
      • ntv.vbs
      • Nude Teen Videos.lnk
  • The presence of the following registry modifications:
    • Added value: "DnsCache"
      With data: "wscript.exe "<system folder>\dns_cache.vbs""
      In key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Added value: "PrnShare"
      With data: "wscript.exe "<templates>\prn_share.vbs""
      In key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • The presence of the following shortcut files:
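As an added example (not part of the original entry), a read-only PowerShell triage script that checks a host for the files, drive-root droppers and registry values listed in this entry. The function name, the output shape, and the use of [Environment]::GetFolderPath to resolve the <templates> and <start menu> locations are my assumptions.

```powershell
# Added example: inventory the Worm:VBS/Autorun.BG indicators on this host.
# Read-only; it reports and does not delete anything.
function Get-AutorunBGIndicators {
    $hits = @()

    # 1. Dropped copies, the mutex-like marker file and the Start Menu shortcut.
    #    Folder resolution via GetFolderPath is an assumption; the worm itself
    #    queries the OS for these locations.
    $templates = [Environment]::GetFolderPath('Templates')
    $fixedPaths = @(
        (Join-Path $env:SystemRoot 'System32\dns_cache.vbs'),
        (Join-Path $templates 'prn_share.vbs'),
        (Join-Path $templates 'adblock.cfg'),
        (Join-Path ([Environment]::GetFolderPath('StartMenu')) 'DNS Cache.lnk')
    )
    foreach ($p in $fixedPaths) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Type = 'File'; Value = $p }
        }
    }

    # 2. Root of every drive letter: worm copy, autorun.inf and the lure .lnk.
    #    -Force is used because the worm sets the hidden/system attributes.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'ntv.vbs', 'autorun.inf', 'Nude Teen Videos.lnk') {
            $p = Join-Path $drive.Root $name
            if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
                $hits += [pscustomobject]@{ Type = 'DriveRootFile'; Value = $p }
            }
        }
    }

    # 3. Persistence values and the Autorun policy change from the payload.
    #    The Start Page change is not checked: google.com is not a useful indicator.
    $regChecks = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'DnsCache'; Match = 'dns_cache\.vbs' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'PrnShare'; Match = 'prn_share\.vbs' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Match = '^0$' }
    )
    foreach ($c in $regChecks) {
        $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) {
            $val = $item.($c.Name)
            if ("$val" -match $c.Match) {
                $hits += [pscustomobject]@{ Type = 'Registry'; Value = "$($c.Key)\$($c.Name) = $val" }
            }
        }
    }
    return $hits
}

Get-AutorunBGIndicators | Format-Table -AutoSize
```

Because the worm re-creates a deleted copy from the surviving one and shuts the system down when both are gone, run an inventory like this before cleanup and leave removal to the antivirus product, as the entry advises.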
 

Prevention


Alert level: Severe
First detected by definition: 1.87.1709.0
Latest detected by definition: 1.93.731.0 and higher
First detected on: Aug 11, 2010
This entry was first published on: Aug 11, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • VBS/AutoRun.AM (Command)
  • Worm.VBS.Autorun.hu (Kaspersky)
  • W32/Autorun-AWI (Sophos)
  • VBS.Runauto (Symantec)