Worm:VBS/VBSWGbased.gen


Worm:VBS/VBSWGbased.gen is a detection for generic script code that is known to be automatically generated by a malware tool.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

A virus with this detection copies itself to various locations in the system, such as the Windows Startup folder, the Windows folder, and so on. It also creates autostart entries in the system registry so that the copies run automatically every time Windows starts.
 
It can spread via email. It sends an email containing a virus copy to all contacts in a user's Microsoft Outlook account using a predefined format for the subject, body, and attachment. For example, a particular variant is known to send out a copy of itself as an attachment with the file name AnnaKournikova.jpg.vbs, enticing a recipient to open the email using social engineering techniques.
 
It can also spread by infecting VBS files found in the system.
 
More recent variants may also have the ability to copy themselves to other drives in the system, such as USB drives, along with the file autorun.inf, which may allow the virus copy to run automatically when the drive is accessed.
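The two propagation traces described above (a script hidden behind a decoy extension, and an autorun.inf that launches a script from a drive root) can be checked with a small triage routine. This is an added example, not code from the original entry or from Microsoft; the extension lists, function names and sample data are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extension lists are assumptions chosen for this example, not taken from the entry.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".doc", ".pdf", ".mp3"}

# autorun.inf keys whose value is a command run when the drive is opened.
RUN_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# A script extension at the end of a token (end of value, whitespace or quote).
SCRIPT_REF = re.compile(
    "(" + "|".join(re.escape(e) for e in sorted(SCRIPT_EXTS)) + r')(?=$|[\s"])', re.I)

def has_decoy_double_extension(filename):
    """True for names like AnnaKournikova.jpg.vbs: decoy extension, then script extension."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in SCRIPT_EXTS and suffixes[-2] in DECOY_EXTS

def autorun_script_commands(autorun_text):
    """Return (key, command) pairs from autorun.inf text whose command names a script file."""
    hits = []
    for line in autorun_text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and RUN_KEY.match(key) and SCRIPT_REF.search(value):
            hits.append((key, value.strip()))
    return hits

def triage_drive_root(filenames, autorun_text=None):
    """Combine both checks for one drive root; returns a list of (finding, detail)."""
    findings = [("double-extension", f) for f in filenames if has_decoy_double_extension(f)]
    if autorun_text:
        findings += [("autorun-script", f"{k}={v}")
                     for k, v in autorun_script_commands(autorun_text)]
    return findings

# Constructed sample data: the first file name is the one quoted in the entry,
# everything else is made up for the example.
SAMPLE_FILES = ["AnnaKournikova.jpg.vbs", "holiday.jpg", "notes.v2.txt", "autorun.inf"]
SAMPLE_AUTORUN = "\n".join([
    "[autorun]",
    "open=wscript.exe copy.vbs",
    "icon=folder.ico",
    "shell\\open\\command=setup.exe",
])

if __name__ == "__main__":
    for finding, detail in triage_drive_root(SAMPLE_FILES, SAMPLE_AUTORUN):
        print(f"{finding}: {detail}")
```

A hit from either check is a reason to submit the file for scanning, not a verdict on its own, since legitimate media occasionally ships scripts launched from autorun.inf.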
 
As a payload, it alters script files for the mIRC or PIRCH programs so that a copy is automatically sent to other users when the chat program is run. Depending on the variant, it may also execute a specific payload, such as displaying a message on a certain date, or altering the Internet Explorer home page.
 
Later variants of this virus are encrypted in an attempt to bypass detection by antivirus products.
 
Analysis by Patrik Vicol

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.71.936.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Aug 10, 2008
This entry was updated on: May 26, 2010

This threat is also detected as:
  • VBS/Oxiaply.A (CA)
  • VBS/Autorun-FM (Sophos)
  • Win32.Worm.VBS.C (BitDefender)
  • Worm.VBS.Autorun.o (Kaspersky)
  • VBS/Autorun.worm.k (McAfee)
  • VBS/Autorun.worm.au (McAfee)
  • VBS.Runauto (Symantec)