Virus:VBS/Invadesys.B is a VBScript virus which infects HTML and VBScript files, and spreads using Autorun.
The virus infects by prepending a copy of itself to a host file.
Installation
Virus:VBS/Invadesys.B is a script file, and as such, it requires the script interpreter "wscript.exe" in order to execute.
When executed, the virus copies itself to the following locations:
- <system folder>\{hcq9d-tvcwx-x9qrg-j4b2y-gr2tt-cm3hy-26vyw-6jryc-x66gx-jvy2d}.vbs
- %windir%\{hcq9d-tvcwx-x9qrg-j4b2y-gr2tt-cm3hy-26vyw-6jryc-x66gx-jvy2d}.vbs
Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKCU\SoftWare\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "Load"
With data: "<system folder>\{hcq9d-tvcwx-x9qrg-j4b2y-gr2tt-cm3hy-26vyw-6jryc-x66gx-jvy2d}.vbs"
In subkey: HKLM\SOFTWARE\Classes\txtfile\shell\open\command
Sets value: "(default)"
With data: %SystemRoot%\system32\wscript.exe %windir%\{hcq9d-tvcwx-x9qrg-j4b2y-gr2tt-cm3hy-26vyw-6jryc-x66gx-jvy2d}.vbs%1 %*
The virus may also modify the following registry entry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NoDriveTypeAutoRun"
With data: "129"
It stops the display of files that have 'system' and 'hidden' attributes by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
Virus:VBS/Invadesys.B hides the 'Show hidden files and folders' option in the 'Folders Options' menu in Windows Explorer by making the following registry modification:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Sets value: "CheckedValue"
With data: "0"
Spreads via...
File infection
The virus searches the computer for fixed and removable drives; if found, each drive is searched for the first 300 files with the following extensions:
- .hta
- .htm
- .html
- .asp
- .vbs
If found, the virus checks for an infection marker to ensure it does not infect a file multiple times. It then prepends a copy of itself to the file. If the file is HTML, the malware inserts itself into HTML Script tags. However, it does not infect files with a size greater than 150,000 bytes.
Fixed and removable drives
Virus:VBS/Invadesys.B searches the computer for fixed and removable drives and, if found, makes a copy of itself at:
<Drive>:\{HCQ9D-TVCWX-X9QRG-J4B2Y-GR2TT-CM3HY-26VYW-6JRYC-X66GX-JVY2D}.vbs
It then writes an autorun configuration file named 'autorun.inf' pointing to the file listed above. When the removable or networked drive is accessed from another computer supporting the Autorun feature, the virus is launched automatically. The autorun.inf file created by the virus is detected as Virus:VBS/Invadesys!inf.
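The registry values listed under Installation and the drive-root copy described above give a defender concrete artifacts to check. The following PowerShell audit script is an added example, not part of the original analysis: it reads each registry value named in this description, tests it for the value the malware is reported to set, checks the system folder, Windows folder and every drive root for the dropped .vbs and an autorun.inf, and reports findings without modifying anything. It assumes the file name given in this description and an elevated prompt (the HKLM keys and all drive roots must be readable).

```powershell
# Added example, not from the original analysis: audit the registry values
# and file locations attributed to Virus:VBS/Invadesys.B. Report only.
$DropName = '{hcq9d-tvcwx-x9qrg-j4b2y-gr2tt-cm3hy-26vyw-6jryc-x66gx-jvy2d}.vbs'

function Get-RegistryValueSafe($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-InvadesysFindings {
    $findings = @()
    # Each check: the value named in the analysis and a test for the data it sets.
    $checks = @(
        @{ Path='HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name='Load';
           Test={ param($v) $v -like "*$DropName*" }; Why='autostart via Load value' },
        @{ Path='HKLM:\SOFTWARE\Classes\txtfile\shell\open\command'; Name='(default)';
           Test={ param($v) $v -like '*wscript.exe*' }; Why='.txt handler points at wscript.exe' },
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun';
           Test={ param($v) $v -eq 129 }; Why='NoDriveTypeAutoRun set to 129' },
        # ShowSuperHidden is 0 on a default install too, so this is corroborating only.
        @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name='ShowSuperHidden';
           Test={ param($v) $v -eq 0 }; Why='super-hidden files concealed (weak signal)' },
        @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name='CheckedValue';
           Test={ param($v) $v -eq 0 }; Why="'Show hidden files and folders' option disabled" }
    )
    foreach ($c in $checks) {
        $v = Get-RegistryValueSafe $c.Path $c.Name
        if ($null -ne $v -and (& $c.Test $v)) {
            $findings += [pscustomobject]@{ Type='Registry'; Location="$($c.Path)\$($c.Name)"; Value=$v; Why=$c.Why }
        }
    }
    # Dropped copies: system folder, Windows folder, and the root of each drive
    # together with the autorun.inf the analysis says is written beside it.
    $paths = @("$env:SystemRoot\System32\$DropName", "$env:windir\$DropName")
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $paths += "$($d.Root)$DropName"
        $paths += "$($d.Root)autorun.inf"
    }
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type='File'; Location=$p; Value=$null; Why='dropped file present' }
        }
    }
    return $findings
}

Get-InvadesysFindings | Format-Table -AutoSize
```

A hit on the Load value or the txtfile handler is the strong indicator; restore those values and remove the dropped files only after confirming the .vbs content, since the registry paths are shared with legitimate settings.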
Payload
Deletes files
Virus:VBS/Invadesys.B searches the system for fixed and removable drives and, if found, the malware searches for files with the following extensions:
If found, the malware checks if the file name contains certain characters, and deletes the file if they match.
Terminates processes
The virus checks if the following processes are currently executing, and if found, terminates them:
- ras.exe
- 360tray.exe
- taskmgr.exe
- regedit.exe
- msconfig.exe
- SREng.exe
- USBAntiVir.exe
Additional information
The malware may also create a file <system folder>\OK.INI, which contains details about the date and time it was executed.
Analysis by Ray Roberts