Worm:VBS/Autorun.AX is a VBScript worm that attempts to copy itself to all drives except A:. It creates an administrator user account and modifies the way the computer displays hidden and system files.
Installation
Worm:VBS/Autorun.AX may arrive in the system as the following VBScript files with file attributes of "system", "hidden" and "read-only":
%windir%\UserConfig.vbs - Worm:VBS/Autorun.AX
<system folder>\UserConfig.vbs - Worm:VBS/Autorun.AX
%windir%\System\userinfo.dat - backup of the file "UserConfig.vbs"
%temp%\UserConfig.vbs - Worm:VBS/Autorun.AX
During infection by the worm, these additional files are created:
<system folder>\UserConfig.reg - registry import configuration file; detected as Worm:VBS/Autorun.AX!reg
<system folder>\UserConfig.bat - batch script
The batch script contains instructions that modify the registry using the registry import configuration file as in the following example:
regedit /s %system%\UserConfig.reg
The registry is modified to run the worm copy at each Windows start.
Adds value: "RunUserConfig"
With data: "%systemdir%\UserConfig.vbs"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
In addition, the batch script modifies the file attributes of all worm-related files to "hidden", "system", "read-only" as in the following example:
attrib <file name> +s +h +r
Spreads via…
All drives
The worm attempts to copy itself to drives B: to Z: as "UserConfig.vbs". If there is no floppy disk in drive B:, an error message may be displayed indicating that there is no disk in the drive. Worm:VBS/Autorun.AX then writes an autorun configuration file named "autorun.inf", detected as Worm:VBS/Autorun.AX!inf, that points to the file "UserConfig.vbs". When the removable or network drive is opened from another computer on which the AutoRun feature is enabled, the worm is launched automatically.
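The autorun.inf the worm drops is the artifact an analyst usually has in hand before the script itself. The following is an added example (not code from this write-up or from the worm) that parses an autorun.inf and reports every program or script it would launch, then checks whether any of them is the file name this worm uses. The sample autorun.inf is constructed to mirror the description above; the real sample's exact keys are not given on the page, so the three launch keys used here are an assumption.

```python
"""Inspect an autorun.inf for the launch vector described above.

Added example (not code from the Microsoft write-up or from the worm). The
autorun.inf below is constructed to mirror the description: an [autorun]
section pointing at UserConfig.vbs. The exact keys the real sample writes are
not given on the page, so the three launch keys used here are an assumption.
"""
import re
from os.path import basename

# [autorun] keys whose value is executed when the drive is opened or
# double-clicked. shell\<verb>\command entries also run a program.
LAUNCH_KEYS = {"open", "shellexecute"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd",
               ".exe", ".scr", ".pif", ".com")


def parse_autorun(text: str) -> dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _tokens(command: str) -> list[str]:
    """Split a command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def find_launchers(text: str) -> list[tuple[str, str]]:
    """Return (key, file) pairs for every program or script autorun.inf would run.

    A script passed as an argument (open=wscript.exe UserConfig.vbs) is reported
    as the script itself, since that is the payload that actually executes.
    """
    found = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        files = [t for t in _tokens(value) if t.lower().endswith(SCRIPT_EXTS)]
        if files:
            found.append((key, files[-1]))  # last executable token is the payload
    return found


def references_userconfig(text: str) -> bool:
    """True if any launcher is the file name this worm drops (UserConfig.vbs)."""
    return any(basename(f.replace("\\", "/")).lower() == "userconfig.vbs"
               for _, f in find_launchers(text))


# Constructed sample mirroring the description; not captured from a real drive.
WORM_AUTORUN = r"""[autorun]
open=wscript.exe UserConfig.vbs
shellexecute=UserConfig.vbs
shell\open\command=wscript.exe "UserConfig.vbs"
shell\open=&Open
icon=%SystemRoot%\system32\shell32.dll,4
"""

# A benign CD-style autorun.inf for comparison (also constructed).
BENIGN_AUTORUN = """[autorun]
icon=setup.exe,0
label=Product Install
"""

if __name__ == "__main__":
    for key, target in find_launchers(WORM_AUTORUN):
        print(f"{key} -> {target}")
    print("Autorun.AX indicator:", references_userconfig(WORM_AUTORUN))
```

Because the worm sets the system and hidden attributes on both files, list the drive root with "attrib" or "dir /a" rather than Explorer when collecting the autorun.inf; an Explorer view that has been tampered with as described under Payload will not show either file.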
Payload
Creates user account
The worm runs the script "<system folder>\UserConfig.cmd", which contains the following commands to add an administrator user account named "SYSTEMROOT" (with the password "systemroot") to the infected computer:
net user SYSTEMROOT systemroot /add
net localgroup administradores SYSTEMROOT /add
The group name "administradores" is the localized name of the Administrators group on Spanish-language Windows. On other locales the account is still created, but the "net localgroup" command fails because no group of that name exists, so the account is left as a standard user.
Modifies Windows settings
The worm modifies the registry so that Explorer hides files carrying the "hidden" and "system" attributes (protected operating system files), which keeps the worm's own files, all of which were given those attributes by the batch script, out of sight.
Modifies value: "ShowSuperHidden"
With data: "dword:00000000"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Modifies value: "SuperHidden"
With data: "dword:00000001"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
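Both the Run entry applied with "regedit /s" under Installation and the Explorer settings listed here arrive through a .reg import file, so a parser for that format covers both. The following is an added example (not code from this write-up or from the worm) that decodes a .reg file into (key, value name, data) triples and flags an autostart entry that launches a script and an Explorer setting that hides protected system files. The UserConfig.reg text is constructed from the registry changes listed on the page; the real file's layout is not shown, so its formatting is an assumption. The check for "Hidden"=2 goes beyond the page: it is the neighbouring Explorer setting that hides ordinary hidden files, which other Autorun-family worms commonly change.

```python
"""Parse a .reg import file and flag the changes this worm makes.

Added example (not code from the Microsoft write-up or from the worm). The
UserConfig.reg text below is constructed from the registry changes listed on
the page; the real file's layout is not shown there, so its formatting is an
assumption. Only string and dword data are decoded; other types stay raw.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> list[tuple[str, str, object]]:
    """Return (key, value_name, data) triples; dword data becomes an int."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):      # [-HKEY...] deletes a key; nothing to record
                key = None
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if key is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        entries.append((key, name, data))
    return entries


RUN_KEY = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?$", re.I)
ADVANCED_KEY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Explorer\\Advanced$", re.I)
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd")


def assess(entries: list[tuple[str, str, object]]) -> list[str]:
    """Describe each entry matching the worm's persistence or file-hiding changes."""
    findings = []
    for key, name, data in entries:
        if (RUN_KEY.match(key) and isinstance(data, str)
                and data.lower().rstrip('"').endswith(SCRIPT_EXTS)):
            findings.append(f"autostart of script via {key}\\{name} = {data}")
        elif ADVANCED_KEY.match(key):
            if name.lower() == "showsuperhidden" and data == 0:
                findings.append(
                    "ShowSuperHidden=0: protected operating system files hidden in Explorer")
            elif name.lower() == "hidden" and data == 2:   # beyond the page, see lead-in
                findings.append("Hidden=2: hidden files not shown in Explorer")
    return findings


# Constructed UserConfig.reg built from the values listed on the page.
WORM_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RunUserConfig"="%systemdir%\\UserConfig.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
"SuperHidden"=dword:00000001
'''

if __name__ == "__main__":
    for finding in assess(parse_reg(WORM_REG)):
        print(finding)
```

The same checks apply to a live system: export the two keys with "reg export" and feed the result to parse_reg, since "regedit /s" applies the file silently and leaves no dialog or log of its own.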
Analysis by Wei Li