Worm:VBS/Autorun.BE is a VBScript worm that spreads to all writable drives, lowers Windows security and downloads an arbitrary file from a predefined URL, for example "menad26.ifrance.com".
Installation
When Worm:VBS/Autorun.BE runs, it copies itself as the following:
- <system folder>\imwin.jpg
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
In addition, Worm:VBS/Autorun.BE modifies the system registry so that it is launched in place of certain security and diagnostic tools whenever they are started, such as "Process Explorer", "System Restore", "Task Manager" and so on. It does this by registering itself as the "Debugger" for those executables under Image File Execution Options:
Adds value: "Debugger"
With data: "<system folder>\wscript.exe /e:vbs <system folder>\imwin.jpg"
To the following created subkeys:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
Spreads via…
Removable and shared drives
The worm copies itself to each writable drive as "image.jpg". The worm then writes an autorun configuration file named "autorun.inf" pointing to "image.jpg". When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
Payload
Lowers Windows security
Worm:VBS/Autorun.BE makes a series of modifications to the Windows system registry that lower Windows security or change Windows behaviors.
- Changes the default icon for VBScript files to match Windows Media Player file types
Sets value: "(default)"
With data: "%ProgramFiles%\windowsupdate\wmplayer.exe,-120"
In subkey: HKLM\SOFTWARE\Classes\Vbsfile\DefaultIcon
- Turns off setting System Restore check points when running a Windows installer application
Sets value: "LimitSystemRestoreCheckpointing"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
- Turns off System Restore
Sets value: "DisableSR"
With data: "1"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
- Changes the "friendly name" association of VBScript file types to a user-trusted file type
Sets value: "FriendlyTypeName"
With data: "mp3 audio"
In subkey: HKLM\SOFTWARE\Classes\VBSFile
- Changes the "friendly name" association for MP3 audio files
Sets value: "FriendlyTypeName"
With data: "good songs"
In subkey: HKLM\SOFTWARE\Classes\mp3file
- Stops the Windows Update and Windows Security Center services
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Sets value: "Start"
With data: "4"
In subkey: HKLM\SYSTEM\ControlSet001\Services\wscsvc
- Disables notifications from the Windows Security Center if antivirus software is not installed
Sets value: "AntiVirusOverride"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
- Optimizes the execution of Windows Scripting Host files
Sets value: "DisplayLogo"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows Script Host\Settings
Sets value: "DisplayLogo"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows Scripting Host\Settings
- Enables the execution of Windows Script Host files
Sets value: "Enabled"
With data: "1"
In subkey: HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
- Disables showing hidden files, even if this setting was previously enabled
Sets value: "CheckedValue"
With data: "0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Disables viewing of files with file attributes "hidden" and "system"
Sets value: "SuperHidden"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Enables Autorun (autoplay) mode to run "autorun.inf" scripts when connecting to drives or media
Sets value: "NoDriveTypeAutoRun"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Downloads an arbitrary file
Worm:VBS/Autorun.BE attempts to contact a predefined URL to download and execute an arbitrary file. This worm has been observed to retrieve a file "boum.jpg" from the domain "menad26.ifrance.com". The retrieved file is saved to the local drive as the following:
- <system folder>\winxp.exe
The registry is modified to run the dropped executable at Windows start and whenever .EXE files are opened, and to run the worm script itself when a user right-clicks a file or folder and selects "Scan for viruses".
Sets value: "regdiit"
With data: "<system folder>\winxp.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "(default)"
With data: "<system folder>\winxp.exe"
To subkey: HKLM\SOFTWARE\Classes\exefile\shell\Open application\command
Sets value: "(default)"
With data: "<system folder>\wscript.exe /e:vbs <system folder>\imwin.jpg"
To subkey: HKLM\SOFTWARE\Classes\exefile\shell\Scan for viruses\command
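As an added defender-side example (not part of the original write-up), the following Python script parses a registry export in the format written by `reg export` and flags the registry indicators listed above: the IFEO "Debugger" hijack, the System Restore, Security Center and Autorun policy changes, the VBScript "friendly name" disguise and the "regdiit" Run value. The key paths and data values come from this description; the sample .reg text embedded in the script is constructed.

```python
IFEO = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"
# (key, value name, data) -> finding; compared case-insensitively. None means any data.
INDICATORS = {
    (r"hklm\software\policies\microsoft\windows nt\systemrestore", "disablesr", "1"): "System Restore disabled",
    (r"hklm\software\microsoft\security center", "antivirusoverride", "1"): "Security Center antivirus warnings suppressed",
    (r"hkcu\software\microsoft\windows\currentversion\policies\explorer", "nodrivetypeautorun", "0"): "Autorun enabled for all drive types",
    (r"hklm\software\classes\vbsfile", "friendlytypename", "mp3 audio"): "VBScript files disguised as 'mp3 audio'",
    (r"hklm\software\microsoft\windows\currentversion\run", "regdiit", None): "Run value 'regdiit' (downloaded payload autostart)",
}

def parse_reg_export(text):
    """Parse a minimal .reg file into (key, name, data) tuples; DWORDs become decimal strings."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
        elif key and "=" in line:
            name, data = line.split("=", 1)
            name = "(default)" if name == "@" else name.strip('"')
            data = str(int(data[6:], 16)) if data.startswith("dword:") else data.strip('"').replace("\\\\", "\\")
            entries.append((key, name, data))
    return entries

def find_indicators(entries):
    """Return a finding for every entry matching the worm's known registry changes."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), data.lower()
        # A Debugger value under IFEO that runs wscript.exe on a .jpg is the hijack described above
        if k.startswith(IFEO + "\\") and n == "debugger" and "wscript.exe" in d and ".jpg" in d:
            findings.append("IFEO hijack of " + key.rsplit("\\", 1)[-1] + ": " + data)
            continue
        for (ik, iname, idata), desc in INDICATORS.items():
            if k == ik and n == iname and (idata is None or d == idata):
                findings.append(desc)
    return findings

# Constructed sample export: two worm indicators plus one benign value that must not match
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Windows\\System32\\wscript.exe /e:vbs C:\\Windows\\System32\\imwin.jpg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

if __name__ == "__main__":
    print("\n".join(find_indicators(parse_reg_export(SAMPLE_REG))))
```

On a live system the input would come from `reg export` of the hives listed above; the NoDriveTypeAutoRun value of 0x91 in the sample is a common default and is deliberately not flagged.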
Analysis by Tim Liu