Worm:VBS/Autorun.J is a VBScript-based worm that spreads by copying itself to fixed and removable drives. It may download arbitrary files and VBScript commands from a remote server and execute them at scheduled times.
Installation
When executed, Worm:VBS/Autorun.J copies itself to <system folder>\.vbe and <system folder>\wbem\.vbe, and then launches <system folder>\.vbe.
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
It creates the following registry entry in an attempt to ensure that the worm runs on system startup:
Under key: HKLM\software\microsoft\windows\currentversion\policies\explorer\run
Adds value: "<computer name>"
With data: ".vbe"
If it is run from the root directory of a drive, it may launch an Explorer window for that drive.
Spreads Via…
Fixed and Removable Drives
The worm copies itself to the root directory of fixed and removable drives other than A: or B:. It may also drop an autorun.inf to the same location. This is an attempt to ensure that the worm is run whenever the removable drive is attached.
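The description does not give the contents of the autorun.inf the worm drops, so the following Python script is an added example rather than the worm's file or code from this write-up. It parses the [autorun] section of an autorun.inf taken from a drive and reports the launch entries (open, shellexecute and shell\<verb>\command) that point at the Windows Script Host or a script file, which is what a VBScript worm needs in order to run from a removable drive. The file name dropper.vbe, the sample autorun.inf texts and the benign installer example are all constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Script engines and script extensions that a legitimate autorun.inf has no
# reason to launch; a VBScript worm relies on one of these to start.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".wsh"}

# [autorun] keys whose value is executed: open, shellexecute and any
# shell\<verb>\command entry (the verb appears in the drive's context menu).
LAUNCH_KEYS = {"open", "shellexecute"}
VERB_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return the [autorun] section of an autorun.inf as {key: value}.

    Keys are lowercased, ';' comments and other sections are ignored,
    and a UTF-8 BOM at the start of the file is tolerated.
    """
    entries = {}
    in_autorun = False
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Return the command strings AutoRun/AutoPlay could execute."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or VERB_COMMAND.match(k)]


def _tokens(command):
    # Split a command line into tokens, honouring double-quoted paths.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def suspicious_commands(entries):
    """Return launch commands that invoke a script engine or a script file."""
    hits = []
    for command in launch_commands(entries):
        for token in _tokens(command):
            path = PureWindowsPath(token)
            if (path.name.lower() in SCRIPT_ENGINES
                    or path.suffix.lower() in SCRIPT_EXTENSIONS):
                hits.append(command)
                break
    return hits


# Constructed sample autorun.inf (not the worm's real file): every launch key
# points at a VBScript file or the Windows Script Host.
SAMPLE_AUTORUN = r"""
[autorun]
; constructed for this example
open=dropper.vbe
shellexecute=dropper.vbe
shell\open\command=wscript.exe //e:vbscript dropper.vbe
shell\open=&Open
icon=dropper.vbe,0
UseAutoPlay=1
"""

# Constructed autorun.inf of the kind a software installation CD might carry.
BENIGN_AUTORUN = r"""
[autorun]
open="Setup\Setup.exe" /autorun
icon=setup.ico
label=Product CD
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(label, suspicious_commands(parse_autorun(text)))
```

Run against a drive's autorun.inf, an empty result means no launch entry invokes a script; the benign installer sample yields nothing, while the constructed worm-style sample returns all three launch entries. The check is deliberately keyed on what is executed rather than on a file name, since the worm's file name is not something a defender should rely on.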
Payload
Downloads and Executes Arbitrary Files And Code
The worm may periodically connect to remote servers at oz.7766.org or 996628.cn from which it may download VBScript commands. These commands may either be run immediately or at specified dates and times.
These details may be stored in registry entries under the following key:
HKLM\software\<computer name>
Values used to store the details include the following:
idd
dna
tsw
tco
osw
ged
Commands may be scheduled using the task scheduler, or by copying them into a file at %Start Menu%\Programs\Startup\.vbs. This ensures the commands will be run on system startup.
The worm may also download and run executable files, which are saved to the %temp% directory.
Modifies System Settings
The worm attempts to ensure that hidden files are not displayed by Windows Explorer by making the following registry change:
To key: HKCU\software\microsoft\windows\currentversion\explorer\advanced
Sets value: showsuperhidden
With data: 0
This value is rewritten periodically.
If the year of the system date is 2007, and a process named avp.exe is running, the date is briefly set back by a year, before being restored to its previous value. This may be an attempt to disable the update functionality of some antivirus software.
Terminates Processes
The worm may attempt to terminate the following processes:
360tray.exe
kwatch.exe
Additional Information
The worm stores configuration and status information in the following registry locations:
Under key: HKLM\software\<computer name>
Adds value: til
With data: "SY"
Adds value: tjs
With data: <a numerical value>
Adds value: djs
With data: <one day before the current date>
Adds value: ded
With data: "0"
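The three registry indicators described above (the script launched from the policies Run key, ShowSuperHidden forced to 0, and a key under HKLM\software named after the computer that holds the listed configuration values) can be checked offline against a .reg export of a suspect machine. The following Python script is an added example, not part of this description and not the worm's code: it parses the .reg format produced by reg export and reports which of those indicators are present. The computer name LAB-PC, the file name dropper.vbe and the value data in the embedded sample export are constructed placeholders; only the key paths and value names come from the description.

```python
import re

# Value names the description lists under HKLM\software\<computer name>.
CONFIG_VALUE_NAMES = {"idd", "dna", "tsw", "tco", "osw", "ged",
                      "til", "tjs", "djs", "ded"}
RUN_POLICY_KEY = (r"hkey_local_machine\software\microsoft\windows"
                  r"\currentversion\policies\explorer\run")
ADVANCED_KEY = (r"hkey_current_user\software\microsoft\windows"
                r"\currentversion\explorer\advanced")
SCRIPT_EXTENSIONS = (".vbe", ".vbs")

# "name"=data lines of a .reg export; the name may contain escaped quotes.
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _decode(data):
    """Decode the REG_SZ and REG_DWORD encodings used by .reg exports."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data  # hex(...) binary data is left in its exported form


def parse_reg_export(text):
    """Return a .reg export as {key (lowercased): {value name (lowercased): data}}."""
    keys = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = VALUE_LINE.match(line)
        if current is not None and match:
            keys[current][match.group("name").lower()] = _decode(match.group("data"))
    return keys


def find_indicators(keys, computer_name):
    """Return human-readable findings for the three registry indicators."""
    findings = []
    name_lc = computer_name.lower()

    # 1. Persistence: a value in the policies Run key that launches a script
    #    file, or that is named after the computer as the description states.
    for name, data in keys.get(RUN_POLICY_KEY, {}).items():
        if name == name_lc or (isinstance(data, str)
                               and data.lower().endswith(SCRIPT_EXTENSIONS)):
            findings.append(f"policies\\explorer\\run value {name!r} = {data!r}")

    # 2. Explorer forced to hide protected operating system files.
    if keys.get(ADVANCED_KEY, {}).get("showsuperhidden") == 0:
        findings.append("explorer\\advanced ShowSuperHidden = 0")

    # 3. Configuration/status key named after the computer.
    config = keys.get("hkey_local_machine\\software\\" + name_lc, {})
    present = sorted(CONFIG_VALUE_NAMES & set(config))
    if present:
        findings.append(f"HKLM\\software\\{computer_name} holds values: "
                        + ", ".join(present))
    return findings


# Constructed .reg export from a hypothetical machine named LAB-PC; the
# script file name and the value data are placeholders, not data from the worm.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"LAB-PC"="dropper.vbe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\LAB-PC]
"til"="SY"
"tjs"="17"
"djs"="date-placeholder"
"ded"="0"
"""

# Constructed export from a machine showing none of the indicators.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001
"""

if __name__ == "__main__":
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT), "LAB-PC"):
        print(finding)
```

Export the relevant hives with reg export on the suspect machine (or load them from an offline image) and pass the computer name, since the worm's configuration key and Run value are both named after it. The ShowSuperHidden check is the weakest indicator on its own, as users and other software also set it; the script reports it alongside the other two so the analyst can weigh the combination.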
Analysis by David Wood