Published Nov 02, 2010 | Updated Sep 15, 2017

Worm:VBS/Invadesys.F

Detected by Microsoft Defender Antivirus

Aliases: VBS/AutoRun.AL (Command), VBS/AutoRun.DK (Avira), Trojan.Script.406293 (BitDefender), VBS.Autoruner.83 (Dr.Web), HTML.Rce (Ikarus), VBS/Solow.CN (Panda), VBS.Agent.q (Rising AV), VBS.Invadesys.A (Symantec)

Summary

Worm:VBS/Invadesys.F is a worm written in VBScript that spreads by infecting writable drives. The worm could execute automatically by exploiting a vulnerability discussed in and mitigated by Microsoft Security Bulletin MS10-046. The worm may lower the computer's security settings and disable processes. Twelve weeks after infecting the local computer, the worm ejects the optical drive and displays an image of a skull and crossbones.
To detect and remove this threat and other malicious software that may be installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.
Enabling registry editor
This threat may modify the computer to prevent Registry Editor from running. To enable Registry Editor in your computer, please do the following:
 
  1. Run a command prompt. Click Start>Run and type cmd.
  2. In the command prompt, type the following as is and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit at the command prompt.
Enabling the command prompt
This threat may disable the command prompt, which further prevents you from reversing its other computer changes. To enable the command prompt, follow these instructions:
  1. Using an administrator account, open the Group Policy Object Editor. To do this, go to Start and in the search box, type gpedit.msc.
  2. The Group Policy Object Editor should open. Go to Local Computer Policy>User Configuration>Administrative Templates>System and select Prevent access to the command prompt.
  3. Double-click on Prevent access to the command prompt and select Enable.
  4. Press OK and exit the Local Group Policy Editor.
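To confirm which accounts on a cleaned machine still carry the two restrictions covered in the Registry Editor and command prompt sections above, the following read-only PowerShell audit checks every user hive loaded under HKEY_USERS. It is an added example, not part of the original write-up; the DisableRegistryTools path is taken from the reg.exe command above, while the DisableCMD key path is assumed here to be the standard location written by the "Prevent access to the command prompt" policy.

```powershell
# Added example: read-only audit, makes no changes to the registry.
# DisableRegistryTools path comes from the page; the DisableCMD path is an
# assumption (standard location for "Prevent access to the command prompt").
$checks = @(
    @{ Name = 'DisableRegistryTools'; SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System' },
    @{ Name = 'DisableCMD';           SubKey = 'Software\Policies\Microsoft\Windows\System' }
)

$hku = [Microsoft.Win32.Registry]::Users

# Walk every loaded user hive; *_Classes hives hold no policy keys, so skip them.
$results = foreach ($sid in $hku.GetSubKeyNames()) {
    if ($sid -like '*_Classes') { continue }

    foreach ($c in $checks) {
        # Open read-only; a hive we are not allowed to read is skipped.
        try   { $key = $hku.OpenSubKey("$sid\$($c.SubKey)") }
        catch { continue }
        if ($null -eq $key) { continue }   # policy key absent: nothing is set

        try {
            $value = $key.GetValue($c.Name, $null)
            if ($null -ne $value) {
                [pscustomobject]@{
                    Sid        = $sid
                    Policy     = $c.Name
                    Value      = $value
                    Restricted = ([int]$value -ne 0)   # any non-zero value blocks the tool
                }
            }
        }
        finally { $key.Close() }
    }
}

if ($results) {
    $results | Format-Table -AutoSize
} else {
    'No DisableRegistryTools or DisableCMD values are set in any loaded user hive.'
}
```

Run it from an elevated PowerShell session so that hives belonging to other logged-on users can be read; profiles that are not currently loaded are not covered.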
Additional remediation instructions for Worm:VBS/Invadesys.F
This threat may make lasting changes to a computer’s configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s: 