Installation
Worm:VBS/Eneg.A can be installed to the following files on your PC:
Spreads via
Removable drives
This threat creates a copy of itself as a hidden file called Microsoft.exe on removable drives, such as USB flash drives.
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
Payload
Allows backdoor access and control
The worm adds the following administrator account, which gives backdoor access to your PC and is used to download other malware:
- User Name: NTUSER
- Password: ntpassword
It then enables a remote desktop service so that a remote attacker can connect to your PC.
Downloads files
This worm downloads the following malicious files to your PC:
- killerav.x10.mx/system.bat to %APPDATA%\Windows Update\system.bat, which stops your security software from running
- mylogs.x10.mx/system.exe to %APPDATA%\Windows Update\system.exe
- wbot.hebergratuit.com/update.jpg to %APPDATA%\Microsoft\SYSTEM\update.exe
- welc0me.x10.mx/explorer.exe to %APPDATA%\Microsoft\SYSTEM\explorer.exe
Deletes user information
Worm:VBS/Eneg.A deletes all user data, including profiles, cookies, and history from the following web browsers:
- Chrome
- Firefox
- Internet Explorer
- Opera
- Thunderbird
It also deletes your profile data from Skype.
The worm also turns off User Account Control (UAC).
Additional information
The worm sets HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden with value "2" to hide its files on removable drives.
It only spreads on French-language PCs.
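The following read-only triage script is an added example, not part of this entry; it checks a Windows host for the artifacts described above (the NTUSER account, the dropped files, the Explorer Hidden value, and autorun.inf beside a hidden Microsoft.exe on removable drives). The EnableLUA and fDenyTSConnections registry values are standard Windows settings assumed here to reflect the "UAC off" and "remote desktop opened" behaviour; the entry itself does not name them.

```powershell
# Added example (not from the original advisory): read-only host triage for the
# Worm:VBS/Eneg.A artifacts. Run from an elevated PowerShell 5.1+ prompt.
# Nothing is modified; every match is reported as a finding.

$findings = @()

# 1. Backdoor administrator account named in the entry.
if (Get-LocalUser -Name 'NTUSER' -ErrorAction SilentlyContinue) {
    $findings += 'Local account NTUSER exists'
}

# 2. Downloaded files at the %APPDATA% paths listed in the entry.
$dropped = @(
    "$env:APPDATA\Windows Update\system.bat",
    "$env:APPDATA\Windows Update\system.exe",
    "$env:APPDATA\Microsoft\SYSTEM\update.exe",
    "$env:APPDATA\Microsoft\SYSTEM\explorer.exe"
)
foreach ($p in $dropped) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

# 3. Explorer 'Hidden' forced to 2 (hidden files not shown), as described.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hidden = (Get-ItemProperty -Path $adv -Name Hidden -ErrorAction SilentlyContinue).Hidden
if ($hidden -eq 2) { $findings += "Explorer Hidden=2 under $adv" }

# 4. UAC disabled and Remote Desktop enabled. These two registry values are
#    standard Windows settings assumed here; the entry does not name them.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-ItemProperty -Path $sys -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA -eq 0) {
    $findings += 'UAC disabled (EnableLUA=0)'
}
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ((Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0) {
    $findings += 'Remote Desktop connections enabled (fDenyTSConnections=0)'
}

# 5. Removable drives (DriveType 2): autorun.inf plus a Microsoft.exe in the root.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $exe  = Join-Path $root 'Microsoft.exe'
    if ((Test-Path -LiteralPath (Join-Path $root 'autorun.inf')) -and (Test-Path -LiteralPath $exe)) {
        # -Force is needed so Get-Item returns hidden files.
        $attrs = (Get-Item -LiteralPath $exe -Force).Attributes
        $findings += "autorun.inf and Microsoft.exe on $root (attributes: $attrs)"
    }
}

if ($findings.Count -eq 0) { 'No Eneg.A artifacts found' } else { $findings }
```

A hit on items 3 or 4 alone is not proof of infection, since administrators and other software change those values; treat the account, the dropped files and the removable-drive pair as the strong indicators.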
Analysis by Zhitao Zhou