VBS_MAGRE.A
Aliases: Trojan.VBS.VAR (BitDefender); VBS/Agent.NLO!worm (Fortinet)
Platform: Windows
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 49,152 bytes
File Type: VBS
Memory Resident: Yes
Initial Samples Received Date: 09 Jan 2018
Arrival Details
This Worm arrives via removable drives.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Worm drops the following copies of itself into the affected system:
- %User Profile%\ntuser.vbe
- {Removable drive letter}:\ntuser.vbe
(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
Autostart Technique
This Worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
ntuser = wscript.exe //B "%User Profile%\ntuser.vbe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ntuser = wscript.exe //B "%User Profile%\ntuser.vbe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
ntuser = wscript.exe //B "%User Profile%\ntuser.vbe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ntuser = wscript.exe //B "%User Profile%\ntuser.vbe"
Other System Modifications
This Worm adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\ntuser
(Default) = false - {mm/dd/yyyy}
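The following PowerShell script is an added host-check example and is not part of this Trend Micro entry. It looks for the artifacts listed above on a single machine: the "ntuser" values in the four Run and Policies\Explorer\Run keys (or any value in those keys that launches ntuser.vbe), the HKEY_LOCAL_MACHINE\SOFTWARE\ntuser marker key, and the dropped ntuser.vbe copies in the current user's profile folder and at the root of each removable drive. The function name Find-MagreArtifacts is a placeholder of this example; it assumes Windows PowerShell 5.1 or later and an elevated session so that every HKEY_LOCAL_MACHINE key can be read.

```powershell
# Added detection example, not part of the Trend Micro entry. Checks one host for the
# artifacts this entry lists: the ntuser.vbe drop locations, the four autostart values
# named "ntuser", and the HKLM\SOFTWARE\ntuser marker key.
# Assumes Windows PowerShell 5.1 or later; run elevated to read every HKLM key.
function Find-MagreArtifacts {
    [CmdletBinding()]
    param()

    $findings  = New-Object System.Collections.Generic.List[object]
    $valueName = 'ntuser'       # value name used in all four autostart keys
    $dropName  = 'ntuser.vbe'   # file name of the dropped copies

    # Autostart locations named on the page (HKCU and HKLM, Run and Policies\Explorer\Run).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and similar provider metadata
            # Flag the exact value name from the page, and any other value whose data launches the dropped script.
            if ($p.Name -eq $valueName -or ("$($p.Value)" -match [regex]::Escape($dropName))) {
                $findings.Add([pscustomobject]@{
                    Kind     = 'AutostartValue'
                    Location = "$key\$($p.Name)"
                    Data     = "$($p.Value)"
                })
            }
        }
    }

    # Marker key from "Other System Modifications": (Default) = false - {mm/dd/yyyy}
    $markerKey = 'HKLM:\SOFTWARE\ntuser'
    if (Test-Path -LiteralPath $markerKey) {
        $default = (Get-ItemProperty -LiteralPath $markerKey -ErrorAction SilentlyContinue).'(default)'
        $findings.Add([pscustomobject]@{
            Kind     = 'MarkerKey'
            Location = $markerKey
            Data     = "$default"
        })
    }

    # Dropped copies: %User Profile%\ntuser.vbe for the current user, plus the root of each removable drive.
    $candidates = @(Join-Path $env:USERPROFILE $dropName)
    $removable  = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($disk in $removable) {
        $candidates += Join-Path $disk.DeviceID $dropName   # DeviceID is the drive letter, e.g. "E:"
    }
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path -Force
            $findings.Add([pscustomobject]@{
                Kind     = 'DroppedFile'
                Location = $path
                Data     = 'size={0} bytes, lastwrite={1:u}' -f $item.Length, $item.LastWriteTime
            })
        }
    }
    return $findings
}

$results = @(Find-MagreArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No VBS_MAGRE.A artifacts found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

The HKEY_CURRENT_USER checks only cover the account running the script; the two HKEY_LOCAL_MACHINE values apply to every user on the machine, so an elevated run of this script is enough to confirm machine-wide persistence. A file size of 49,152 bytes on a found ntuser.vbe matches the sample size given for this entry, but treat any ntuser.vbe launched with wscript.exe //B from a Run key as suspect regardless of size.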
Other Details
This Worm connects to the following possibly malicious URL:
- http://{BLOCKED}-lc5.{BLOCKED}game.com:10284/is-ready