search
close

VBS_WOBFUS.GG

September 25, 2013
 Analysis by: Adrian Cofreros
 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW


This worm arrives by connecting affected removable drives to a system. It arrives by accessing affected shared networks. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It disables Task Manager, Registry Editor, and Folder Options.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

File Size:

Varies

File Type:

VBS

Memory Resident:

Yes

Initial Samples Received Date:

04 Apr 2012

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It arrives by accessing affected shared networks.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following copies of itself into the affected system:

  • %System%\drivers\alice.sys

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Autostart Technique

This worm modifies the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
Userinit = "%System%\userinit.exe,%System%\wscript.exe //e:vbscript.encode %System%\drivers\alice.sys"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Other System Modifications

This worm adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableConfig = "1"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = "2"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFind = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFileAssociate = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile
InfoTip = "prop:Type"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile
NeverShowExt = ""

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile
QuickTip = "prop:Type"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile
TileInfo = "prop:Type"

HKEY_CLASSES_ROOT\VBEFile
InfoTip = "prop:Type"

HKEY_CLASSES_ROOT\VBEFile
NeverShowExt = ""

HKEY_CLASSES_ROOT\VBEFile
QuickTip = "prop:Type"

HKEY_CLASSES_ROOT\VBEFile
TileInfo = "prop:Type"

It modifies the following registry entries:

HKEY_CLASSES_ROOT\VBEFile
{default} = "Microsoft Office Word 2007 Document"

(Note: The default value data of the said registry entry is VBScript Encoded Script File.)

HKEY_CLASSES_ROOT\VBEFile
FriendlyTypeName = "Microsoft Office Word 2007 Document"

(Note: The default value data of the said registry entry is @%SystemRoot%\System32\wshext.dll,-4803.)

HKEY_CLASSES_ROOT\VBEFile\DefaultIcon
{default} = ""C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE",15"

(Note: The default value data of the said registry entry is %SystemRoot%\System32\WScript.exe,2.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile
{default} = "Microsoft Office Word 2007 Document"

(Note: The default value data of the said registry entry is VBScript Encoded Script File.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile
FriendlyTypeName = "Microsoft Office Word 2007 Document"

(Note: The default value data of the said registry entry is @%SystemRoot%\System32\wshext.dll,-4803.)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
VBEFile\DefaultIcon
{default} = ""C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE",15"

(Note: The default value data of the said registry entry is %SystemRoot%\System32\WScript.exe,2.)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = "0"

(Note: The default value data of the said registry entry is 1.)

It creates the following registry entry(ies) to disable Task Manager, Registry Tools and Folder Options:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = "1"

Propagation

This worm drops copies of itself in network drives such as the following:

  • {network drive letter}:\alice.alc

It drops the following copy of itself in all physical and removable drives:

  • {removable drive letter}:\alice.alc
  • {physical drive letter}:\alice.alc

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[autorun]
shellexecute=wscript.exe //e:vbscript.encode alice.alc
shell\open\command=wscript.exe //e:vbscript.encode alice.alc
shell\explore\command=wscript.exe //e:vbscript.encode alice.alc

NOTES:

It hides the following file(s):

  • {file name}.doc

It creates the following copies of itself and has the same file name as file it hides:

  • {file name}.vbe