WORM_VBNA.AH

This worm drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

Installation

This worm drops the following copies of itself into the affected system:

• %User Profile%\{random filename}.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random string} = %User Profile%\{random filename}.exe

Propagation

This worm drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
Action=Open folder to view files
ShellExecute={random filename}.exe
Icon=%System%\shell32.dll,4
UseAutoplay=1

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Other Details

Based on analysis of the codes, it has the following capabilities:

• It drops .LNK files that point to a copy of itself to automatically execute dropped copies when the drives are accessed. These .LNK files use the names of the existing folders. This is to execute the malware copy first before opening the real folder. It changes the attributes of the original folders into Hidden and System to trick the users.
• It also drops the following file in all removable drives: ert.dll - detected as TROJ_ZAPCHAST.LA, z{random letters}.lnk - detected as LNK_STUXNET.SM