VBS_AUTORUN.SML
Windows 2000, XP, Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Copies itself in all available physical drives, Propagates via removable drives
This worm employs registry shell spawning by adding certain registry entries. This allows this malware to execute even when other applications are opened.
It modifies registry entries to hide files with System and Read-only attributes.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
TECHNICAL DETAILS
724,616 bytes
VBS
Yes
03 Dec 2010
Drops files
Installation
This worm drops the following copies of itself into the affected system:
- %System%\winjpg.jpg
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
CTFMON = "%System%\wscript.exe /E:vbs %System%\winjpg.jpg"
It employs registry shell spawning to ensure its execution when certain file types are accessed by adding the following entries:
HKEY_CLASSES_ROOT\exefile\shell\
Open application\command
(Default) = "%System%\winxp.exe"
HKEY_CLASSES_ROOT\exefile\shell\
Scan for virus,s\command
(Default) = "%System%\wscript.exe /E:vbs %System%\winjpg.jpg"
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_CURRENT_USER\Software\Microsoft\
Windows Scripting Host\Settings
DisplayLogo = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows Scripting Host\Settings
Timeout = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows Script Host\Settings
DisplayLogo = 0
HKEY_CURRENT_USER\Software\Microsoft\
Windows Script Host\Settings
Timeout = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiVirusOverride = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Script Host\Settings
Enabled = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\Installer
LimitSystemRestoreCheckpointing = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows NT\SystemRestore
DisableSR = 1
It modifies the following registry key(s)/entry(ies) as part of its installation routine:
HKEY_CLASSES_ROOT\mp3file
FriendlyTypeName = "Good Songs"
(Note: The default value data of the said registry entry is "%Windows%\inf\unregmp2.exe,-10002".)
HKEY_CLASSES_ROOT\VBSFile
FriendlyTypeName = "MP3 Audio"
(Note: The default value data of the said registry entry is %System%\wshext.dll,-4802,.)
HKEY_CLASSES_ROOT\VBSFile\DefaultIcon
(Default) = "%Program Files%\WINDOW~3\wmplayer.exe,-120"
(Note: The default value data of the said registry entry is %SystemRoot%\System32\WScript.exe,2.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoDriveTypeAutoRun = 0
(Note: The default value data of the said registry entry is 91.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wscsvc
Start = 4
(Note: The default value data of the said registry entry is 2.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\wuauserv
Start = 4
(Note: The default value data of the said registry entry is 2.)
It modifies the following registry entries to hide files with System and Read-only attributes:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
Hidden = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
HideFileExt = 1
(Note: The default value data of the said registry entry is 0.)
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = 0
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\
SHOWALL
CheckedValue = 0
(Note: The default value data of the said registry entry is 1.)
Propagation
This worm drops the following copy of itself in all physical and removable drives:
- winfile.jpg
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
shellexecute=Wscript.exe /e:vbs winfile.jpg
Dropping Routine
This worm drops the following files:
- %System%\winxp.exe - detected as BKDR_BIFROSE.DPW
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.
Other Details
This worm does the following:
- It creates the following registry entries to enable automatic execution everytime an associated application is run:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\{Applications Executable File Name}
Debugger = "%System%\wscript.exe /E:vbs %System%\winjpg.jpg"{Applications Executable File Name} has the following values:
- MSConfig.exe
- procexp.exe
- regedit.exe
- taskmgr.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
SOLUTION
8.900
7.701.00
15 Dec 2010
7.701.00
15 Dec 2010
Step 1
For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.
Step 2
Remove malware files dropped/downloaded by VBS_AUTORUN.SML
- BKDR_BIFROSE.DPW
Step 3
Restart in Safe Mode
Step 4
Enable Registry Editor
Step 5
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- CTFMON = %System%\wscript.exe /E:vbs %System%\winjpg.jpg
- CTFMON = %System%\wscript.exe /E:vbs %System%\winjpg.jpg
- In HKEY_CLASSES_ROOT\exefile\shell\Open application\command
- (Default) = %System%\winxp.exe
- (Default) = %System%\winxp.exe
- In HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command
- (Default) = %System%\wscript.exe /E:vbs %System%\winjpg.jpg
- (Default) = %System%\wscript.exe /E:vbs %System%\winjpg.jpg
- In HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings
- DisplayLogo = 0
- DisplayLogo = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings
- Timeout = 0
- Timeout = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
- DisplayLogo = 0
- DisplayLogo = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
- Timeout = 0
- Timeout = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
- AntiVirusOverride = 1
- AntiVirusOverride = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
- Enabled = 1
- Enabled = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
- LimitSystemRestoreCheckpointing = 1
- LimitSystemRestoreCheckpointing = 1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
- DisableSR = 1
- DisableSR = 1
Step 6
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- MSConfig.exe
- MSConfig.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- procexp.exe
- procexp.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- regedit.exe
- regedit.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- taskmgr.exe
- taskmgr.exe
Step 7
Restore this modified registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CLASSES_ROOT\mp3file
- From: FriendlyTypeName = Good Songs
To: %Windows%\inf\unregmp2.exe,-10002
- From: FriendlyTypeName = Good Songs
- In HKEY_CLASSES_ROOT\VBSFile
- From: FriendlyTypeName = MP3 Audio
To: %System%\wshext.dll,-4802,
- From: FriendlyTypeName = MP3 Audio
- In HKEY_CLASSES_ROOT\VBSFile\DefaultIcon
- From: (Default) = %Program Files%\WINDOW~3\wmplayer.exe,-120
To: %SystemRoot%\System32\WScript.exe,2
- From: (Default) = %Program Files%\WINDOW~3\wmplayer.exe,-120
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: Hidden = 0
To: 1
- From: Hidden = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: HideFileExt = 1
To: 0
- From: HideFileExt = 1
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- From: ShowSuperHidden = 0
To: 1
- From: ShowSuperHidden = 0
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- From: NoDriveTypeAutoRun = 0
To: 91
- From: NoDriveTypeAutoRun = 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- From: CheckedValue = 0
To: 1
- From: CheckedValue = 0
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
- From: Start = 4
To: 2
- From: Start = 4
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
- From: Start = 4
To: 2
- From: Start = 4
Step 8
Search and delete AUTORUN.INF files created by VBS_AUTORUN.SML that contain these strings
Step 9
Scan your computer with your Trend Micro product to delete files detected as VBS_AUTORUN.SML. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.