PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Trojan

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Copies itself in all available logical drives

This Trojan arrives via removable drives. It may arrive bundled with malware packages as a malware component. It may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It creates registry entries to enable its automatic execution at every system startup.

It drops copies of itself in all removable drives. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

  TECHNICAL DETAILS

Payload: Displays message/message boxes, Drops files

Arrival Details

This Trojan arrives via removable drives.

It may arrive bundled with malware packages as a malware component.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{Name of currently logged in user} = "%System%\{Name of currently logged in user}.vbs"

Other System Modifications

This Trojan modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window Title = "Hacked by {malware file name of initially executed file}"

Propagation

This Trojan drops copies of itself in all removable drives.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

NOTES:

The said .INF file contains the following lines:

[AutoRun]
shellexecute=wscript.exe {malware file name of initially executed file}

This script displays the following message box(es):

  • Mutation of Trojan virus!

This script requires the presence of the legitimate Windows Script Host file, WSCRIPT.EXE, to execute properly.

  SOLUTION

Minimum Scan Engine: 9.300
FIRST VSAPI PATTERN FILE: 4.408.01
FIRST VSAPI PATTERN DATE: 11 Apr 2007

Step 1

Scan your computer with your Trend Micro product to delete files detected as VBS_SOLOW.C. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 2

For Windows XP and Windows Server 2003 users, before doing any scans, please make sure you disable System Restore to allow full scanning of your computer.

NOTES:

To remove this malware, first identify the malware program.

Scan your computer with your Trend Micro antivirus product.

NOTE the path and file name of all files detected as VBS_SOLOW.C.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.

Terminating the WSCRIPT.EXE Process

This procedure terminates the legitimate process WSCRIPT.EXE, which this malware uses for its malicious routines.

1. Open Windows Task Manager.

  • On Windows 98 and ME, press CTRL+ALT+DELETE
  • On Windows NT, 2000, XP, and Server 2003, press CTRL+SHIFT+ESC, then click the Processes tab.

2. In the list of running programs*, locate the process:

  • WSCRIPT.EXE

3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your computer.

4. To check if the malware process has been terminated, close Task Manager, and then open it again.

5. Close Task Manager.

*NOTE: On computers running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third-party process viewer such as Process Explorer to terminate the malware process.

On computers running all Windows platforms, if the process you are looking for is not in the list displayed by Task Manager or Process Explorer, continue with the next solution procedure, noting additional instructions. If the malware process is in the list displayed by either Task Manager or Process Explorer, but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entry from the Registry

Removing the autostart entry from the registry prevents the malware from executing at startup.

If the registry entry below is not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:

    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run

  3. In the right panel, locate and delete the entry:

    {Name of currently logged in user} = "%System%\{Name of currently logged in user}.vbs"

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Restoring Modified Registry Entry

  1. Still in Registry Editor, in the left panel, double-click the following:

    HKEY_CURRENT_USER>Software>Microsoft>Internet Explorer>Main

  2. In the right panel, locate the entry:

    Window Title = "Hacked by {malware file name of file detected earlier}"

  3. Right-click on the value name and choose Modify. Delete the value data of this entry.
  4. Close Registry Editor.

Restoring AUTORUN.INF

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:

    AUTORUN.INF

  3. In the Look In drop-down list, select a drive, then press Enter.
  4. Select the file, then open using Notepad.
  5. Check if the following lines are present in the file:

    shellexecute=wscript.exe {malware file name of file detected earlier}

  6. If the lines are present, delete the file.
  7. Repeat steps 3 to 6 for AUTORUN.INF files in the remaining removable drives.
  8. Close Search Results.
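The following read-only triage script is an added example, not part of the Trend Micro write-up. It checks the three indicators described in the Technical Details (the per-user Run entry, the Internet Explorer "Hacked by" window title, and the wscript.exe shellexecute line in AUTORUN.INF on removable drives) that the manual procedures above remove, and it assumes Windows PowerShell with WMI available and a Run value whose data ends in \{user}.vbs.

```powershell
# Added triage script (not Trend Micro's code): reports the VBS_SOLOW.C
# indicators described on this page and deletes nothing, so the manual
# removal steps above remain the cleanup procedure. Run from an elevated prompt.

$findings = @()

# 1. Autostart entry: HKLM Run value named after the logged-in user that
#    launches %System%\<user>.vbs. Any path ending in \<user>.vbs is a match.
$user   = $env:USERNAME
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name $user -ErrorAction SilentlyContinue).$user
if ($runVal -and $runVal -match ('\\' + [regex]::Escape($user) + '\.vbs"?\s*$')) {
    $findings += "Run value '$user' = $runVal"
}

# 2. Installation marker: Internet Explorer window title rewritten to "Hacked by ...".
$ieKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$title = (Get-ItemProperty -Path $ieKey -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title -like 'Hacked by*') {
    $findings += "IE Window Title = '$title'"
}

# 3. Propagation: AUTORUN.INF on removable drives (Win32_LogicalDisk DriveType 2)
#    whose shellexecute line hands a file to wscript.exe.
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    $inf = "$($drive.DeviceID)\AUTORUN.INF"
    if (-not (Test-Path $inf)) { continue }
    foreach ($line in Get-Content $inf -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*shellexecute\s*=\s*wscript\.exe\s+(.+?)\s*$') {
            $findings += "$inf runs '$($Matches[1])' via wscript.exe"
        }
    }
}

# 4. Running Windows Script Host instances: wscript.exe itself is legitimate,
#    so report the command line, which names the .vbs file it is executing.
foreach ($p in Get-WmiObject Win32_Process -Filter "Name='wscript.exe'") {
    $findings += "wscript.exe PID $($p.ProcessId): $($p.CommandLine)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No VBS_SOLOW.C indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FOUND: $_" }
}
```

Because the dropped copy is named after the logged-in user, run the script in each affected user's session (or substitute the user names listed in the detection log for $env:USERNAME) to cover every Run value the Trojan may have created.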
