VBS_AUTORUN.AONN

 Analysis by: Christopher Daniel So

 ALIASES:

Worm:VBS/HiLink.A (Microsoft), Worm/AutoRun (AVG), VBS/Solow.CN (Panda)

 PLATFORM:

Windows


  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes registry entries, causing some applications and programs to not function properly.

  TECHNICAL DETAILS

File Size:

15,104 bytes

File Type:

VBS

Initial Samples Received Date:

18 Aug 2015

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Other System Modifications

This worm adds the following registry entries, which replace the open command for several file types, for the Internet Explorer and My Computer shell objects, and for the Explorer folder options and AutoRun policy, so that the script is run whenever one of those files or objects is opened:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" %1 %* "

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" OIE "

HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" OIE "

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" OMC "

HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command
(Default) = "%SystemRoot%\System32\WScript.exe "{malware path and filename}" EMC "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
CheckedValue = "3"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = "2"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun = "0"

It deletes the following registry entries:

HKEY_CLASSES_ROOT\lnkfile
IsShortcut =
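As an added example (not part of the Trend Micro entry), the PowerShell audit below checks a host for the registry changes listed above. It assumes an elevated session on the machine being examined, and the stock Windows values noted in its comments (NOHIDDEN CheckedValue 2, SHOWALL CheckedValue 1, no script host in the default file-type handlers); the {871C5380-...} and {20D04FE0-...} CLSIDs are the Internet Explorer and My Computer shell objects.

```powershell
# Added example, not from the original entry: audit the registry values VBS_AUTORUN.AONN modifies.
# Assumes an elevated PowerShell session on the host being checked.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Open commands the worm points at WScript.exe (file types, iexplore.exe, and the
#    Internet Explorer / My Computer shell objects).
$hijacked = @(
    'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\inifile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\inffile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\batfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\cmdfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\chm.file\shell\open\command',
    'HKLM:\SOFTWARE\Classes\hlpfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command'
)
foreach ($key in $hijacked) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
    # The stock handlers for these types never go through a script host, so any
    # WScript/CScript reference here is an indicator worth investigating.
    if ($cmd -match '\\(w|c)script\.exe') { $findings.Add("Hijacked handler: $key = $cmd") }
}

# 2. Folder-option values the worm changes to suppress "Show hidden files and folders".
#    Expected Windows defaults (assumption): NOHIDDEN CheckedValue = 2, SHOWALL CheckedValue = 1.
$hiddenBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden'
foreach ($opt in @(@{ Name = 'NOHIDDEN'; Expected = 2 }, @{ Name = 'SHOWALL'; Expected = 1 })) {
    $val = (Get-ItemProperty -LiteralPath "$hiddenBase\$($opt.Name)" -ErrorAction SilentlyContinue).CheckedValue
    if ($null -ne $val -and [int]$val -ne $opt.Expected) {
        $findings.Add("Folder option tampered: $($opt.Name)\CheckedValue = $val (expected $($opt.Expected))")
    }
}

# 3. NoDriveTypeAutoRun = 0 re-enables AutoRun for every drive type for the current user.
$pol = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
if ($null -ne $pol.NoDriveTypeAutoRun -and [int]$pol.NoDriveTypeAutoRun -eq 0) {
    $findings.Add('AutoRun re-enabled: NoDriveTypeAutoRun = 0')
}

# 4. The deleted IsShortcut value removes the shortcut-arrow overlay from .lnk files.
$lnk = Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\lnkfile' -ErrorAction SilentlyContinue
if ($null -eq $lnk.IsShortcut) { $findings.Add('HKCR\lnkfile\IsShortcut is missing') }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No VBS_AUTORUN.AONN registry indicators found.' }
```

Any hit should be confirmed against the actual command string, since the script path is the "{malware path and filename}" placeholder in the entry above and varies per infection.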