VBS/AutoRun.HX [Threat Name]

VBS/AutoRun.HX [Threat Variant Name]

Category: worm
Size: 714468 B
Detection created: Feb 13, 2013
Detection database version: 8005
Aliases: Trojan.VBS.Agent.ok (Kaspersky), VBS/Dropper.trojan (McAfee), Win32:Agent-AQTU (Avast)
Short description

VBS/AutoRun.HX is a worm that spreads via shared folders and removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm creates the following folders:

  • %systemdrive%\Kernel
  • %systemdrive%\Kernel\lpt1
  • %systemdrive%\security
  • %systemdrive%\security\lpt1
  • %systemroot%\system32\system
  • %systemroot%\system32\system\msg

The worm copies itself to the following locations:

  • %systemdrive%\security\blood.dat
  • %systemdrive%\kernel\r00t3r

The %systemdrive%\Kernel and %systemdrive%\security folders may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


The %systemdrive%\kernel\r00t3r file may have the System (S) and Hidden (H) attributes set in an attempt to hide it in Windows Explorer.


The worm creates the following files:

  • %systemdrive%\security\system.vbs (125 B)
  • %allusersprofile%\rescue.vbe (1890 B, VBS/TrojanDownloader.Psyme.NJJ)
  • %systemroot%\system32\system\msg\config.txt (426 B)
  • %drive%\system32\system\svchost.exe (86880 B)

The worm creates copies of the following files (source, destination):

  • %systemroot%\system32\wscript.exe, %systemdrive%\security\svchost.exe

The worm executes the following commands:

  • cmd /K sc create system binPath= "%systemroot%\system32\system\svchost.exe msg" start= auto
  • net start system
  • sc description system "processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque d'etre endommagé."
  • EXIT

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "rescue" = "%allusersprofile%\rescue.vbe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
    • "Timeout" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
    • "DisableCMD" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 0
    • "DisableRegistryTools" = 0
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate]
    • "sdate" = "39"
  • [HKEY_CLASSES_ROOT\Applications\Notepad2.exe\Shell\Open]
    • "command" = "%systemroot%\System32\Notepad.exe"
  • [HKEY_CLASSES_ROOT\Applications\notepad.exe\Shell\Open]
    • "command" = "%systemroot%\System32\Notepad.exe"
  • [HKEY_CLASSES_ROOT\Batfile\Shell\Edit\Command]
    • "" = "%systemroot%\System32\Notepad.exe"
  • [HKEY_CLASSES_ROOT\VBEFile\Shell\Edit\Command]
    • "" = "%systemroot%\System32\Notepad.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\system\svchost.exe msg"
    • "ObjectName" = "LocalSystem"
    • "Description" = "processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque d'etre endommagé."

The worm may delete files stored in the following folders:

  • %systemdrive%\Kernel
  • %systemdrive%\security

Spreading

The worm searches for available local and removable drives.


The worm may delete the following files:

  • %drive%\*.vbe
  • %drive%\*.lnk
  • %drive%\config.dat
  • %drive%\autorun.inf
  • %drive%\microsoft.dat

The worm searches for the following folders:

  • %drive%\*.*

The worm creates the following file:

  • %drive%\%variable%.lnk

The name of the new file is based on the name of the folder found in the search.


The file is a shortcut to a malicious file.


The worm copies itself to the following locations:

  • %drive%\config.dat
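
As an added example (not part of this ESET description), the following Python check looks for the removable-drive trace described above: a folder whose name is mirrored by a sibling .lnk shortcut, together with the config.dat copy at the drive root. It builds a constructed stand-in drive in a temporary directory; the function names and verdict labels are assumptions.

```python
import os
import tempfile

# Name the worm copies itself to on every drive it reaches (from the description above).
WORM_DROP = "config.dat"

def forged_lnk_folders(drive_root):
    """Folders on drive_root that have a sibling '<same name>.lnk' shortcut.

    The worm creates one shortcut per folder it finds, named after that folder,
    so a drive root full of such pairs is the visible trace of an infection.
    Windows file names are case-insensitive, so names are compared in lower case."""
    entries = os.listdir(drive_root)
    folders = {e.lower(): e for e in entries if os.path.isdir(os.path.join(drive_root, e))}
    shortcuts = {e[:-4].lower() for e in entries if e.lower().endswith(".lnk")}
    return sorted(folders[name] for name in folders.keys() & shortcuts)

def assess_drive(drive_root):
    """Combine the shortcut pairs with the presence of config.dat into a verdict (hypothetical labels)."""
    pairs = forged_lnk_folders(drive_root)
    dropper = os.path.isfile(os.path.join(drive_root, WORM_DROP))
    if pairs and dropper:
        verdict = "worm-pattern"
    elif pairs or dropper:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "forged_shortcuts": pairs, "dropper_present": dropper}

def build_sample_drive(infected=True):
    """Constructed stand-in for a removable drive: a temp directory, not a real device."""
    root = tempfile.mkdtemp(prefix="usb_")
    for folder in ("Photos", "Work", "Music"):
        os.mkdir(os.path.join(root, folder))
    if infected:
        for folder in ("Photos", "Work"):   # the worm forges one shortcut per folder it finds
            open(os.path.join(root, folder + ".lnk"), "wb").close()
        open(os.path.join(root, WORM_DROP), "wb").close()
    return root

if __name__ == "__main__":
    print(assess_drive(build_sample_drive()))
```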

Other information

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "ConsentPromptBehaviorAdmin" = 0
    • "EnableLua" = 0
  • [HKEY_CLASSES_ROOT\VBEFile\DefaultIcon]
    • "" = "%systemroot%\system32\shell32.dll,1"

The worm may delete the following Registry entries:

  • [HKEY_CLASSES_ROOT\lnkfile]
    • "IsShortCut"

The worm may create the following files:

  • %temp%\uac.bat (1883 B)
  • %temp%\tmp.bat (321 B/1094 B, VBS/Agent.NCF)
  • %temp%\ADMIN.vbe (292 B)
  • %temp%\CPBA.bat (474 B)
  • %temp%\tp.vbe (175 B)

The files are then executed.


The worm may attempt to download files from the Internet. The worm contains a list of 8 URLs. The HTTP protocol is used.


These are stored in the following locations:

  • %systemdrive%\security\zoneh.dat
  • %systemdrive%\security\bump.jpg
  • %systemdrive%\security\av.jpg
  • %systemdrive%\security\system.jpg
  • %systemdrive%\kernel\explorer.jpg
  • %systemdrive%\kernel\update.jpg
  • %temp%\booter.dat

The worm moves the following files (source, destination):

  • %systemroot%\system32\wscript.exe, %systemdrive%\security\svchost.exe
  • %systemdrive%\security\zoneh.dat, %systemdrive%\security\zoneh.exe
  • %systemdrive%\security\bump.jpg, %systemdrive%\security\bump.vbe
  • %systemdrive%\security\av.jpg, %systemdrive%\security\av.bat
  • %systemdrive%\security\system.jpg, %systemdrive%\security\system.exe
  • %systemdrive%\kernel\explorer.jpg, %systemdrive%\kernel\explorer.exe
  • %systemdrive%\kernel\update.jpg, %systemdrive%\kernel\update.exe
  • %temp%\booter.dat, %temp%\reskp.exe

The worm may create copies of the following files (source, destination):

  • %systemdrive%\kernel\*.vbe, directory %temp%
  • %scriptpath%, %temp%

The following files are deleted:

  • %systemdrive%\*.lnk
  • %systemdrive%\autorun.inf

The worm may execute the following commands:

  • cmd /K takeown /F %systemdrive%\kernel /A /R /D O &
  • CACLS %systemdrive%\Kernel /E /T /C /G %username%:F &
  • takeown /F %systemdrive%\security /A /R /D O &
  • CACLS %systemdrive%\security /E /T /C /G %username%:F &
  • takeown /F %allusersprofile%\/A /R /D O &
  • takeown /a /f %systemroot%\System32\wscript.exe &
  • ICACLS %systemroot%\System32\wscript.exe /Grant %username%:F &
  • takeown /F "%systemdrive%\system Volume Information" /A /R /D O &
  • CACLS "%systemdrive%\system Volume Information" /E /T /C /G %username%:F &
  • EXIT
  • cmd /K md %systemroot%\system32\system &
  • md %systemroot%\system32\system\msg &
  • EXIT
  • cmd /K del/f/q/s %systemdrive%\security\system.bat &
  • del/f/q/s %systemdrive%\security\system.vbe &
  • del/f/q/s %systemdrive%\security\index.exe &
  • del/f/q/s %systemdrive%\security\system.exe &
  • del/f/q/s %systemdrive%\kernel\explorer.exe &
  • del/f/q/s %systemdrive%\kernel\update.exe &
  • del/f/q/s "%temp%\reskp.exe" &
  • rd/q/s %systemdrive%\system32 &
  • rd/q/s %systemdrive%\system &
  • EXIT
  • cmd /K vssadmin delete shadows /all /quiet &
  • cd/d "%systemdrive%\system volume Information" &
  • del/f/s/q/a "%systemdrive%\system volume Information\*.*" &
  • EXIT
  • cmd /K xcopy /C /H /Y /R %drive%\config.dat %systemdrive%\security &
  • attrib -s -h %systemdrive%\security\*.dat &
  • ren %systemdrive%\security\*.dat blood.dat &
  • EXIT
  • cmd /K xcopy /C /H /Y /R %drive%\config.dat %systemdrive%\kernel &
  • attrib -s -h %systemdrive%\kernel\*.dat &
  • ren %systemdrive%\kernel\*.dat r00t3r &
  • attrib +s +h %systemdrive%\kernel\*.* &
  • EXIT
  • cmd /K cd/d %systemdrive%\security &
  • copy /b /y blood.dat + &
  • EXIT

The worm removes system restore points.
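
The service registration under Installation, the Policies\Explorer\Run autostart, the UAC and hidden-file registry changes, and the vssadmin shadow-copy deletion listed above are the behaviours a defender can alert on. The following Python triage routine is an added example, not part of this ESET description; it runs those checks over constructed process-creation and registry-set events (the event shape, the rule names and the expanded paths are assumptions, not a format any particular log source uses).

```python
import ntpath
import re

# Constructed sample events modelled on the behaviour listed above (not real logs).
EVENTS = [
    {"kind": "process", "cmd": 'cmd /K sc create system binPath= "C:\\Windows\\system32\\system\\svchost.exe msg" start= auto'},
    {"kind": "process", "cmd": "net start system"},
    {"kind": "process", "cmd": "cmd /K vssadmin delete shadows /all /quiet &"},
    {"kind": "process", "cmd": 'sc create examplesvc binPath= "C:\\Windows\\system32\\svchost.exe -k netsvcs"'},  # benign
    {"kind": "registry", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run",
     "value": "rescue", "data": "C:\\ProgramData\\rescue.vbe"},
    {"kind": "registry", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
     "value": "EnableLua", "data": "0"},
    {"kind": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
     "value": "Hidden", "data": "1"},  # benign: the user chose to show hidden files
]

# Directories the genuine svchost.exe lives in; the worm's copy sits one level deeper.
SVCHOST_DIRS = ("\\windows\\system32", "\\windows\\syswow64")

def check_process(cmd):
    """Rule names (hypothetical labels) triggered by one process command line."""
    c, hits = cmd.lower(), []
    m = re.search(r'binpath=\s*"?([^"&]+)', c)
    if "sc create" in c and m:
        image = m.group(1).split()[0]   # drop service arguments such as "msg"
        if ntpath.basename(image) == "svchost.exe" and not ntpath.dirname(image).endswith(SVCHOST_DIRS):
            hits.append("service_svchost_outside_system32")
    if "vssadmin" in c and "delete shadows" in c:
        hits.append("shadow_copy_deletion")
    return hits

def check_registry(key, value, data):
    """Rule names triggered by one registry value write."""
    k, v, d, hits = key.lower(), value.lower(), str(data).strip(), []
    if k.endswith("\\policies\\explorer\\run"):
        hits.append("policy_run_autostart")     # the value data is the script launched at logon
    if k.endswith("\\policies\\system") and v in ("enablelua", "consentpromptbehavioradmin") and d == "0":
        hits.append("uac_disabled")
    if k.endswith("\\explorer\\advanced") and (v, d) in (("hidden", "2"), ("showsuperhidden", "0")):
        hits.append("hidden_files_concealed")   # keeps the S+H folders the worm creates out of sight
    return hits

def triage(events):
    # Return (rule, event) pairs for every event that matches at least one rule.
    findings = []
    for e in events:
        rules = check_process(e["cmd"]) if e["kind"] == "process" else check_registry(e["key"], e["value"], e["data"])
        findings.extend((r, e) for r in rules)
    return findings
```

Run as a module, triage(EVENTS) reports four findings for the sample set and nothing for the two benign events.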


It contains the following strings:

  • '========================================================================================='
  • '
  • ' C0d3 N4me : S4T4n
  • ' Cr34t0r : R4PTOR
  • ' Created for personal use , modifications or others are not authorized
  • ' For more informations, looking 4 me { - CNG4L on Race }
  • '
  • '========================================================================================='
