VBS/Naiad [Threat Name]
VBS/Naiad.R [Threat Variant Name]
| Category | worm |
| Size | 6351 B |
| Signature database version | 7026 (Apr 04, 2012) |
| Aliases | Virus.VBS.Agent.h (Kaspersky) |
| | VBS/Azoog.worm.virus (McAfee) |
| | Worm:VBS/Autorun.BS (Microsoft) |
| | VBS.Runauto.B (Symantec) |
Short description
VBS/Naiad.R is a worm which tries to download other malware from the Internet. It is able to spread by copying itself into the root folders of available drives.
Installation
When executed, the worm copies itself to the following locations:
- %system%\`.vbe
- %system%\aini.ini
The worm creates the following file:
- %system%\autorun.inf
The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.
To ensure it is executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "explorer" = "`.vbe"
The following Registry entry is set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = "00000000"
Spreading
VBS/Naiad.R is a worm that spreads by copying itself into the root folders of available drives.
The following filename is used:
- %drive%\`.vbs
The worm creates the following file:
- %drive%\autorun.inf
The AUTORUN.INF file contains the path to the malware executable.
Thus, the worm ensures it is started each time infected media is inserted into the computer.
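As an added example (not part of the original description and not the vendor's code), the following Python code shows one way to triage an autorun.inf collected from a drive root: it extracts the entries that start a program and flags those that reference a .vbs or .vbe file. The sample file contents, including the use of wscript.exe, are constructed for illustration.

```python
import re

# Keys in the [autorun] section that cause a program to be started.
LAUNCH_KEYS = ("open", "shellexecute")
# Script types named in this description (.vbs on drives, .vbe in %system%).
SCRIPT_RE = re.compile(r"\.vb[se]\b", re.IGNORECASE)

def launch_targets(text):
    """Return (key, command) pairs from [autorun] that start a program."""
    section, found = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # tolerate junk lines instead of failing on them
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found

def script_launches(text):
    """Launch entries whose command references a .vbs or .vbe file."""
    return [(k, v) for k, v in launch_targets(text) if SCRIPT_RE.search(v)]

# Constructed samples (assumptions, not taken from a real specimen).
SUSPICIOUS = """\
[AutoRun]
xkqjz padding line
open=wscript.exe `.vbs
shell\\open\\command=wscript.exe `.vbs
icon=shell32.dll,8
"""
BENIGN = """\
[autorun]
open=setup.exe
icon=setup.exe,0
"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, script_launches(text))
```

An autorun.inf in a drive root whose launch entries point at a script file is worth escalating together with the Registry entries listed under Installation.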
Other information
The worm may execute the following commands:
- explorer.exe %drive%
The worm may create the following text files:
- C:\date.bin
- %malwarefolder%\temp.txt
The worm contains a URL. It tries to download a file from that address.
The file is stored in the following location:
- %temp%\%variable%.exe
The file is then executed. The HTTP protocol is used.
A string with variable content is used instead of %variable%.