VBS/Naiad [Threat Name]

VBS/Naiad.R [Threat Variant Name]

Category: worm
Size: 6351 B
Detection created: Apr 04, 2012
Signature database version: 7026
Aliases:
  Virus.VBS.Agent.h (Kaspersky)
  VBS/Azoog.worm.virus (McAfee)
  Worm:VBS/Autorun.BS (Microsoft)
  VBS.Runauto.B (Symantec)

Short description

VBS/Naiad.R is a worm which tries to download other malware from the Internet. It is able to spread by copying itself into the root folders of available drives.

Installation

When executed, the worm copies itself to the following locations:

  • %system%\`.vbe
  • %system%\aini.ini

The worm creates the following file:

  • %system%\autorun.inf

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "explorer" = "`.vbe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = "00000000"

Spreading

VBS/Naiad.R is a worm that spreads by copying itself into the root folders of available drives.


The following filename is used:

  • %drive%\`.vbs

The worm creates the following file:

  • %drive%\autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.
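
A defender-side check for the spreading mechanism described above, as an added example (not code from the original page or from the vendor): it parses the text of an autorun.inf and reports launch directives that start a script file or a Windows script host. The sample file contents are constructed for illustration and are not the worm's actual autorun.inf; the function names are hypothetical.

```python
import ntpath
import re

# autorun.inf keys whose value is a command that Windows may launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}

# Constructed samples (assumptions, not taken from a real infection).
SAMPLE_SUSPECT = r"""[AutoRun]
open=wscript.exe "`.vbs"
shell\open\command=wscript.exe "`.vbs"
"""
SAMPLE_BENIGN = """[autorun]
icon=setup.ico
open=setup.exe /s
"""


def launch_targets(text):
    """Yield (key, command) for each launch directive in the [autorun] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            yield key.lower(), value


def script_findings(text):
    """Return launch directives that start a script file or a script host."""
    findings = []
    for key, command in launch_targets(text):
        for token in command.replace('"', " ").split():
            name = ntpath.basename(token).lower()
            if ntpath.splitext(name)[1] in SCRIPT_EXTS or name in SCRIPT_HOSTS:
                findings.append((key, command))
                break
    return findings


if __name__ == "__main__":
    print(script_findings(SAMPLE_SUSPECT))
```

A file name consisting only of a backtick, as used by this worm, is still matched because the check looks at the extension rather than the base name.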

Other information

The worm may execute the following commands:

  • explorer.exe %drive%

The worm may create the following text files:

  • C:\date.bin
  • %malwarefolder%\temp.txt

The worm contains a URL. It tries to download a file from that address.


The file is stored in the following location:

  • %temp%\%variable%.exe

The file is then executed. The HTTP protocol is used.


A string with variable content is used instead of %variable%.
