Win32/AutoRun.VB.AQE [Threat Name]

Win32/AutoRun.VB.AQE [Threat Variant Name]

Category: worm
Size: 180224 B
Detection created: Dec 02, 2011
Detection database version: 6677
Aliases: Worm.Win32.WBNA.bul (Kaspersky), Worm:Win32/Vobfus.gen!O (Microsoft)
Short description

Win32/AutoRun.VB.AQE is a worm that spreads via shared folders and removable media. The worm can download and execute a file from the Internet.

Installation

When executed, the worm copies itself into the following location:

  • %userprofile%\%variable1%.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable1%" = "%userprofile%\%variable1%.exe /%variable2%"

The following Registry entry is also set; a value of 0 makes Windows Explorer hide files that carry the System and Hidden attributes, which the worm's own copies may carry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0

A string with variable content is used in place of %variable1% and %variable2%.

Spreading

Win32/AutoRun.VB.AQE is a worm that spreads via shared folders and removable media.

The worm may create copies of itself using the following filenames:

  • %removabledrive%\Secret.exe
  • %removabledrive%\Sexy.exe
  • %removabledrive%\Porn.exe
  • %removabledrive%\Passwords.exe
  • %removabledrive%\%variable1%.exe
  • %remotedrive%\Secret.exe
  • %remotedrive%\Sexy.exe
  • %remotedrive%\Porn.exe
  • %remotedrive%\Passwords.exe
  • %remotedrive%\%variable1%.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable. Thus, the worm ensures it is started each time infected media is inserted into the computer. On systems where AutoRun is disabled for removable media, the dropped copy is not launched automatically by this file.

The worm searches for files and folders in the root folders of removable drives and copies itself into those root folders using a filename based on the name of an existing file or folder.

The worm searches for files with the following file extensions:

  • .mp3
  • .avi
  • .wma
  • .wmv
  • .wav
  • .mpg
  • .mp4
  • .doc
  • .txt
  • .pdf
  • .xls
  • .jpg
  • .jpe
  • .bmp
  • .gif
  • .tif
  • .png

When the worm finds a file or folder matching the search criteria, it creates a new copy of itself. The file name and extension of the new copy are derived from the original file or folder name, with an additional ".exe" extension appended (for example, a file named Report.doc would yield a copy named Report.doc.exe). The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.

The worm creates the following files:

  • %removabledrive%\x.mpeg (0 B)
  • %remotedrive%\x.mpeg (0 B)
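
Added example (not part of this write-up or any vendor tool): a Python triage helper that applies the behaviours described above, the Run-key shape from Installation and the autorun.inf pointer, lure names, shadow-copy naming and 0-byte marker from Spreading, to a drive-root listing and an autorun.inf. The drive letter, file names, sizes and the Run value names used as input are constructed for the example, not taken from a real sample.

```python
import re

# Constructed sample listing of a removable drive's root: (path, size in bytes, attribute letters).
# Attribute letters follow the page's convention: S = System, H = Hidden; D marks a folder.
SAMPLE_LISTING = [
    ("E:\\Holiday.jpg", 204800, ""),
    ("E:\\Holiday.jpg.exe", 180224, "SH"),  # copy named after an existing file, ".exe" appended
    ("E:\\Reports", 0, "D"),
    ("E:\\Reports.exe", 180224, "SH"),      # copy named after an existing folder
    ("E:\\Secret.exe", 180224, "SH"),       # one of the fixed lure names
    ("E:\\x.mpeg", 0, "SH"),                # 0-byte marker file
    ("E:\\autorun.inf", 60, "SH"),
    ("E:\\notes.txt", 1200, ""),
]
# Constructed autorun.inf content that points at the dropped copy.
SAMPLE_AUTORUN = "[autorun]\r\nopen=Secret.exe\r\nshellexecute=Secret.exe\r\nicon=Secret.exe\r\n"
LURE_NAMES = {"secret.exe", "sexy.exe", "porn.exe", "passwords.exe"}

def autorun_targets(text):
    """Executables an autorun.inf would launch: unique open=/shellexecute= values, in order."""
    targets = []
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key.lower() in ("open", "shellexecute") and value and value not in targets:
            targets.append(value)
    return targets

def find_indicators(listing, autorun_text=None):
    """Flag root entries that match the worm's described naming, attribute and marker behaviour."""
    names = {path.rsplit("\\", 1)[-1].lower() for path, _, _ in listing}
    hits = []
    for path, size, attrs in listing:
        name = path.rsplit("\\", 1)[-1]
        low = name.lower()
        if low in LURE_NAMES:
            hits.append((path, "fixed lure filename"))
        elif low.endswith(".exe") and low[:-4] in names and "S" in attrs and "H" in attrs:
            hits.append((path, f"hidden+system .exe shadowing existing '{name[:-4]}'"))
        elif low == "x.mpeg" and size == 0:
            hits.append((path, "0-byte x.mpeg marker"))
    for target in autorun_targets(autorun_text or ""):
        if target.lower() in names:
            hits.append((target, "launched by autorun.inf"))
    return hits

def matches_run_entry(value_name, value_data, userprofile):
    """True if a Run value has the page's shape: value <name> = "<userprofile>\\<name>.exe /<switch>"."""
    m = re.fullmatch(r'"?(?P<path>.+?\.exe)"?\s+/\S+', value_data.strip(), re.I)
    return bool(m) and m.group("path").lower() == f"{userprofile}\\{value_name}.exe".lower()
```

On a live system the listing would come from a directory walk of each removable drive root and the Run values from the HKCU key named above; the shadow-copy check needs the original file or folder still present beside its ".exe" twin.
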

Payload information

The worm searches the root folders of removable drives for files matching the following patterns:

  • %removabledrive%\*.inf
  • %removabledrive%\*.exe
  • %removabledrive%\*.scr
  • %removabledrive%\*.dll
  • %removabledrive%\*.ico

The worm then deletes the files it finds.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of three URLs. It tries to connect to the remote machines on the following port:

  • 8000 (TCP)

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The worm hooks the following Windows APIs:

  • TerminateProcess (kernel32.dll)
  • TerminateThread (kernel32.dll)
