Win32/AutoRun.VB.CH [Threat Name]

Win32/AutoRun.VB.CH [Threat Variant Name]

Category: worm
Size: 192512 B
Detection created: Mar 25, 2009
Detection database version: 3960
Aliases: Backdoor.Win32.VB.ibs (Kaspersky), Gen:Trojan.Heur.B0847B5E4E (BitDefender), WORM_VB.HRY (TrendMicro)
Short description

Win32/AutoRun.VB.CH is a worm that steals sensitive information. The worm can send the information to a remote machine. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to the following locations:

  • %system%\%random1%.exe (192512 B)
  • %windir%\inf\%random2%.exe (192512 B)
  • %windir%\%random3%.exe (192512 B)
  • %commonprogramfiles%\%random4%.exe (192512 B)
  • %windir%\system\%random5%.exe (192512 B)
  • %windir%\Config\%random6%.exe (192512 B)
  • %system%\%random7%.exe (192512 B)

%random1% through %random7% stand for strings with variable content.

The files are then executed.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "tDefault" = "%system%\%random1%.exe"
    • "Settings" = "%windir%\%random3%.exe"
    • "SystemT" = "%windir%\system\%random5%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "RSetting" = "%windir%\inf\%random2%.exe"
    • "UserTools" = "%commonprogramfiles%\%random4%.exe"
    • "CheckS" = "%windir%\config\%random6%.exe"
    • "DeviceSys" = "%system%\%random7%.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Default]
    • "001" = "%random1%"
    • "002" = "%random2%"
    • "003" = "%random3%"
    • "004" = "%random4%"
    • "005" = "%random5%"
    • "006" = "%random6%"
    • "007" = "%random7%"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    • "EnableFirewall" = 0

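
As an added defender-side example (not part of the ESET description), the Python below parses a registry export and reports the Run-key value names, the HKEY_CURRENT_USER\Software\Default marker values and the disabled StandardProfile firewall setting listed above; the .reg sample, the random file names and the benign Run entry are constructed.

```python
# Added example, not from the ESET page: flag the persistence, marker and
# firewall indicators described above in an exported .reg file (sample constructed).
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
RUN_VALUE_NAMES = {"tdefault", "settings", "systemt", "rsetting", "usertools", "checks", "devicesys"}
MARKER_KEY, MARKER_NAMES = r"hkey_current_user\software\default", {f"{i:03d}" for i in range(1, 8)}  # "001".."007"
FW_KEY = (r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
          r"\parameters\firewallpolicy\standardprofile")

def parse_reg(text):
    """Minimal .reg parser -> {key: {name: raw_value}}; lowercased, since the registry is case-insensitive."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')   # "Name"=value
            keys[current][name.lower()] = value.strip()
    return keys

def find_indicators(reg_text):
    """Return (category, detail) pairs for every indicator present in the export."""
    reg, hits = parse_reg(reg_text), []
    for key in RUN_KEYS:
        for name, value in reg.get(key, {}).items():
            if name in RUN_VALUE_NAMES:                 # value names the worm uses for persistence
                hits.append(("run_persistence", f"{name}={value}"))
    markers = MARKER_NAMES & set(reg.get(MARKER_KEY, {}))
    if markers:                                         # "001".."007" hold the random file names
        hits.append(("marker_key", ",".join(sorted(markers))))
    if reg.get(FW_KEY, {}).get("enablefirewall", "").lower() == "dword:00000000":
        hits.append(("firewall_disabled", "StandardProfile\\EnableFirewall=0"))
    return hits

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"tDefault"="C:\\Windows\\system32\\kqzvtp.exe"

[HKEY_CURRENT_USER\Software\Default]
"001"="kqzvtp"
"002"="hrtwma"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""
```

Run `find_indicators(SAMPLE_REG)` to see the three findings; the benign `SecurityHealth` entry is ignored because only the value names from the description are matched.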
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following names:

  • program.exe
  • arquivos.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Information stealing

Win32/AutoRun.VB.CH is a worm that steals sensitive information.

The following information is collected:

  • operating system version
  • Internet Explorer version
  • computer name
  • computer IP address
  • user name
  • list of disk devices and their type

The worm can send the information to a remote machine. The FTP protocol is used.

Other information

The worm contains a backdoor. It can be controlled remotely.

The worm acquires data and commands from a remote computer or the Internet. It contains a list of one FTP address.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • terminate running processes
  • run executable files
  • log keystrokes
  • obtain the list of shared network folders
  • open ports
  • connect to remote computers on a specific port

The worm creates the following files:

  • %system%\Restore\%variable%.kp_
  • %temp%\InfoCommander.txt
  • %temp%\Processos.txt

%variable% stands for a string with variable content.

The following programs are terminated:

  • 401COMUPD.EXE
  • ACTHOSP.EXE
  • Advchk.exe
  • alescan.exe
  • ALUNOTIFY.exe
  • apvxdwin.exe
  • ashAvast.exe
  • ashBug.exe
  • ashChest.exe
  • ashCmd.exe
  • ashCnsnt.exe
  • ashDisp.exe
  • ashEnhcd.exe
  • ashLogV.exe
  • ashMaiSv.exe
  • ashPopWz.exe
  • ashQuick.exe
  • ashServ.exe
  • ashSimp2.exe
  • ashSimpl.exe
  • ashSkPcc.exe
  • ashSkPck.exe
  • ashUpd.exe
  • ashWebSv.exe
  • assist.exe
  • aswChLic.exe
  • aswRegSvr.exe
  • aswRunDll.exe
  • aswUpdSv.exe
  • AUPDATE.exe
  • avciman.exe
  • AVENGINE.EXE
  • Avg.exe
  • avgam.exe
  • avgamsvr.exe
  • avgcc.exe
  • avgcfgex.exe
  • avgchk.exe
  • avgchk.exe0
  • avgcmgr.exe
  • avgcsrvx.exe
  • avgdiag.exe
  • avgdiagex.exe
  • avgdumpx.exe
  • avgemc.exe
  • avgfrw.exe
  • avginet.exe
  • avgiproxy.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgscan.exe
  • avgscanx.exe
  • avgsrmax.exe
  • avgtray.exe
  • avgui.exe
  • avgupd.exe
  • avgupdln.exe
  • avgupsvc.exe
  • avgvv.exe
  • avgw.exe
  • avgwdsvc.exe
  • backlog.exe
  • blindman.exe
  • bootwarn.exe
  • ccimscan.exe
  • cfgconv.exe
  • cfgwiz.exe
  • copyx64.exe
  • fixcfg.exe
  • fixfp.exe
  • FwAct.exe
  • Iface.exe
  • Inicio.exe
  • kpf4gui.exe
  • kpf4ss.exe
  • LUALL.exe
  • lucomserver.exe
  • LUInit.exe
  • mcagent.exe
  • mcappins.exe
  • mcdash.exe
  • Mcdetect.exe
  • mcinfo.exe
  • mcinsupd.exe
  • mcmnhdlr.exe
  • mcregwiz.exe
  • McShield.exe
  • McTskshd.exe
  • mcupdate.exe
  • mcupdmgr.exe
  • mcupdui.exe
  • McVSEscn.exe
  • mcvsftsn.exe
  • mcvsmap.exe
  • mcvsshld.exe
  • mghtml.exe
  • MpCmdRun.exe
  • MSASCui.exe
  • msconfig.exe
  • MsMpEng.exe
  • naiavfin.exe
  • navapw32.exe
  • navstub.exe
  • navw32.exe
  • navwnt.exe
  • ndd32.exe
  • NDETECT.exe
  • norton.exe
  • nprotect.exe
  • nvapsvc.exe
  • oasclnt.exe
  • obc.exe
  • passrv.exe
  • PAVCL.COM
  • pavdr.exe
  • PAVFIRES.EXE
  • PAVFNSVR.EXE
  • pavjobs.exe
  • Pavkre.exe
  • PAVPROT.EXE
  • pavsched.exe
  • PAVSCRIP.EXE
  • PAVSRV51.EXE
  • Pavw.exe
  • PFDNNT.exe
  • PLATASKS.exe
  • PPFW.exe
  • prcview.exe
  • prevsrv.exe
  • PSClean.exe
  • PsImSvc.exe
  • PtrInst.exe
  • qconsole.exe
  • regedit.exe
  • regprot.exe
  • regwdoc.exe
  • ROLSTART.EXE
  • sched.exe
  • SDISK32.EXE
  • si32.exe
  • siregist.exe
  • SNDMon.exe
  • sp.exe
  • SrvLoad.exe
  • SymantecRootInstaller.exe
  • sysdoc32.exe
  • taskmgr.exe
  • ue32.exe
  • Upgrader.exe
  • urllstck.exe
  • usrprmpt.exe
  • VisthAux.exe
  • VisthLic.exe
  • VisthUpd.exe
  • vptray.exe
  • wdscan.exe
  • WebProxy.exe
  • windoc.exe
  • wipinfnt.exe
  • wipinfse.exe
  • WIZHOSP.EXE
  • WSCLnch.exe
