Win32/AutoRun.VB.MA

Category: worm
Size: 40960 B
Detection created: Feb 24, 2010
Detection database version: 4893
Aliases:
  • Worm.Win32.AutoRun.bdqn (Kaspersky)
  • Swisyn.p.trojan (McAfee)
  • Worm:Win32/Orbina!rts (Microsoft)
  • Trojan.Gen (Symantec)

Short description

Win32/AutoRun.VB.MA is a worm that spreads via removable media.


Installation

When executed, the worm copies itself into the following location:

  • %windir%\winlogon.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "NVIDIA Media Center Library" = "%windir%\winlogon.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "NVIDIA Media Center Library" = "%windir%\winlogon.exe"

The worm quits immediately if the user name is one of the following:

  • Hanuele Baser
  • Michael Roach
  • Owner

The worm terminates its execution if it detects that it's running in a specific virtual environment.


The worm quits immediately if it is run within a debugger.


The worm quits immediately if its executable file path contains one of the following strings:

  • C:\analyzer\scan

The worm quits immediately if any of the following applications is detected:

  • Sandboxie
  • QEMU
  • VMware
  • VirtualBox

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • autorun.exe

The worm copies itself to the following location:

  • %removabledrive%\DrivesGuideInfo\S-1-7-21-1439977401-7444491467-600013330-9141\autorun.exe

The worm creates the following files:

  • %removabledrive%\autorun.inf (313 B)
  • %removabledrive%\DrivesGuideInfo\S-1-7-21-1439977401-7444491467-600013330-9141\desktop.ini (65 B)

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm creates the following files:

  • %removabledrive%\%variable%.lnk

The file is a shortcut to a malicious file.

A string with variable content is used instead of %variable%.


The name of the file may be based on the name of an existing file or folder.

Other information

Win32/AutoRun.VB.MA is a worm which tries to download other malware from the Internet.


The worm generates various URL addresses.


It tries to download several files from the addresses.


These are stored in the following locations:

  • %windows%\winhelp32.exe
  • %windows%\wlo.exe
  • %windows%\version.txt

The files are then executed. The HTTP protocol is used.
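
An added example, not part of the original description: it matches the indicators listed above against Run-key entries and file listings exported from a host or a removable drive. The function names, the tuple layout and the sample data are assumptions made for this example; the genuine winlogon.exe resides in %windir%\System32, so a copy directly in %windir% is treated as suspect.

```python
import ntpath
import re

RUN_VALUE = "nvidia media center library"   # Run value name from the description
WINDIR_DROPS = {"winlogon.exe", "winhelp32.exe", "wlo.exe", "version.txt"}

def norm(path, windir=r"C:\Windows"):
    """Strip quotes, expand %windir%/%windows%, normalise and lower-case."""
    p = path.strip().strip('"')
    p = re.sub(r"%(windir|windows)%", lambda m: windir, p, flags=re.I)
    return ntpath.normpath(p).lower()

def check_run_entries(entries, windir=r"C:\Windows"):
    """entries: (key, value_name, data) tuples exported from the two Run keys."""
    dropped = norm(windir + r"\winlogon.exe")  # the genuine file is in System32
    return [e for e in entries
            if e[1].strip().lower() == RUN_VALUE or norm(e[2], windir) == dropped]

def check_windir_files(paths, windir=r"C:\Windows"):
    """Flag the worm's copy and its downloads sitting directly in %windir%."""
    root = norm(windir)
    return [p for p in paths
            if ntpath.dirname(norm(p, windir)) == root
            and ntpath.basename(norm(p, windir)) in WINDIR_DROPS]

def check_removable(paths):
    """paths: file listing of one removable drive; returns the matching files."""
    hits, inf = [], []
    for p in paths:
        parts = ntpath.splitdrive(norm(p))[1].strip("\\").split("\\")
        if parts == ["autorun.inf"]:
            inf.append(p)
        elif parts == ["autorun.exe"]:
            hits.append(p)
        elif parts[0] == "drivesguideinfo" and parts[-1] in ("autorun.exe", "desktop.ini"):
            hits.append(p)
    # autorun.inf alone is common on clean media: report it only beside other hits
    return hits + inf if hits else []

# Constructed sample input (not captured from a real host)
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_RUN = [(HKCU_RUN, "NVIDIA Media Center Library", r"%windir%\winlogon.exe"),
              (HKCU_RUN, "Updater", r'"C:\Program Files\Vendor\updater.exe"')]
SAMPLE_DRIVE = [r"E:\autorun.inf", r"E:\autorun.exe", r"E:\Photos\trip.jpg",
    r"E:\DrivesGuideInfo\S-1-7-21-1439977401-7444491467-600013330-9141\autorun.exe"]

if __name__ == "__main__":
    print(check_run_entries(SAMPLE_RUN), check_removable(SAMPLE_DRIVE), sep="\n")
```

The %variable%.lnk shortcuts are not matched because their names vary; on a drive that produces hits, review the .lnk files in its root by hand.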
