Win32/AutoRun.VB.RT [Threat Name]

Win32/AutoRun.VB.RT [Threat Variant Name]

Category worm
Size 357797 B
Detection created Jul 28, 2010
Detection database version 5319
Aliases Trojan.Win32.Monder.dksy (Kaspersky)
  TrojanDropper:Win32/Vobfus.D (Microsoft)
  Trojan.Dropper (Symantec)
Short description

Win32/AutoRun.VB.RT is a worm that spreads via shared folders and removable media. The worm is usually a part of other malware. The file is run-time compressed using 7-Zip SFX.

Installation

When executed, the worm creates the following files:

  • %profile%\a.exe (138240 B, Win32/AutoRun.VB.RT)
  • %profile%\1x.exe (73728 B, Win32/Videspra.AE)
  • %profile%\2x.exe (121856 B, Win32/TrojanDownloader.FakeAlert.AQI)
  • %profile%\3x.exe (79872 B, Win32/Olmarik.UL)
  • %profile%\4x.exe (73728 B, Win32/Cimag.CN)
  • %profile%\%variable%.exe (138240 B, Win32/AutoRun.VB.RT)

The files are then executed.


In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "%profile%\%variable%.exe"

A string with variable content is used instead of %variable%.


The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0

Spreading

The worm may create copies of itself on removable or remote drives.


The worm creates the following files:

  • %drive%\%originalmalwarefilename%.exe (138240 B, Win32/AutoRun.VB.RT)
  • %drive%\%originalmalwarefilename%x.exe (138240 B, Win32/AutoRun.VB.RT)
  • %drive%\x.exe (138240 B, Win32/AutoRun.VB.RT)
  • %drive%\zzz.dll (10752 B, Win32/AutoRun.VB.RU)

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm creates the following files:

  • %drive%\New Folder.lnk
  • %drive%\Passwords.lnk
  • %drive%\Documents.lnk
  • %drive%\Pictures.lnk
  • %drive%\Music.lnk
  • %drive%\Video.lnk
  • %drive%\%existingfolder%.lnk

These are shortcuts to files of the worm.


The name of the file may be based on the name of an existing file or folder.


The worm creates the following files:

  • %drive%\%variable%.lnk (161 B, LNK/Exploit.CVE-2010-2568)

It exploits the CVE-2010-2568 vulnerability.


A string with variable content is used instead of %variable%.
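As an added defensive example that is not part of the ESET description, the following Python script triages the root of a removable or network drive for the file-system traces described in this section: the fixed filenames (x.exe, zzz.dll), the decoy shortcuts, a .lnk named after a folder that exists on the same drive, a name.exe/namex.exe pair, and an autorun.inf whose open= or shellexecute= key launches an executable present on that drive. The sample drive root is constructed in a temporary directory from empty placeholder files; the indicator labels are this example's own.

```python
import re
import tempfile
from pathlib import Path

# Fixed names from the write-up; the remaining indicators are matched by pattern.
FIXED_NAMES = {"x.exe", "zzz.dll"}
DECOY_LNKS = {"new folder.lnk", "passwords.lnk", "documents.lnk",
              "pictures.lnk", "music.lnk", "video.lnk"}
AUTORUN_KEY = re.compile(r'^\s*(?:open|shellexecute)\s*=\s*"?([^\s"]+)',
                         re.IGNORECASE | re.MULTILINE)

def autorun_targets(inf_path):
    """Basenames an autorun.inf would launch via its open= / shellexecute= keys."""
    text = inf_path.read_text(encoding="latin-1", errors="replace")
    return {m.replace("\\", "/").rsplit("/", 1)[-1].lower()
            for m in AUTORUN_KEY.findall(text)}

def triage_drive_root(root):
    """Return sorted (indicator, filename) pairs found directly in a drive root."""
    entries = list(Path(root).iterdir())
    names = {p.name.lower() for p in entries}
    folders = {p.name.lower() for p in entries if p.is_dir()}
    findings = set()
    for p in entries:
        n = p.name.lower()
        if n in FIXED_NAMES:
            findings.add(("known-filename", p.name))
        elif n in DECOY_LNKS:
            findings.add(("decoy-shortcut", p.name))
        elif n.endswith(".lnk") and n[:-4] in folders:
            findings.add(("folder-mimicking-shortcut", p.name))
        elif n.endswith("x.exe") and n[:-5] + ".exe" in names:
            findings.add(("exe-pair", p.name))  # name.exe beside namex.exe
        elif n == "autorun.inf":
            for target in autorun_targets(p):
                if target in names:  # points at an executable on this drive
                    findings.add(("autorun-launches-local-exe", target))
    return sorted(findings)

def build_sample_root():
    """Constructed sample: throwaway drive root with empty placeholder files."""
    root = Path(tempfile.mkdtemp())
    (root / "Holiday").mkdir()
    for name in ("Holiday.lnk", "Passwords.lnk", "photo.exe", "photox.exe",
                 "x.exe", "zzz.dll"):
        (root / name).write_bytes(b"")  # placeholders, no real content
    (root / "autorun.inf").write_text("[autorun]\nopen=x.exe\n")
    return root
```

Point `triage_drive_root` at a mounted drive root (for example `E:\`) to list the matching traces; the script only reads names and the autorun.inf text, it never executes anything on the drive.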

Other information

The worm acquires data and commands from a remote computer or the Internet.


The worm generates various URL addresses. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The worm hooks the following Windows APIs:

  • TerminateProcess (kernel32.dll)
  • TerminateThread (kernel32.dll)

It avoids processes which contain any of the following strings in their path:

  • alg.exe
  • csrss.exe
  • firefox.exe
  • lsass.exe
  • services.exe
  • smss.exe
  • spoolsv.exe
  • svchost.exe
  • winlogon.exe
  • explorer.exe
