JS/Victory [Threat Name]

JS/Victory.A [Threat Variant Name]

Category worm
Size 62559 B
Aliases Trojan.Win32.AutoRun.cmo (Kaspersky)
  RDN/Autorun.worm!bu.virus (McAfee)
  Trojan:Win32/Otran (Microsoft)

Short description

JS/Victory.A is a worm that spreads via shared folders and removable media. The file is run-time compressed using RAR SFX and UPX.

Installation

When executed, the worm creates the following files:

  • %temp%\RarSFX%variable%\autorun.inf (844 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\message.bat (2529 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\msexcel.bas (1623 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\network.bat (506 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\regedit.bat (73 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\regedit.reg (758 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\victory.sys (71190 B, JS/Victory.A)
  • %temp%\RarSFX%variable%\winword.bas (1523 B, JS/Victory.A)

The worm creates copies of the following files (source, destination):

  • %originalmalwarefilename%, %appdata%\Wicrosoft\Mindows\mplayer.exe
  • %system%\wscript.exe, %appdata%\Wicrosoft\Mindows\services.exe
  • %temp%\RarSFX%variable%\autorun.inf, %appdata%\Wicrosoft\Mindows\autorun.inf
  • %temp%\RarSFX%variable%\message.bat, %appdata%\Wicrosoft\Mindows\message.bat
  • %temp%\RarSFX%variable%\msexcel.bas, %appdata%\Wicrosoft\Mindows\msexcel.bas
  • %temp%\RarSFX%variable%\network.bat, %appdata%\Wicrosoft\Mindows\network.bat
  • %temp%\RarSFX%variable%\regedit.bat, %appdata%\Wicrosoft\Mindows\regedit.bat
  • %temp%\RarSFX%variable%\regedit.reg, %appdata%\Wicrosoft\Mindows\regedit.reg
  • %temp%\RarSFX%variable%\victory.sys, %appdata%\Wicrosoft\Mindows\victory.sys
  • %temp%\RarSFX%variable%\winword.bas, %appdata%\Wicrosoft\Mindows\winword.bas

The worm may create copies of itself using the following filenames:

  • %cdburnarea%\startup.exe

The worm creates copies of the following files (source, destination):

  • %appdata%\Wicrosoft\Mindows\mplayer.exe, %startup%\startup.exe

This causes the worm to be executed on every system start.


The worm creates the following files:

  • %appdata%\Wicrosoft\Mindows\victory.dat
  • %appdata%\Wicrosoft\Mindows\victory.win

The worm launches the following processes:

  • %appdata%\Wicrosoft\Mindows\services.exe

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "SuperHidden" = 1
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    • "(Default)" = "@SYS:DoesNotExist"
  • [HKEY_CURRENT_USER\Software\Microsoft\Office\%version%\Word\Security]
    • "Level" = 1
    • "AccessVBOM" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Office\%version%\Excel\Security]
    • "Level" = 1
    • "AccessVBOM" = 1

A string with variable content is used instead of %variable%.

Spreading

The worm may create copies of itself on removable or remote drives.


The worm may create copies of itself using the following filenames:

  • %drive%\startup.exe

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm searches for files with the following file extensions:

  • .jp
  • .mp
  • .fl
  • .xl
  • .pp
  • .md
  • .rar
  • .zip
  • .doc
  • .rtf
  • .txt
  • .wri
  • .avi

When the worm finds a file matching the search criteria, it creates a new copy of itself. The name of the new file is based on the name of the file found in the search, and the extension of the new file is ".lnk".


The worm searches for files with the following file extensions:

  • .lnk

The content of the found file is overwritten by the program code of the malware.

File infection

JS/Victory.A can infect certain file types.


The worm inserts a copy of itself into Microsoft Word and Microsoft Excel documents.


The following filename is used: %variable%.avi


The %variable% is one of the following strings:

  • sex
  • hot
  • xxx
  • clip
  • film
  • video
  • movie
  • porno
  • hardcore
  • striptease

Other information

The worm can trigger unexpected keyboard and/or mouse behavior.


The worm may display the following message:
