VBS/Butsur [Threat Name] go to Threat

VBS/Butsur.A [Threat Variant Name]

Category worm
Size 3642 B
Aliases Worm.VBS.Solow.b (Kaspersky)
  Worm:VBS/Slogod.C (Microsoft)
  VBS/Solow.A (F-Prot)
Short description

VBS/Butsur.A is a worm that spreads by copying itself into certain folders.


When executed, the worm copies itself into the following location:

  • %windir%\­MS32DLL.dll.vbs

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MS32DLL" = "%windir%\­MS32DLL.dll.vbs"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Internet Explorer\­Main]
    • "Window Title" = "Hacked by Godzilla"

The worm copies itself into the root folders of fixed and/or removable drives using the following name:

  • MS32DLL.dll.vbs

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm launches the following processes:

  • explorer.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.