VBS/Satoban [Threat Name]
VBS/Satoban.A [Threat Variant Name]
Category | worm |
Size | 716 93 |
Aliases | Win32:Agent-AQTU (Avast) |
Short description
VBS/Satoban.A is a worm that spreads via shared folders and removable media. The worm tries to download and execute several files from the Internet.
Installation
When executed, the worm creates the following folders:
- %systemdrive%\Kernel
- %systemdrive%\Kernel\lpt1
- %systemdrive%\security
- %systemdrive%\security\lpt1
- %systemroot%\system32\system
- %systemroot%\system32\system\msg
The worm copies itself to the following locations:
- %systemdrive%\Kernel\r00t3er
- %systemdrive%\security\blood.dat
The %systemdrive%\Kernel and %systemdrive%\security folders may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.
The %systemdrive%\Kernel\r00t3er file may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.
The worm creates the following files:
- %allusersprofile%\rescue.vbe (1890 B, VBS/TrojanDownloader.Psyme.NJJ)
- %systemroot%\system32\system\svchost.exe (12 B)
- %systemroot%\system32\system\msg\config.txt (426 B)
- %temp%\tmp.vbe (2178 B, VBS/Satoban.A)
- %temp%\b.bat (2086 B, VBS/Satoban.A)
- %systemdrive%\security\system.vbs (123 B, VBS/Satoban.A)
The worm may create copies of the following files (source, destination):
- %systemroot%\system32\wscript.exe, %systemdrive%\security\svchost.exe
The svchost.exe in %systemdrive%\security is therefore an unmodified copy of the Windows Script Host, not the real service host; command lines that start it from that folder are running scripts.
The worm executes the following commands:
- sc create system binPath= "%systemroot%\System32\system\svchost.exe msg" start= auto &
- net start system &
- sc description system " processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque d'etre endommagé. " &
- EXIT
The service description is French; in English it reads: "generic Windows process. If this service is stopped, the services that depend on it will not be able to start and your system may be damaged."
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
- "rescue" = "%allusersprofile%\rescue.vbe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
- "Timeout" = 0
- [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\System]
- "DisableCMD" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableRegistryTools" = 0
- "DisableTaskMgr" = 0
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\sdate]
- "sdate" = "38"
- [HKEY_CLASSES_ROOT\Applications\Notepad2.exe\Shell\Open]
- "command" = "%systemroot%\System32\Notepad.exe"
- [HKEY_CLASSES_ROOT\Applications\notepad.exe\shell\open]
- "command" = "%systemroot%\System32\Notepad.exe"
- [HKEY_CLASSES_ROOT\Batfile\Shell\Edit\Command]
- "" = "%systemroot%\System32\Notepad.exe"
- [HKEY_CLASSES_ROOT\VBEFile\Shell\Edit\Command]
- "" = "%systemroot%\System32\Notepad.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "Hidden" = 2
- "ShowSuperHidden" = 0
Hidden = 2 configures Explorer not to show hidden files, and ShowSuperHidden = 0 keeps protected operating system files hidden, so the System+Hidden files and folders dropped above stay out of sight.
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System]
- "Type" = 16
- "Start" = 2
- "ErrorControl" = 1
- "ImagePath" = "%systemroot%\System32\system\svchost.exe msg"
- "ObjectName" = "LocalSystem"
- "Description" = " processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque d'etre endommagé. "
The Description value is the same French string set by the sc description command above.
The worm may delete files stored in the following folders:
- %systemdrive%\Kernel
- %systemdrive%\security
Spreading
The worm searches for available local and removable drives. The worm may delete the following files:
- %drive%\*.vbe
- %drive%\*.lnk
- %drive%\config.dat
- %drive%\autorun.inf
- %drive%\microsoft.dat
The worm searches for the following folders:
- %drive%\*.*
The worm creates the following file:
- %drive%\%variable%.lnk
The name of the new file is based on the name of the folder found in the search.
The file is a shortcut to a malicious file.
The worm copies itself to the following location:
- %drive%\config.dat
The %drive%\config.dat file may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.
Spreading via shared folders
The worm searches for various shared folders.
The worm may delete the following files:
- %sharedfolder%\*.vbe
- %sharedfolder%\*.lnk
The worm creates the following files:
- %sharedfolder%\Mariage.lnk
The file is a shortcut to a malicious file.
The worm copies itself to the following location:
- %sharedfolder%\Update.dat
The %sharedfolder%\Update.dat file may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.
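The two propagation layouts described above (a hidden copy of the worm beside decoy shortcuts named after each folder on a drive, or a hidden Update.dat beside Mariage.lnk on a share) can be checked for directly. The following is an added example written for this page, not code from the original entry or from the malware: it inspects the top level of a drive or share, confirms that the decoy shortcuts are genuine shell links by their fixed header, reports the System/Hidden attributes where the platform exposes them, and builds constructed sample layouts in a temporary directory so it can be run offline. The sample folder names (Photos, Work) are invented test data.

```python
# Added example (not from the original page): triage check for the propagation
# layout the worm leaves on a removable drive or a shared folder.
import os
import tempfile
from pathlib import Path

# Names taken from the description above; matching is case-insensitive because
# NTFS/FAT lookups are.
REMOVABLE_DROPPER = "config.dat"   # hidden copy of the worm on local/removable drives
SHARE_DROPPER = "update.dat"       # hidden copy of the worm on shared folders
SHARE_LNK = "mariage.lnk"          # fixed decoy shortcut name used on shares

# Fixed header of a Windows shell link: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk (mixed-endian) layout.
LNK_HEADER = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HIDDEN_OR_SYSTEM = 0x2 | 0x4       # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM


def is_shell_link(path):
    """True if the file starts with a genuine .lnk header (not merely a .lnk name)."""
    with open(path, "rb") as f:
        return f.read(len(LNK_HEADER)) == LNK_HEADER


def is_hidden_system(path):
    """S/H attribute check; st_file_attributes exists only on Windows, so this
    reports False elsewhere instead of failing."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_OR_SYSTEM)


def scan_root(root):
    """Inspect the top level of a drive or share for the worm's layout.

    Returns a dict with:
      dropper        - actual name of config.dat / Update.dat if present, else None
      folder_lnks    - real .lnk files whose stem equals a sibling folder name
      share_lnk      - True if a real Mariage.lnk is present
      dropper_hidden - S/H attributes set on the dropper (Windows only)
      suspicious     - dropper present together with at least one decoy shortcut
    """
    names = os.listdir(root)
    by_lower = {n.lower(): n for n in names}
    folders = {n.lower() for n in names if os.path.isdir(os.path.join(root, n))}
    folder_lnks = sorted(
        n for n in names
        if n.lower().endswith(".lnk")
        and n[:-4].lower() in folders
        and is_shell_link(os.path.join(root, n)))
    dropper = next((by_lower[d] for d in (REMOVABLE_DROPPER, SHARE_DROPPER) if d in by_lower), None)
    share_lnk = SHARE_LNK in by_lower and is_shell_link(os.path.join(root, by_lower[SHARE_LNK]))
    return {
        "dropper": dropper,
        "folder_lnks": folder_lnks,
        "share_lnk": share_lnk,
        "dropper_hidden": bool(dropper) and is_hidden_system(os.path.join(root, dropper)),
        "suspicious": dropper is not None and (bool(folder_lnks) or share_lnk),
    }


def build_sample(kind):
    """Constructed sample layouts in a temporary directory (test data, not real
    captures): 'removable' mimics an infected drive, 'share' an infected share,
    'clean' an untouched drive with ordinary folders."""
    root = Path(tempfile.mkdtemp(prefix=f"satoban-{kind}-"))
    for folder in ("Photos", "Work"):
        (root / folder).mkdir()
    if kind == "removable":
        for folder in ("Photos", "Work"):
            (root / f"{folder}.lnk").write_bytes(LNK_HEADER + b"\0" * 32)
        (root / "config.dat").write_bytes(b"' constructed placeholder, not the worm\r\n")
    elif kind == "share":
        (root / "Mariage.lnk").write_bytes(LNK_HEADER + b"\0" * 32)
        (root / "Update.dat").write_bytes(b"' constructed placeholder, not the worm\r\n")
    return str(root)


if __name__ == "__main__":
    for kind in ("removable", "share", "clean"):
        print(kind, scan_root(build_sample(kind)))
```

Run it against a mounted drive with scan_root("E:\\") (or a share path); the dropper_hidden flag is only meaningful on Windows, where os.stat exposes the attribute bits.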
Other information
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "ConsentPromptBehaviorAdmin" = 0
- "EnableLua" = 0
ConsentPromptBehaviorAdmin = 0 makes elevation silent for administrators, and EnableLUA = 0 turns User Account Control off entirely after the next restart.
- [HKEY_CURRENT_USER\VBEFile\DefaultIcon]
- "" = "%systemroot%\system32\shell32.dll,1"
The worm may delete the following Registry entries:
- [HKEY_CLASSES_ROOT\lnkfile]
- "IsShortCut"
The worm may create the following files:
- %temp%\uac.bat (1904 B, VBS/Agent.NCF)
- %temp%\ADMIN.vbe (292 B, VBS/AutoRun.HX)
- %temp%\CPBA.bat (390 B, VBS/Satoban.A)
- %temp%\tp.vbe (175 B, VBS/AutoRun.HX)
- %temp%\tmp.bat (1108 B, VBS/Agent.NCF)
The worm may attempt to download files from the Internet. The worm contains a list of 7 URLs. The HTTP protocol is used.
The downloaded files are first stored under innocuous names and extensions in the following locations, and are renamed to executable extensions afterwards (see the file moves below):
- %systemdrive%\security\system.txt
- %temp%\booter.dat
- %systemdrive%\kernel\explorer.jpg
- %systemdrive%\kernel\update.txt
The worm moves the following files (source, destination):
- %systemdrive%\security\system.txt, %systemdrive%\security\system.vbe
- %temp%\booter.dat, %temp%\reskp.exe
- %systemdrive%\security\system.txt, %systemdrive%\security\system.bat
- %systemdrive%\security\system.txt, %systemdrive%\security\system.exe
- %systemdrive%\kernel\explorer.jpg, %systemdrive%\kernel\explorer.exe
- %systemdrive%\kernel\update.txt, %systemdrive%\kernel\Update.exe
- %systemroot%\system32\drivers\flpydisk.sys, %systemroot%\system32\drivers\flpydisk.sy_
The worm creates copies of the following files (source, destination):
- %systemdrive%\kernel\*.vbe, %temp%
- %scriptpath%, %temp%
The following files are deleted:
- %systemdrive%\*.lnk
- %systemdrive%\autorun.inf
- %temp%\%scriptfile%
The worm may execute the following commands:
- cmd /K takeown /F %systemdrive%\kernel /A /R /D O &
- CACLS %systemdrive%\Kernel /E /T /C /G %username%:F &
- takeown /F %systemdrive%\security /A /R /D O &
- CACLS %systemdrive%\security /E /T /C /G %username%:F &
- takeown /F "%allusersprofile%\" /A /R /D O &
- takeown /a /f %systemroot%\System32\wscript.exe &
- ICACLS %systemroot%\System32\wscript.exe /Grant %username%:F &
- takeown /F "%systemroot%\system32\drivers" /A /R /D O &
- takeown /a /f %systemroot%\System32\drivers\flpydisk.sys &
- ICACLS %systemroot%\System32\drivers\flpydisk.sys /Grant %username%:F &
- takeown /F "%systemdrive%\system Volume Information" /A /R /D O &
- CACLS "%systemdrive%\system Volume Information" /E /T /C /G %username%:F &
- EXIT
- sc config TermService start= auto > nul
- svchost.exe /e:VBScript.Encode %systemdrive%\security\blood.dat
- cmd /K vssadmin delete shadows /all /quiet & cd/d "%systemdrive%\system volume Information" &
- del/f/s/q/a "%systemdrive%\system volume Information\*.*" &
- EXIT
- cmd /K md %systemroot%\system32\system &
- md %systemroot%\system32\system\msg &
- EXIT
- cmd /u /K ( @echo DisplayName=msg&@echo Description=Description&
- @echo ServiceType=272&
- echo WaitActive=0&
- @echo StartType=2&
- @echo ErrorControl=1&
- @echo Source=%systemdrive%\security\system.vbs&
- @echo ResetPeriod=0&
- @echo RebootMsg=&
- @echo Command=&
- @echo nActions=0&
- @ echo Actions=&
- @echo StartAtTime=OneTime) > %systemroot%\system32\system\msg\config.txt &
- EXIT
- cmd /K cd/d %systemroot%\system32\drivers &
- ren flpydisk.sys flpydisk.sy_ &
- del/f/q/s %systemdrive%\security\system.bat &
- del/f/q/s %systemdrive%\security\system.exe &
- del/f/q/s %systemdrive%\kernel\explorer.exe &
- del/f/q/s %systemdrive%\kernel\update.exe &
- del/f/q/s ""%temp%\reskp.exe"" &
- rd/q/s %systemdrive%\system32 &
- rd/q/s %systemdrive%\system &
- EXIT
- cmd /K del/f/q/A "%systemdrive%\security\*.dat" &
- xcopy /C /H /Y /R "%drive%\config.dat" "%systemdrive%\security" &
- attrib -s -h "%systemdrive%\security\*.*" &
- ren "%systemdrive%\security\*.*" blood.dat &
- EXIT
- cmd /K del/f/q/A "%systemdrive%\kernel\*.dat" &
- xcopy /C /H /Y /R "%drive%\config.dat" "%systemdrive%\kernel" &
- attrib -s -h "%systemdrive%\kernel\*.*" &
- ren "%systemdrive%\kernel\*.*" r00t3r &
- attrib +s +h "%systemdrive%\kernel\*.*" &
- EXIT
- cmd /K cd/d "%systemdrive%\security" &
- copy /b /y blood.dat + &
- EXIT
The worm removes system restore points: vssadmin delete shadows /all /quiet deletes the Volume Shadow Copies and the del command empties System Volume Information. Two further details of the commands above are worth noting. The svchost.exe run with /e:VBScript.Encode is the copy of wscript.exe placed in %systemdrive%\security, so that command executes blood.dat (the worm's own copy) as encoded VBScript. The /D O argument to takeown answers the tool's confirmation prompt with O (oui), which, together with the French service description, suggests the script was written for French-language Windows; on an English-language system the expected answer would be Y.
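The command lines listed in the Installation section and above share a few traits that a process-creation feed (Sysmon Event ID 1 or equivalent) can catch without any signature for the worm itself: a service registered with a system-binary name outside System32, a script host renamed to svchost.exe, the /e:VBScript.Encode engine switch passed to something other than wscript/cscript, shadow-copy deletion, and takeown/cacls aimed at System32 or System Volume Information. The following is an added example written for this page, not code from the original entry: five such rules run over constructed Sysmon-style records that reproduce the documented command lines (with %systemroot% and %systemdrive% expanded to C:\Windows and C:) plus two benign controls. The record layout, the VendorAgent service and the user name alice are invented for the sample.

```python
# Added example (not from the original page): detection rules for the command
# lines documented above, run over constructed process-creation events.
import ntpath
import re

# Constructed Sysmon Event ID 1-style records. The first five reproduce the
# worm's documented command lines with %systemroot%/%systemdrive% expanded;
# the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create system binPath= "C:\Windows\System32\system\svchost.exe msg" start= auto'},
    {"Image": r"C:\security\svchost.exe",
     "CommandLine": r"svchost.exe /e:VBScript.Encode C:\security\blood.dat"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r"takeown /a /f C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\cacls.exe",
     "CommandLine": r'CACLS "C:\system Volume Information" /E /T /C /G alice:F'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe" start= auto'},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries that only ever run from the system directories on a healthy host.
SYSTEM_ONLY_NAMES = {"svchost.exe", "wscript.exe", "cscript.exe", "explorer.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations no routine administration script takes ownership of.
PROTECTED_PATH_RE = re.compile(r"\\windows\\system32\\|\\system volume information", re.I)
SC_CREATE_RE = re.compile(r'\bsc(?:\.exe)?\s+create\s+\S+\s+binpath=\s*("[^"]+"|\S+)', re.I)


def _split(path):
    """(directory, basename) of a Windows path, lower-cased; ntpath works on any OS."""
    p = path.strip().strip('"').lower()
    return ntpath.dirname(p), ntpath.basename(p)


def rule_service_masquerade(ev):
    """sc create whose binPath executable carries a system-binary name but lives
    outside System32/SysWOW64. The worm's System32\\system\\svchost.exe sits in a
    sub-folder, not System32 itself, so an exact directory match is required."""
    m = SC_CREATE_RE.search(ev["CommandLine"])
    if not m:
        return False
    exe = m.group(1).strip('"').split(" ")[0]     # first token is the executable
    d, b = _split(exe)
    return b in SYSTEM_ONLY_NAMES and d not in SYSTEM_DIRS


def rule_image_masquerade(ev):
    """A system-binary name running from a non-system directory: here the copy
    of wscript.exe dropped as %systemdrive%\\security\\svchost.exe."""
    d, b = _split(ev["Image"])
    return b in SYSTEM_ONLY_NAMES and d not in SYSTEM_DIRS


def rule_encoded_script_host(ev):
    """An /e:VBScript.Encode argument names the encoded-VBScript engine for the
    Windows Script Host; anything other than the genuine hosts carrying it is a
    renamed wscript/cscript."""
    _, b = _split(ev["Image"])
    return "/e:vbscript.encode" in ev["CommandLine"].lower() and b not in SCRIPT_HOSTS


def rule_shadow_copy_deletion(ev):
    """vssadmin delete shadows, the restore-point removal seen above."""
    return re.search(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", ev["CommandLine"], re.I) is not None


def rule_ownership_grab_on_protected_path(ev):
    """takeown/icacls/cacls aimed at System32 or System Volume Information."""
    cl = ev["CommandLine"]
    return (re.search(r"\b(?:takeown|icacls|cacls)(?:\.exe)?\s", cl, re.I) is not None
            and PROTECTED_PATH_RE.search(cl) is not None)


RULES = (rule_service_masquerade, rule_image_masquerade, rule_encoded_script_host,
         rule_shadow_copy_deletion, rule_ownership_grab_on_protected_path)


def scan(events):
    """Return [(rule_name, command_line)] for every rule that fires on each event."""
    return [(rule.__name__, ev["CommandLine"]) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, cl in scan(SAMPLE_EVENTS):
        print(f"{name:40} {cl}")
```

The renamed script host fires two rules at once (image masquerade and the engine switch), which is the pairing to look for when hunting for this family; the service rule deliberately compares the binary's directory for equality with System32 rather than a prefix, because the worm hides its service binary one level below it.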
It contains the following strings:
- '========================================================================================='
- '
- ' C0d3 N4me : S4T4n
- ' Cr34t0r : R4PTOR
- ' Created for personal use , modifications or others are not authorized
- ' For more informations, looking 4 me { - CNG4L on Race }
- '
- '========================================================================================='