Remove VBS.Runauto.F

Posted on: May 21st, 2009


Discovered: May 19, 2009

Updated: May 19, 2009 6:32:42 PM

Type: Worm

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Recommended Action:
In order to remove VBS.Runauto.F, you need to download the ‘No Adware’ remover software. Based on our testing, this was the best-performing remover of VBS.Runauto.F.


Technical Details:

Once executed, the worm copies itself as the following files:

* %System%\winjpg.jpg
* %SystemDrive%\winfile.jpg

The worm also creates the following file so that it executes whenever %SystemDrive% is accessed:
%SystemDrive%\autorun.inf

It then drops a back door component as the following file:
%System%\winxp.exe

The worm creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"CTFMON" = "%System%\wscript.exe /E:vbs %System%\winjpg.jpg"

The worm creates the following registry entries, so that the back door runs
once Windows has been restarted:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"regdiit" = "%System%\winxp.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"abu salem" = "43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 77 00 69 00 6E 00 78 00 70 00 2E 00 65 00 78 00 65 00"

The worm then modifies the following registry entries, so that the worm runs
instead of the requested applications:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe\"Debugger" = "%System%\winxp.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe\"Debugger" = "%System%\wscript.exe /E:vbs %System%\winjpg.jpg"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\"Debugger" = "\winxp.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\"Debugger" = "%System%\wscript.exe /E:vbs %System%\winjpg.jpg"

It also modifies the following registry entries to lower security settings:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\"Enabled" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "1"
* HKEY_USERS\S-1-5-21-1110976373-127614085-1323839693-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDriveTypeAutoRun" = "0"

The worm also spreads by copying itself to all removable drives as the following
file:
%DriveLetter%\winfile.jpg

The worm also creates the following file on all removable drives so that it executes
whenever the drive is accessed:
%DriveLetter%\autorun.inf
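
The registry changes listed above can be checked mechanically. The following Python is an added example, not part of the original write-up or of any vendor tool: it audits a constructed registry snapshot for Image File Execution Options "Debugger" hijacks, Run values that force the VBScript engine onto a non-script file, hex-encoded Run data, and two of the weakened settings. The tuple format, the rule names and the benign "ExampleApp" entry are assumptions made for illustration.

```python
import re

IFEO = r"\image file execution options"
RUN = r"\currentversion\run"
WEAKENED = {("antivirusoverride", "1"), ("nodrivetypeautorun", "0")}  # two of the settings above
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}\s+)+[0-9A-Fa-f]{2}")
WSCRIPT = re.compile(r"wscript\.exe\s+/e:vbs\s+(\S+)", re.I)

def decode_hex_utf16(data):
    """Decode 'NN NN ...' byte text (like the "abu salem" value) as UTF-16LE."""
    if HEX_RUN.fullmatch(data.strip()):
        return bytes.fromhex(data).decode("utf-16-le", errors="replace")
    return data

def audit(entries):
    """entries: (key, value name, data) tuples; returns (rule, key, name, decoded)."""
    findings = []
    for key, name, data in entries:
        k, n, text = key.lower(), name.lower(), decode_hex_utf16(data)
        if IFEO in k and n == "debugger":
            rule = "ifeo-debugger"        # launched instead of the requested image
        elif k.endswith(RUN) and (m := WSCRIPT.search(text)) and not (
                m.group(1).lower().endswith((".vbs", ".vbe"))):
            rule = "script-as-image"      # VBScript engine forced onto a non-script file
        elif k.endswith(RUN) and text != data:
            rule = "hex-encoded-run"      # path hidden as raw UTF-16LE bytes
        elif (n, data) in WEAKENED:
            rule = "weakened-setting"
        else:
            continue
        findings.append((rule, key, name, text))
    return findings

HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"
SAMPLE = [  # constructed snapshot: values from this page plus one benign entry
    (HKLM + r"\Windows\CurrentVersion\Run", "CTFMON",
     r"%System%\wscript.exe /E:vbs %System%\winjpg.jpg"),
    (HKLM + r"\Windows\CurrentVersion\Run", "abu salem",
     "43 00 3A 00 5C 00 57 00 49 00 4E 00 44 00 4F 00 57 00 53 00 5C 00 73 00 "
     "79 00 73 00 74 00 65 00 6D 00 33 00 32 00 5C 00 77 00 69 00 6E 00 78 00 "
     "70 00 2E 00 65 00 78 00 65 00"),
    (HKLM + r"\Windows\CurrentVersion\Run", "ExampleApp", r"C:\Example\app.exe"),
    (HKLM + r"\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe",
     "Debugger", r"%System%\wscript.exe /E:vbs %System%\winjpg.jpg"),
    (HKLM + r"\Security Center", "AntiVirusOverride", "1"),
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A "Debugger" value is also set by some legitimate tools, so treat that finding as a lead to review rather than proof of infection.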

Action Steps:
FREE SCAN: NoAdware can Remove VBS.Runauto.F. Click the link below for your free download & scan your PC now.
