Double clicking a mapped drive in Windows Explorer launches "information.vbs" script worm identified as VBS.Runauto
Posted on 2008-10-29
One user running Windows XP SP3 with Symantec Antivirus Corporate Edition reported numerous detections and quarantines of the worm virus identified as VBS.Runauto. I have scanned all workstations and server drives and removed multiple instances.
The user who has local admin priviliges on the PC, when double clicking a mapped network drive, would get no response, then seconds later Symantec would report VBS.Runauto. The offending file is "information.vbs" and was then detected in the users home directory and on the local PC.
I then changed the users PC priviliges to "User" and this appears to prevent the propogation of the worm.
When the user now double clicks the mapped network drive a pop up appears called "Windows Script Host" and reports "Cannot find script file C:\windows.....etc\information.vbs"
What is causing this mapped drive to be hijacked? and how do I stop it?