Solved

Double clicking a mapped drive in Windows Explorer launches "information.vbs" script worm identified as VBS.Runauto

Posted on 2008-10-29
Last Modified: 2013-12-09
One user running Windows XP SP3 with Symantec Antivirus Corporate Edition reported numerous detections and quarantines of the worm identified as VBS.Runauto. I have scanned all workstations and server drives and removed multiple instances.

The user, who has local admin privileges on the PC, would get no response when double-clicking a mapped network drive; then, seconds later, Symantec would report VBS.Runauto. The offending file is "information.vbs" and was then detected in the user's home directory and on the local PC.

I then changed the user's PC privileges to "User" and this appears to prevent the propagation of the worm.

When the user now double-clicks the mapped network drive, a pop-up appears called "Windows Script Host" and reports "Cannot find script file C:\windows.....etc\information.vbs"

What is causing this mapped drive to be hijacked, and how do I stop it?

Ed
Question by:Ed_B
6 Comments
 
LVL 1

Expert Comment

by:Blademonkey
ID: 22837425
I found this on da googletubes:

"Description:
VBS.Runauto is a malicious Visual Basic script that spreads by copying itself into the root folder of the compromised computer and removable media.
 
Technical Name: W32/VBS.RunAuto
 
Threat Level: Low
 
Type: Worm
 
Systems Affected: Windows All


VBS.Runauto removal procedure requires technical know-how on  computer troubleshooting. It is better to consult your LAN Administrator or Technical Persons to avoid additional damage on your computer if modifications on Services and Registry have to be done.
 
HOW TO REMOVE VBS.Runauto :
1. Temporarily Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot computer in SafeMode
4. Run a full system scan and clean/delete all infected files
5. Delete any values added to the registry.
Navigate to and delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\"autorun" = "autorun.exe"

Navigate to and restore registry entries to their original values, if necessary:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "userinit.exe,autorun.bat"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"
 
6. Exit registry editor and restart the computer.
7. In order to make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner."

Source: http://www.precisesecurity.com/computer-virus/vbsra-mar0713.htm

I cut and pasted the text because there's a lot of ads. Follow the steps and see if that helps.
0
 

Author Comment

by:Ed_B
ID: 22837507
Thanks for that. I had seen the worm description on the Symantec web; however, the registry entries aren't appearing as described.

My question relates to the hijacking of the mapped drive icons in Windows Explorer, which attempt to launch a .vbs file.

Ed
0
 
LVL 1

Accepted Solution

by:
Blademonkey earned 2000 total points
ID: 22837537
Perhaps there's an autorun.inf or autorun.ini on that mapped drive/volume. It may be hidden (by attribute or by Windows Explorer hiding system files).
0

 
LVL 1

Expert Comment

by:Blademonkey
ID: 22837555
More specifically, I think your "nodrivetypeautorun" setting is set to recognize autorun files on mapped network shares.

This is how this was enabled. I hope this answers your question.

http://articles.techrepublic.com.com/5100-22_11-5108199.html

0
 

Author Comment

by:Ed_B
ID: 22837814
Further examination has found that some shared drives have two files called information.vbs and autorun.inf

Autorun.inf contents shown below:

forgiveme
[autorun]
open=wscript.exe information.vbs
shell\open\Command=wscript.exe information.vbs
shell\find\Command=wscript.exe information.vbs
shell\open\default=1

Our virus scanner will detect and quarantine the files, however they keep reappearing.
How do I stop this?
0
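The autorun.inf posted above and the "nodrivetypeautorun" setting from the earlier comment can be checked together. This is an added example, not part of the original thread: a Python sketch that parses an autorun.inf found on a share, flags launch keys that start a script host, and tests whether a NoDriveTypeAutoRun value suppresses autorun on mapped network drives. The function names and the script-host list are assumptions chosen for illustration.

```python
# Interpreters an autorun.inf on a file share has no reason to launch (assumed list).
SCRIPT_HOSTS = ("wscript", "cscript", "cmd", "mshta", "powershell")
# NoDriveTypeAutoRun bit for DRIVE_REMOTE (mapped network drives); 0xFF sets every bit.
NETWORK_DRIVE_BIT = 0x10


def parse_autorun(text):
    """Return {key: value} for the [autorun] section only."""
    # The file in this thread has a filler line ("forgiveme") before the
    # section header, which strict INI parsers reject, so parse by hand.
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_entries(entries):
    """List (key, value) pairs whose launch command starts a script host."""
    hits = []
    for key, value in entries.items():
        is_launcher = key in ("open", "shellexecute") or key.endswith("\\command")
        program = (value.split() or [""])[0].strip('"').lower().rsplit("\\", 1)[-1]
        program = program[:-4] if program.endswith(".exe") else program
        if is_launcher and program in SCRIPT_HOSTS:
            hits.append((key, value))
    return hits


def network_autorun_disabled(no_drive_type_autorun):
    """True if the policy value suppresses autorun.inf on mapped network drives."""
    return bool(no_drive_type_autorun & NETWORK_DRIVE_BIT)


# The autorun.inf contents quoted in this thread.
SAMPLE = r"""forgiveme
[autorun]
open=wscript.exe information.vbs
shell\open\Command=wscript.exe information.vbs
shell\find\Command=wscript.exe information.vbs
shell\open\default=1
"""

if __name__ == "__main__":
    for key, value in suspicious_entries(parse_autorun(SAMPLE)):
        print(f"suspicious: {key} -> {value}")
```

The NoDriveTypeAutoRun value is read from the Policies\Explorer key under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE (Software\Microsoft\Windows\CurrentVersion).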
 

Author Closing Comment

by:Ed_B
ID: 31511502
Thanks Blademonkey. The autorun.inf file was the start of the problem. After investigating this further I now understand what was happening.
Many thanks,
Ed
0


Question has a verified solution.
