VBS/Pica [Threat Name] go to Threat

VBS/Pica.NAA [Threat Variant Name]

Category virus
Aliases Worm.VBS.Sasan.d (Kaspersky)
  Worm:VBS/Slows.A (Microsoft)
  VBS/Autorun.worm.k (McAfee)
  VBS.Solow (Symantec)
Short description

VBS/Pica.NAA is a virus that spreads by copying itself into certain folders.

Installation

The virus copies itself to the following locations:

  • %windir%\­.MS32DLL.dll.vbs
  • %windir%\­boot.ini

In order to be executed on every system start, the virus sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MS32DLL" = "%windir%\­.MS32DLL.dll.vbs"
    • "winboot" = "wscript.exe /E:vbs %windir%\­boot.ini"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows Scripting Host\­Settings]
    • "Timeout" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer]
    • "NoDriveTypeAutoRun" = 0
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­Advanced]
    • "SuperHidden" = 1
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1
    • "Hidden" = 1
Spreading

The virus copies itself into the root folders of fixed and/or removable drives using the following name:

  • .MS32DLL.dll.vbs

The following file is dropped in the same folder:

  • autorun.inf

The AUTORUN.INF file contains the path to the malware executable.


Thus, the virus ensures it is started each time infected media is inserted into the computer.

Please enable Javascript to ensure correct displaying of this content and refresh this page.