W32/VBSAuto-A

Category:	Viruses and Spyware	Protection available since:	02 Sep 2009 23:19:26 (GMT)
Type:	Win32 worm	Last Updated:	02 Sep 2009 23:19:26 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/VBSAuto-A is a worm for the Windows platform.

When the W32/VBSAuto-A is run, the following files are created:

<System>\regedit.sys
<Windows>\<randomname>.exe
<Root>\pagefiles.sys
<Root>\autorun.inf

The following registry entries are created to run regedit.sys and win.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
svchost
<Windows>\<randomname>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regdiit
<Windows>\<randomname>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CTFMON
<System>\wscript.exe /E:vbs <System>\regedit.sys

W32/VBSAuto-A disables security software by setting <WINDOWS>\<randomname>.exe as the Debugger for many program names. These entries have the form

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<path to security software>
Debugger
<Windows>\<randomname>.exe

W32/VBSAuto-A also disables the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
Start
0x00000004

Try Sophos products for free
Download now

W32/VBSAuto-A

Free Mac Anti-Virus

Popular topics