VBS/Autorun-AYI

Category: Viruses and Spyware
Protection available since: 27 Jan 2010 10:13:01 (GMT)
Type: Visual Basic Script worm
Last Updated: 27 Jan 2010 10:13:01 (GMT)
Prevalence: Small Number of Reports


VBS/Autorun-AYI is a worm that spreads via USB keys using autorun.inf.

When VBS/Autorun-AYI is installed, the following files are created:

<System>\hivie.vbe
<Windows>\antivirus.vbe

The following registry entry is created to run antivirus.vbe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System
<Windows>\antivirus.vbe

The following registry entry is changed to run hivie.vbe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\wscript.exe <System>\hivie.vbe

VBS/Autorun-AYI changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entries are set, disabling system software:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0x00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0x00000001

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
0x00000001

Registry entries are created under:

HKCU\Software\Microsoft\Windows Script Host
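
The files and registry values listed above can be checked on a host with a read-only PowerShell script. This is an added example, not part of the original description; it assumes <Windows> is %SystemRoot% and <System> is %SystemRoot%\System32, and Get-RegValue is a helper defined here.

```powershell
# Added example: read-only check for the VBS/Autorun-AYI indicators listed on this page.
# Assumption: <Windows> = $env:SystemRoot, <System> = $env:SystemRoot\System32.
$win = $env:SystemRoot
$sys = Join-Path $win 'System32'
$findings = @()

# Dropped files named in the description
$files = @((Join-Path $sys 'hivie.vbe'), (Join-Path $win 'antivirus.vbe'))
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Helper (defined for this example): return a registry value,
# or nothing when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Run key: value "System" pointing at antivirus.vbe
$run = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'System'
if ($run -like '*antivirus.vbe*') { $findings += "Run\System = $run" }

# Winlogon Userinit: the worm appends a wscript.exe call for hivie.vbe
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
if ($userinit -like '*hivie.vbe*') { $findings += "Winlogon\Userinit = $userinit" }

# Policy values the description lists as set to 0x00000001
$polRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policies = @(
    @{ Path = "$polRoot\System";   Name = 'DisableTaskMgr' },
    @{ Path = "$polRoot\System";   Name = 'DisableRegistryTools' },
    @{ Path = "$polRoot\Explorer"; Name = 'NoFolderOptions' }
)
foreach ($p in $policies) {
    if ((Get-RegValue $p.Path $p.Name) -eq 1) {
        $findings += "$($p.Name) = 1 under $($p.Path)"
    }
}

if ($findings.Count -eq 0) { 'No VBS/Autorun-AYI indicators found.' }
else { $findings }
```

The HKCU values are per-user, so the script reports only on the hive of the account it runs under.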