The malicious VBScript application copies itself as thumbs.db

Jan 19, 2009 08:59 GMT

Sophos warns that a new worm written in Visual Basic Script (VBS) masquerades as the widely known Windows Thumbnail Database, thumbs.db. By creating hundreds of copies of itself under this file name and others, the worm ensures its resiliency against removal attempts, researchers explain.

The worm, known as VBS/AutoRun-UC (Sophos alias), spreads to remote computers through removable media devices, where it copies itself. In order to infect other systems, the malicious application also creates an autorun.inf file to be executed by Windows AutoRun, a feature which is enabled by default on most systems.

The worm's behavior on the local system is particularly interesting. “It used a method of ensuring its persistence on the infected system that I had not come across before,” James Wyke, malware analyst for SophosLabs UK, writes, while referring to the fake thumbs.db files dropped onto the computer.

Thumbs.db files are created by Windows in folders containing graphic files and are used for caching the thumbnails of those files when Windows Explorer is set to display folder thumbnails. The VBS worm also creates copies of itself under the name database.mdb, another name that should not necessarily raise suspicion, as it suggests a default Microsoft Access database file.

In addition, rogue .lnk files are dropped in each subdirectory of a folder, using the naming pattern [subdirectory].lnk; their purpose is to run the malware if clicked. This increases “the likelihood of the Worm being executed again,” Mr. Wyke explains.

The worm adds a startup registry entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” named “Explorer,” with the value wscript.exe //e:VBScript “<currentdirectory>\database.mdb”. Wscript.exe is a legitimate file, known as the Windows Script Host, which allows the execution of various types of scripts. The //e:VBScript switch tells the Windows Script Host to use the VBScript engine to parse the database.mdb file.
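The three traits described above (decoy files named thumbs.db and database.mdb, [subdirectory].lnk files, and a Run-key command that forces the VBScript engine onto a non-script extension) can each be checked mechanically. The following is an added detection example, not code from the article or from Sophos; it assumes that a genuine Thumbs.db begins with the OLE compound-storage header and a genuine Access .mdb with the Jet header, and it takes the registry value as a string so it runs on any platform, so reading HKCU is left to the caller:

```python
import os
import re
import tempfile

# Headers of the genuine formats the decoy names imitate (assumption: a file carrying one of
# these names but a different header is not what it claims to be).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"      # real Thumbs.db: OLE compound storage
JET_MAGIC = b"\x00\x01\x00\x00Standard Jet DB"      # real Access .mdb: Jet database header
DECOY_NAMES = {"thumbs.db": OLE_MAGIC, "database.mdb": JET_MAGIC}
# Matches the Run-key command shape from the article: wscript.exe //e:VBScript "<dir>\database.mdb"
RUN_VALUE_RE = re.compile(r'(?i)\b[wc]script\.exe\b.*?//e:(\w+)\s+"?([^"]+?)"?\s*$')

def suspicious_run_value(value: str):
    """Flag a Run-key command that forces the VBScript engine on a file without a script extension."""
    m = RUN_VALUE_RE.search(value)
    if not m:
        return None
    engine, target = m.groups()
    ext = os.path.splitext(target)[1].lower()
    bad = engine.lower() == "vbscript" and ext not in (".vbs", ".vbe")
    return f"engine override {engine} on '{ext}' file: {target}" if bad else None

def scan_tree(root: str):
    """Return (decoy-named files with the wrong header, [subdirectory].lnk files) under root."""
    fakes, links = [], []
    for dirpath, dirs, files in os.walk(root):
        lower = {f.lower() for f in files}
        links += [os.path.join(dirpath, d + ".lnk") for d in dirs if (d + ".lnk").lower() in lower]
        for name in files:
            magic = DECOY_NAMES.get(name.lower())
            if magic is None:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(magic))
            if not head.startswith(magic):
                fakes.append(path)
    return fakes, links

def demo():
    """Constructed sample tree: a genuine Thumbs.db, a text file posing as one, a [subdir].lnk decoy."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "Photos"))
        with open(os.path.join(root, "Photos", "Thumbs.db"), "wb") as fh:
            fh.write(OLE_MAGIC + b"\x00" * 8)                      # genuine thumbnail cache header
        with open(os.path.join(root, "Thumbs.db"), "wb") as fh:
            fh.write(b"' constructed stand-in for script text\r\n")  # plain text, not OLE storage
        open(os.path.join(root, "Photos.lnk"), "wb").close()        # [subdirectory].lnk decoy
        fakes, links = scan_tree(root)
    return len(fakes), len(links), suspicious_run_value(r'wscript.exe //e:VBScript "E:\database.mdb"')
```

On a live system the same checks apply to each value under the Run key and to every removable drive root; a Thumbs.db that is readable text rather than OLE storage is the signal the article describes.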

People who do not need the AutoRun feature in Windows should disable it, as spreading via removable drives is a propagation technique employed by many of today's threats. The U.S. Army was recently forced to ban the use of such devices on its networks in order to contain a widespread infection. Meanwhile, system and network admins around the world are currently battling the Conficker.B worm, which has infected an estimated 9 million systems. Removable media is also one of its propagation methods.

In addition to disabling the AutoRun feature, users should be vigilant and only execute files that they are familiar with. “If you don’t know what it is, don’t click it,” James Wyke stresses.