Sophos Detected a New Worm Written in Visual Basic Script
Security company Sophos has cautioned users about a new computer worm written in Visual Basic Script (VBS). Security researchers added that the worm disguises itself as the well-known Windows Thumbnail Database, or thumbs.db, and creates several copies of itself under this file name and others to escape removal procedures.
The worm, called VBS/AutoRun-UC, spreads to remote systems via removable media devices such as USB drives, onto which it copies itself. To infect other systems, the malicious application also creates an autorun.inf file to be executed by Windows AutoRun, a feature enabled by default on many systems.
Further, the worm's behavior on the local system is very interesting. James Wyke, malware analyst for SophosLabs, UK, said that it used a technique for ensuring its persistence on the infected system that he had never encountered before, as reported by Softpedia on January 19, 2008.
Security experts at Sophos further explained that the thumbs.db file is created by Windows in folders that contain graphic files. It caches the thumbnails of those files when Windows Explorer displays folder thumbnails. The worm litters the file system with thumbs.db copies of itself (sometimes it uses database.db, another innocuous filename), so that it looks like a normal and usual system file.
James Wyke explains that, to increase the chances that the worm runs again and again, it works through every subdirectory in folders like "My Pictures" and "My Music", and an .lnk file named like "My Pictures.lnk" runs the harmful application when clicked.
Researchers recommended that users disable the AutoRun feature in Windows to avoid falling victim to this worm. The reason is simple: this worm uses removable drives to propagate, a route that has led to the emergence of many threats.
Moreover, in addition to disabling the AutoRun feature in Windows, users should be cautious and only open known files. Wyke suggests not clicking on anything unknown.
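A defensive check based on the behaviour described above, added here as an example and not Sophos code: it lists the launch directives in a drive's root autorun.inf and flags any thumbs.db that does not begin with the OLE2 compound-file signature a genuine Windows thumbnail cache has. The function names, the constructed sample layout and `placeholder.cmd` are assumptions made for the illustration.

```python
import os

# First 8 bytes of an OLE2 compound file, the format of a genuine thumbs.db.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# autorun.inf keys that make AutoRun start a program.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\")


def autorun_commands(path):
    """Return (key, value) launch directives from an autorun.inf file."""
    found = []
    with open(path, encoding="latin-1") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip().lower().startswith(LAUNCH_KEYS):
                found.append((key.strip(), value.strip()))
    return found


def scan_drive(root):
    """Walk a mounted drive; return sorted (relative path, reason) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            if name.lower() == "autorun.inf" and folder == root:
                for key, value in autorun_commands(path):
                    findings.append((rel, f"AutoRun launches {key}={value}"))
            elif name.lower() == "thumbs.db":
                with open(path, "rb") as fh:
                    if fh.read(len(OLE_MAGIC)) != OLE_MAGIC:
                        findings.append((rel, "thumbs.db is not an OLE file"))
    return sorted(findings)


def build_sample(root):
    """Constructed sample drive: a genuine-looking and a fake thumbs.db."""
    os.makedirs(os.path.join(root, "pics"))
    with open(os.path.join(root, "thumbs.db"), "wb") as fh:
        fh.write(OLE_MAGIC + b"\x00" * 8)
    with open(os.path.join(root, "pics", "thumbs.db"), "wb") as fh:
        fh.write(b"' constructed placeholder text\r\n")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=placeholder.cmd\n")
```

Calling `build_sample()` on an empty directory and then `scan_drive()` on it reports the autorun.inf directive and the text file posing as `pics/thumbs.db`, while the file that starts with the OLE signature is left alone.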
» SPAMfighter News - 30-01-2009