VBS.Igidak
Aliases: Generic component, Trojan.BAT.Autorun.A, Trojan.VBS.Autorun.I, VBS/Aurun.A, VBS/Generic, VBS/Small.K, VBS_AUTORUN.A, Virus.Win32.Small.k
Virus type: Worm, written in Visual Basic Script
Affected OS: Win95/98/Me/2000/XP
Filesize: 1 368
Packed by: -
Technical description
When launched it creates the following files in the Windows system directory:
AUTORUN.FCB
Autorun.ico
Autorun.~ex
autorun.txt
autorun.inf_被屏蔽木马
autorun.inf
autorun.reg
Autorun.ini
autorun.bat
autorun.vbs
autorun.wsh
autorun.bin
autorun.srm
Autorun.exe
autorun.inf_被屏蔽木马, autorun.inf, autorun.bat and autorun.vbs are the files that pose the actual threat. They have been added to the Dr.Web virus database as VBS.Igidak.
The file autorun.reg modifies Windows registry keys: it disables the display of hidden files in Windows Explorer and adds the worm to the autorun list so that it is launched at Windows start-up.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="userinit.exe,autorun.bat"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden"=dword:00000000
The worm copies itself to all drives (including external and network drives) available on an infected machine.
System recovery information
1. Download a free curing Dr.Web CureIt! utility from an uninfected machine.
2. Disconnect the infected computer(s) from the local area network or from the Internet.
3. Enable the display of hidden and system files in any file manager.
4. Use Dr.Web CureIt! to scan all drives and apply the "Cure" option to all detected objects. Be sure to scan all external drives for VBS.Igidak as well.
5. Add the following keys to the registry to restore it.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Userinit"="userinit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden"=dword:00000001
On server versions of Windows you may also need to check the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
"ValueName"="ShowSuperHidden"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden
@=""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
"ShowSuperHidden"=dword:00000001
HKEY_USERS\S-1-5-21-1718174493-3167834097-4179402766-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"ShowSuperHidden"=dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{41a44c3f-ccb0-11db-a16f-00112f178ee0}\Shell\open\Command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39f78d75-f271-11db-835a-00112f178ee0}\Shell\open\Command
6. Delete the following files manually:
AUTORUN.FCB
Autorun.ico
Autorun.~ex
autorun.txt
autorun.reg
Autorun.ini
autorun.wsh
autorun.bin
autorun.srm
Autorun.exe
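The following read-only PowerShell audit is an added example, not part of the Dr.Web advisory or of CureIt!: it checks a host for the two registry changes and the dropped file names listed above and enumerates the per-drive MountPoints2 open handlers, so an administrator can confirm an infection or verify that the cleanup in steps 4 to 6 took effect. The list of drive roots and the system32 path are assumptions about where the worm drops its copies.

```powershell
# Added example: audit a host for VBS.Igidak indicators. Reports only, changes nothing.
$findings = @()

# 1. Winlogon Userinit: the worm appends autorun.bat; a clean value is "userinit.exe," (trailing comma is normal)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -match 'autorun\.bat') {
    $findings += "Userinit tampered: $userinit"
}

# 2. ShowSuperHidden = 0 hides protected operating-system files in Explorer
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $advanced -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0) {
    $findings += 'ShowSuperHidden is 0 under HKCU (hidden system files suppressed)'
}

# 3. Dropped file names from the advisory, checked on every drive root and in system32
#    (locations are an assumption; the worm copies itself to all available drives)
$names = 'AUTORUN.FCB','Autorun.ico','Autorun.~ex','autorun.txt','autorun.inf','autorun.reg',
         'Autorun.ini','autorun.bat','autorun.vbs','autorun.wsh','autorun.bin','autorun.srm','Autorun.exe'
$roots = @((Get-PSDrive -PSProvider FileSystem).Root) + (Join-Path $env:SystemRoot 'system32')
foreach ($root in $roots) {
    foreach ($n in $names) {
        $p = Join-Path $root $n
        if (Test-Path -LiteralPath $p) {      # Test-Path sees hidden/system files too
            $findings += "Artefact present: $p"
        }
    }
}

# 4. Per-device "open" handlers under MountPoints2 (the advisory lists two GUID keys; enumerate them all)
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like '*\Shell\open\Command' } |
    ForEach-Object {
        $cmd = $_.GetValue('')               # default value holds the command line
        if ($cmd) { $findings += "MountPoints2 open handler: $($_.Name) -> $cmd" }
    }

if ($findings.Count -eq 0) { 'No VBS.Igidak indicators found.' } else { $findings }
```

Run it from an elevated prompt after step 3 and again after step 6; any remaining line in the output points at a value or file that still needs to be restored or deleted by hand.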