Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

VBS/Butsur.A

Aliases:Worm.VBS.Solow.b (Kaspersky), Worm:VBS/Slogod.C (Microsoft), VBS/Solow.A (F-Prot) 
Type of infiltration:Worm  
Size:3642 B 
Affected platforms:Microsoft Windows 
Signature database version:5111 (20100513) 

Short description

VBS/Butsur.A is a worm that spreads by copying itself into certain folders.

Installation

When executed, the worm copies itself into the following location:
  • %windir%MS32DLL.dll.vbs
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
    Run]
    "MS32DLL" = "%windir%MS32DLL.dll.vbs"
The following Registry entries are created:
  • [HKEY_CURRENT_USERSoftwareMicrosoftInternet Explorer
    Main]
    "Window Title" = "Hacked by Godzilla"

Spreading

The worm copies itself into the root folders of fixed and/or removable drives using the following filename:
  • MS32DLL.dll.vbs
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm launches the following processes:
  • explorer.exe