VBS/Butsur.A is a worm that spreads by copying itself into certain folders.
When executed, the worm copies itself into the following location:
In order to be executed on every system start, the worm sets the following Registry entry:
"MS32DLL" = "%windir%\MS32DLL.dll.vbs"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
"Window Title" = "Hacked by Godzilla"
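
The two registry values described above can be hunted for in an exported `.reg` file without knowing the full key paths. The following is an added example, not part of the original description: the function name, the placeholder key names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Indicators from the description above: value name (lowercased) -> check on its data.
INDICATORS = {
    "ms32dll": lambda d: d.lower().endswith("ms32dll.dll.vbs"),
    "window title": lambda d: d == "Hacked by Godzilla",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" string values; backslash and double quote are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def scan_reg_export(text):
    """Return (key, value name, data) for each string value matching an indicator."""
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember the key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # header, blank line, or a non-string value
        name, data = unescape(m.group(1)), unescape(m.group(2))
        check = INDICATORS.get(name.lower())  # value names are case-insensitive
        if check and check(data):
            hits.append((key, name, data))
    return hits


# Constructed sample export. The key names are placeholders, not the worm's real keys.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_PLACEHOLDER\AutostartKey]
"MS32DLL"="C:\\WINDOWS\\MS32DLL.dll.vbs"
"SomeUpdater"="C:\\Program Files\\Updater\\up.exe"

[HKEY_PLACEHOLDER\BrowserSettings]
"Window Title"="Hacked by Godzilla"
"Start Page"="about:blank"
'''

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE):
        print(f"{key}: {name} = {data}")
```

Matching on the value name together with its data keeps a legitimately customised "Window Title" from being reported.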
The worm copies itself into the root folders of fixed and/or removable drives using the following filename:
The following file is dropped in the same folder:
Thus, the worm ensures it is started each time infected media is inserted into the computer.
The worm launches the following processes: