Threat behavior
Worm:VBS/Autorun.AL is a worm that spreads via removable and fixed drives.
Installation
When executed, Worm:VBS/Autorun.AL copies itself to <system folder>\SecureGuard.vbs and modifies the following registry entry to execute this copy at each system reboot:
Sets value: "Userinit"
With data: "<system folder>\userinit.exe, <system folder>\wscript.exe <system folder>\SecureGuard.vbs"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 for Windows 2000 and NT, and C:\Windows\System32 for XP and Vista.
Spreads Via…
Removable and Fixed Drives
Worm:VBS/Autorun.AL copies itself as ProtectFile.vbs to the root of all accessible drives apart from the A: drive. It then writes an autorun configuration file named 'autorun.inf' pointing to ProtectFile.vbs. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
If this particular instance of the script is running from the System directory, the drive infection mechanism runs in a loop, with a 10-second sleep after every iteration.
If this instance of the script isn't being run from the System directory, the malware invokes the "Eject" verb on all drives that are mapped as network shares.
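The following detection sketch is an added example, not part of the original analysis. It audits a collected Userinit value for entries other than userinit.exe and lists what an autorun.inf would launch, matching against the two file names given above. The function names, the sample values and the autorun.inf contents are constructed assumptions, since the description does not reproduce the worm's actual autorun.inf.

```python
import ntpath
import re

# File names taken from the description above; compared case-insensitively.
WORM_FILES = {"secureguard.vbs", "protectfile.vbs"}

def audit_userinit(data, system_folder=r"C:\Windows\System32"):
    """Return Userinit entries other than the expected userinit.exe path."""
    expected = ntpath.normcase(ntpath.join(system_folder, "userinit.exe"))
    # Userinit holds a comma-separated list of programs run at logon.
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if ntpath.normcase(e.strip('"')) != expected]

# autorun.inf keys that launch a program: open, shellexecute, shell\<verb>\command
_LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_launch_targets(inf_text):
    """Return the command strings an autorun.inf [autorun] section would launch."""
    targets, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if _LAUNCH_KEY.match(key):
                targets.append(value)
    return targets

def references_worm_file(command):
    """True if any whitespace-separated token of the command names a listed file."""
    return any(ntpath.basename(tok.strip('"')).lower() in WORM_FILES
               for tok in command.split())

# Constructed sample data (not captured from an infected machine).
SAMPLE_USERINIT = (r"C:\Windows\System32\userinit.exe, "
                   r"C:\Windows\System32\wscript.exe C:\Windows\System32\SecureGuard.vbs")
SAMPLE_INF = ("[autorun]\nopen=wscript.exe ProtectFile.vbs\n"
              "shell\\open\\command=wscript.exe ProtectFile.vbs\n")

if __name__ == "__main__":
    for entry in audit_userinit(SAMPLE_USERINIT):
        print("unexpected Userinit entry:", entry,
              "| listed worm file:", references_worm_file(entry))
    for cmd in autorun_launch_targets(SAMPLE_INF):
        print("autorun.inf launches:", cmd,
              "| listed worm file:", references_worm_file(cmd))
```

Any extra Userinit entry is worth investigating even when it does not match the listed file names, because the value normally contains only userinit.exe.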
Analysis by Dan Kurc
Prevention