VBS/Ritart.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 01/14/2008
Length: 12,027 bytes
Minimum DAT: 5206 (01/14/2008)
Updated DAT: 5208 (01/15/2008)
Minimum Engine: 5.1.00
Description Added: 01/14/2008
Description Modified: 01/14/2008 2:52 AM (PT)
Risk Assessment:
    Corporate User: Low
    Home User: Low

Characteristics

VBS/Ritart.worm is a worm written in the Visual Basic Scripting (VBScript) language that tries to obfuscate its malicious strings using a basic cipher algorithm.

When run, it drops the following files:

  • C:\AutoRun.inf (Generic!atr)
  • C:\My data.bat (VBS/Ritart.worm!bat)
  • C:\My data.vbs (VBS/Ritart.worm)
  • C:\New File.vbs (VBS/Ritart.worm)

It then searches for files with the following extensions, associated with Microsoft Office and other applications, and creates copies of itself using the existing filenames:

  • *.doc
  • *.docx
  • *.xls
  • *.xlsx
  • *.ppt
  • *.pptx
  • *.vbs
  • *.gif
  • *.bmp
  • *.jpg

In addition to spoofing existing documents, it modifies registry entries so that editing a *.vbs file results in the user being logged off, the .vbs extension is hidden, and .vbs files display the "Microsoft Word Document" description and icon, as below:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\FriendlyTypeName: "Microsoft Word Document"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\NeverShowExt: ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon\: "C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0050048383C9}\wordicon.exe,1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\: "logoff.exe"

In the diagram below, all files displaying the Microsoft Word Document icon are spoofed VBS/Ritart.worm script files:

It also drops an Autorun.inf file and copies of itself under the following filename(s) in shared folders and on removable media:

  • Girls.vbs
  • History.vbs
  • System.vbs
  • Tartule.vbs
  • Secret.vbs
  • Money.vbs
  • Readme.vbs
  • New File.vbs
  • My data.vbs

It makes the following registry modifications to prevent specific system tools from running (an Image File Execution Options "Debugger" value causes Windows to launch the named program, here Notepad.exe, in place of the tool):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger: "Notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\: "logoff.exe"

It also removes existing program startup values from the following registry key, which must be restored to their original configuration:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

... and adds the following registry value to hook system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tartule: "%UserProfile%\Favorites\Tartule.lnk" (VBS/Ritart.worm!lnk)

(Where %UserProfile% is the Windows user profile folder, e.g. "C:\Documents and Settings\<USERNAME>")

The worm disables other administrative tools by setting the following registry value(s):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD
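As an added example (not part of the McAfee description), the following Python parses a `reg export` text file and flags the registry changes listed above: IFEO Debugger redirections, the VBSFile class masquerade and the Explorer/System policy lockouts. The sample export is constructed; the key and value names are those given in this description.

```python
# Key prefixes taken from the description above; matched case-insensitively.
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
VBSFILE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile"
POLICIES = {"DisableTaskMgr", "DisableRegedit", "DisableCMD", "NoRun", "NoFind", "NoFolderOptions", "NoFileAssociate"}

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg text; '@' is stored as '(Default)'."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = (s.strip() for s in line.split("=", 1))
            if data.startswith('"'):  # REG_SZ: quoted, backslashes doubled
                data = data[1:-1].replace("\\\\", "\\")  # dword:/hex: data is kept as exported
            current["(Default)" if name == "@" else name.strip('"')] = data
    return keys

def audit(keys):
    """Flag the IFEO hijacks, VBSFile masquerade and policy lockouts described above."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.startswith(IFEO.lower()) and "Debugger" in values:
            exe = path.rsplit("\\", 1)[-1]  # the tool whose launch is redirected
            findings.append(f"IFEO hijack: {exe} -> {values['Debugger']}")
        elif low.startswith(VBSFILE.lower()):
            if values.get("FriendlyTypeName", "").lower().startswith("microsoft word"):
                findings.append("VBSFile masquerades as Microsoft Word Document")
            if "NeverShowExt" in values:
                findings.append("VBSFile extension hidden (NeverShowExt)")
            if low.endswith(r"\shell\edit\command") and "logoff" in values.get("(Default)", "").lower():
                findings.append("VBSFile Edit verb runs logoff.exe")
        elif "\\policies\\" in low:
            findings += [f"Policy lockout: {n}={values[n]}" for n in sorted(values.keys() & POLICIES)]
    return findings

# Constructed sample export, not a capture from an infected host. Real exports are
# UTF-16 LE: audit(parse_reg(open("export.reg", encoding="utf-16").read())).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="Notepad.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile]
"FriendlyTypeName"="Microsoft Word Document"
"NeverShowExt"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command]
@="logoff.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit"=dword:00000001
"""
```

Running `audit(parse_reg(SAMPLE_REG))` returns five findings; a clean export of the same keys returns an empty list, so the output doubles as a restoration checklist once the DAT-based clean has run.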

Symptoms

  • Presence of the registry keys, values and files listed above.
  • Presence of duplicated document filenames.
  • When running certain system tools, Notepad.exe opens instead of the expected tool.
  • When running certain programs, the user is logged off instead of the program opening.
  • Programs that usually start at system boot are not started.

Method of Infection

This worm can spread over shared folders and removable media.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This detection covers a worm written in the VBScript language that can spread over shared folders and removable media.