VBS.Invadesys.B
What is VBS.Invadesys.B?
VBS.Invadesys.B is a .VBS worm that spreads by creating a copy of itself on all fixed, mapped and removable drives connected to the infected computer. It uses the Alternate Data Stream (ADS) feature of the NTFS file system to hide its code inside the legitimate explorer.exe and smss.exe executable files, so the host files look unchanged in a normal directory listing.
| Field | Value |
| --- | --- |
| Type | Worm |
| Sub-Type | Downloader |
| Aliases | |
| OS Affected | Windows |
| Detected By | Symantec |
What are the Symptoms of VBS.Invadesys.B Infection?
It will add the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current Version\Windows\"Ver" = "[WINDOWS VERSION]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\Current Version\Windows\"Date" = "[DATE OF INFECTION]"
It will modify the following registry entries so that opening any of these file types, Internet Explorer, or My Computer first launches the worm's script through WScript.exe:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chmfile\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command\"Default" = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] %1 %* "
- HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command\ = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] OMC "
- HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command\ = "%SystemRoot%\System32\WScript.exe %Windir%\[explorer.exe:.vbs OR .vbs] EMC "
The threat places its malicious code in the following files (as an alternate data stream attached to these legitimate executables, as described above):
- %Windir%\explorer.exe
- %System%\smss.exe
How to Remove VBS.Invadesys.B Manually
1. Restart your computer in Safe Mode
- After powering on the computer, just before Windows starts, press F8
- From the boot options, select Safe Mode
2. Remove the registry entries that the threat added and revert the entries it modified. You MUST BACK UP YOUR REGISTRY FIRST.
- Click Start > Run
- Type regedit in the field and press Enter
- Navigate to the registry entries listed above; delete the added entries and restore the modified ones to their original values
3. Delete the malicious files that the threat added. Note that %Windir%\explorer.exe and %System%\smss.exe are legitimate Windows components; the worm's code lives in an alternate data stream attached to them (explorer.exe:.vbs), so remove the stream or restore a clean copy of the executable rather than simply deleting the host file.
- Based on the locations given above, browse to and delete the file
- If no location is given, click Start > Search and search for the files
- If a file cannot be deleted, press Ctrl+Alt+Del to open Task Manager and check whether it is running as a process. If it is, select the process, click End Process, and delete the file again
4. Scan the computer with an antivirus program
- Update the antivirus program
- Scan the computer and delete all detected threats
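The following read-only triage script is an added example, not part of the original writeup and not Symantec's tooling. It checks the host for the three groups of indicators listed under the symptoms section (the HKCU infection markers, the file-type handlers redirected through WScript.exe, and alternate data streams on explorer.exe and smss.exe) and is also a useful final check after the manual removal steps above. It assumes PowerShell 3.0 or later on an NTFS system volume and an elevated prompt so that the HKLM and HKCR keys are readable; the registry paths are copied from the writeup (including the space in "Current Version" as the writeup gives it), and the host file list is an assumption based on the %Windir% and %System% locations above.

```powershell
# Added triage script (not from the original writeup). It only reads the
# registry and file system and reports findings; it changes nothing.

# File-type and shell handlers the writeup says are redirected through WScript.exe.
$hijackedHandlers = @(
    'HKLM:\SOFTWARE\Classes\txtfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\inifile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\inffile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\batfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\cmdfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\hlpfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\regfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\chmfile\shell\open\command',
    'HKLM:\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\explore\command'
)

# HKCU key where the worm records the Windows version and infection date
# (key path copied from the writeup, including the space in "Current Version").
$markerKey = 'HKCU:\Software\Microsoft\Windows NT\Current Version\Windows'

# Legitimate executables the worm uses as ADS hosts (assumed locations:
# %Windir%\explorer.exe and %System%\smss.exe from the writeup).
$adsHosts = @("$env:windir\explorer.exe", "$env:windir\System32\smss.exe")

function Test-HandlerHijack {
    param([string]$KeyPath)
    # Read the (Default) value of the open/explore command; a missing key is not a finding.
    $default = (Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue).'(default)'
    if (-not $default) { return }
    # None of these handlers launch the Windows Script Host on a clean system.
    if ($default -match '(?i)wscript\.exe') {
        [pscustomobject]@{ Indicator = 'HandlerHijack'; Location = $KeyPath; Detail = $default }
    }
}

function Get-InfectionMarker {
    # Report the "Ver" and "Date" values only if they actually exist under the key.
    $props = Get-ItemProperty -LiteralPath $markerKey -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($name in 'Ver', 'Date') {
        if ($props.PSObject.Properties[$name]) {
            [pscustomobject]@{ Indicator = 'InfectionMarker'; Location = "$markerKey\$name"; Detail = $props.$name }
        }
    }
}

function Find-AlternateStream {
    param([string]$HostFile)
    if (-not (Test-Path -LiteralPath $HostFile)) { return }
    # Every NTFS file has the unnamed ':$DATA' stream; any other stream is an ADS
    # and, on these two system binaries, is unexpected.
    Get-Item -LiteralPath $HostFile -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Indicator = 'AlternateDataStream'
                Location  = "$HostFile`:$($_.Stream)"
                Detail    = "$($_.Length) bytes"
            }
        }
}

# Collect everything in one array subexpression so functions that emit nothing
# contribute no entries.
$findings = @(
    $hijackedHandlers | ForEach-Object { Test-HandlerHijack -KeyPath $_ }
    Get-InfectionMarker
    $adsHosts | ForEach-Object { Find-AlternateStream -HostFile $_ }
)

if ($findings.Count -eq 0) {
    'No VBS.Invadesys.B indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it before and after the manual steps; an empty result after cleanup confirms that the handler keys no longer reference WScript.exe and that the two host executables carry only their unnamed data stream. If the script reports a stream such as explorer.exe:.vbs, `Remove-Item -LiteralPath "$env:windir\explorer.exe" -Stream '.vbs'` removes that stream without deleting the legitimate executable, which is preferable to deleting explorer.exe itself as step 3 notes.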