Thumbing a Lift

I was analysing a cheeky little Visual Basic Script Worm the other day, and noticed that it used a method of ensuring its persistence on the infected system that I had not come across before.

VBS/AutoRun-UC copies itself using the filename Thumb.db, clearly designed to fool the unwary into believing it is the commonly found and harmless file Thumbs.db that Windows uses to cache thumbnails of pictures when using Explorer.

The Worm litters the filesystem with these Thumb.db copies of itself (sometimes using database.db, another seemingly innocuous filename), adding to the illusion that this is a perfectly normal system file that has every right to be on the system.

To increase the likelihood of the Worm being executed again, for each subdirectory in a folder e.g. “My Music” and “My Pictures” in “My Documents”, a .lnk file is created, e.g .”My Pictures.lnk”, that when double clicked will run the Worm.

An autorun.inf file and accompanying Thumb.db are also dropped to any removable drives unlucky enough to be attached to the system, enabling Thumb.db files to thumb themselves a free lift onto new systems far away.

Fortunately, preventing this kind of infection in the first place is just as easy: If you don’t know what it is, don’t click it.