Virus: Worm/VB.DW
Date discovered: 16/02/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 210.432 Bytes
MD5 checksum: b420a430d733a3a1d8b27e71f78590e1
VDF version: 6.33.01.01

General

Method of propagation:
   • Peer to Peer


Aliases:
   •  Kaspersky: P2P-Worm.Win32.VB.dw
   •  Bitdefender: Trojan.Dropper.G


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops a malicious file
   • Registry modification


Right after execution the following information is displayed:





   %internet resource used by malware%:
   
   • www.torrentz.com
   • www.download.com
   • www.mininova.com

Files

It copies itself to the following locations:
   • %PROGRAM FILES%\outlook\outlook.exe
   • %PROGRAM FILES%\outlook\v.tmp



It copies itself within an archive to the following location:
   • %PROGRAM FILES%\outlook\p.zip



It overwrites the following files:
   • %SYSDIR%\netstat.exe
   • %SYSDIR%\ping.exe
   • %SYSDIR%\tracert.exe
   • %SYSDIR%\tasklist.exe
   • %SYSDIR%\taskkill.exe
   • %SYSDIR%\regedit.exe
   • %SYSDIR%\cmd.exe



The following files are created:

– Non malicious file:
   • %SYSDIR%\bszip.dll

– %system drive root%\onoes.exe
   This file is executed after it has been fully created. Further investigation showed that this file is also malware. Detected as: Worm/RBot.174080




It tries to execute the following files:

– Filenames:
   • %PROGRAM FILES%\LimeWire\LimeWire.exe
   • %PROGRAM FILES%\Morpheus\morpheus.exe
   • %PROGRAM FILES%\Morpheus Ultra\morpheus.exe
   • %PROGRAM FILES%\BearShare\BearShare.exe
   • %PROGRAM FILES%\Shareaza\Shareaza.exe

Registry

The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • outlook = %PROGRAM FILES%\outlook\outlook.exe /auto

P2P

In order to infect other systems in the Peer to Peer network community, the following action is performed:


It searches for the following directories:
   • %BearShare's shared folder%
   • %LimeWire's shared folder%
   • %Morpheus' shared folder%
   • %Morpheus Ultra's shared folder%
   • %Shareaza's shared folder%

   If successful, the following files are created:
   • %BearShare's shared folder%\Shared\%gathered from the internet%.zip
   • %LimeWire's shared folder%\Shared\%gathered from the internet%.zip
   • %Morpheus' shared folder%\Shared\%gathered from the internet%.zip
   • %Morpheus Ultra's shared folder%\Shared\%gathered from the internet%.zip
   • %Shareaza's shared folder%\Shared\%gathered from the internet%.zip

   The archive contains a copy of the malware inside.

File details

Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to make detection more difficult and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Gherman on Wednesday, April 12, 2006
Description updated by Andrei Gherman on Wednesday, April 12, 2006
