Virus: Worm/VB.DW
Date discovered: 16/02/2006
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Medium
Damage potential: Medium
Static file: Yes
File size: 210,432 bytes
MD5 checksum: b420a430d733a3a1d8b27e71f78590e1
VDF version: 6.33.01.01

General

Method of propagation:
• Peer to Peer

Aliases:
• Kaspersky: P2P-Worm.Win32.VB.dw
• Bitdefender: Trojan.Dropper.G

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops a file
• Drops a malicious file
• Registry modification

Internet resources used by the malware:
• www.torrentz.com
• www.download.com
• www.mininova.com

Files

It copies itself to the following locations:
• %PROGRAM FILES%\outlook\outlook.exe
• %PROGRAM FILES%\outlook\v.tmp

It copies itself within an archive to the following location:
• %PROGRAM FILES%\outlook\p.zip

It overwrites the following files:
– %SYSDIR%\netstat.exe
– %SYSDIR%\ping.exe
– %SYSDIR%\tracert.exe
– %SYSDIR%\tasklist.exe
– %SYSDIR%\taskkill.exe
– %SYSDIR%\regedit.exe
– %SYSDIR%\cmd.exe
Because cmd.exe, tasklist.exe, taskkill.exe and regedit.exe are among the overwritten files, the infected host's own command-line tools cannot be trusted during triage or clean-up; use a known-clean toolset or examine the disk offline.

The following files are created:
– Non-malicious file:
  • %SYSDIR%\bszip.dll
– %system drive root%\onoes.exe
  This file is executed as soon as it has been fully written. Further analysis showed that it is malware as well, detected as Worm/RBot.174080.

It tries to execute the following files:
– Filenames:
  • %PROGRAM FILES%\LimeWire\LimeWire.exe
  • %PROGRAM FILES%\Morpheus\morpheus.exe
  • %PROGRAM FILES%\Morpheus Ultra\morpheus.exe
  • %PROGRAM FILES%\BearShare\BearShare.exe
  • %PROGRAM FILES%\Shareaza\Shareaza.exe

Registry

The following registry value is added so that the process is started again after a reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • outlook = %PROGRAM FILES%\outlook\outlook.exe /auto

P2P

To infect other systems in the peer-to-peer network, it performs the following actions:
– It searches for the following directories:
  • %BearShare's shared folder%
  • %LimeWire's shared folder%
  • %Morpheus' shared folder%
  • %Morpheus Ultra's shared folder%
  • %Shareaza's shared folder%
– If successful, the following files are created:
  • %BearShare's shared folder%\Shared\%gathered from the internet%.zip
  • %LimeWire's shared folder%\Shared\%gathered from the internet%.zip
  • %Morpheus' shared folder%\Shared\%gathered from the internet%.zip
  • %Morpheus Ultra's shared folder%\Shared\%gathered from the internet%.zip
  • %Shareaza's shared folder%\Shared\%gathered from the internet%.zip
Each archive contains a copy of the malware, under a file name gathered from the internet (presumably from the torrent and download sites listed under General) so that it passes as a genuine download to other peers.

File details

Programming language: The malware was written in Visual Basic.

Runtime packer: To hinder detection and reduce the file size, it is packed with the following runtime packer:
• UPX
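The indicators above (dropped files, the Run value, the overwritten system tools and the archives planted in P2P shared folders) can be checked on a suspect host with the following PowerShell triage script. It is an added example, not part of the Avira description or any vendor tool. The paths, the Run value name and the MD5 are taken from the description; the function and variable names are the author's, and the "Shared" sub-folder under each P2P client's Program Files directory is an assumption (the real shared-folder locations come from each client's settings). Because the worm overwrites cmd.exe, tasklist.exe, taskkill.exe, regedit.exe, netstat.exe, ping.exe and tracert.exe, the script deliberately shells out to none of them and relies only on PowerShell cmdlets and the registry provider.

```powershell
# Added triage example for Worm/VB.DW; not from the Avira description or any vendor tool.
# Paths, the Run value name and the MD5 come from the description. Function/variable
# names are the author's; the "Shared" sub-folder under each P2P client's install
# directory is an assumption. Run from an elevated PowerShell on the suspect host.

function Invoke-VbDwTriage {
    $knownMd5    = 'b420a430d733a3a1d8b27e71f78590e1'   # MD5 of the analysed sample
    $dropDir     = Join-Path $env:ProgramFiles 'outlook'
    $sysDir      = [Environment]::SystemDirectory
    $runKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $overwritten = 'netstat.exe','ping.exe','tracert.exe','tasklist.exe','taskkill.exe','regedit.exe','cmd.exe'
    $p2pClients  = 'LimeWire','Morpheus','Morpheus Ultra','BearShare','Shareaza'
    $findings    = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$kind, [string]$detail, [string]$note) {
        $findings.Add([pscustomobject]@{ Indicator = $kind; Detail = $detail; Note = $note })
    }

    # 1. Dropped copies under %PROGRAM FILES%\outlook and the secondary dropper
    #    (Worm/RBot.174080) in the system-drive root.
    $dropped  = @('outlook.exe','v.tmp','p.zip') | ForEach-Object { Join-Path $dropDir $_ }
    $dropped += "$env:SystemDrive\onoes.exe"
    foreach ($f in $dropped) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash.ToLower()
            $note = if ($md5 -eq $knownMd5) { 'hash matches the analysed Worm/VB.DW sample' }
                    else { "md5 $md5 (variant or unrelated file; submit for analysis)" }
            Add-Finding 'DroppedFile' $f $note
        }
    }

    # 2. Persistence: Run value "outlook" -> %PROGRAM FILES%\outlook\outlook.exe /auto
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['outlook']) {
        Add-Finding 'RunKey' "$runKey\outlook = $($run.outlook)" 'delete after terminating outlook.exe'
    }

    # 3. Overwritten system tools. Two checks: Authenticode status (catalog-signed
    #    binaries can report NotSigned on old PowerShell, so treat that as "compare
    #    with a clean copy of the same build", not as proof), and identical content
    #    across tools that can never legitimately be the same file.
    $hashes = @{}
    foreach ($b in $overwritten) {
        $p = Join-Path $sysDir $b
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $h = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
        $hashes[$b] = $h
        if ($h -eq $knownMd5) {
            Add-Finding 'OverwrittenTool' $p 'content is the Worm/VB.DW sample'
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        if ($sig.Status -ne 'Valid') {
            Add-Finding 'OverwrittenTool' $p "signature status $($sig.Status); compare with a clean copy of the same build"
        }
    }
    $dupes = $hashes.GetEnumerator() | Group-Object -Property Value | Where-Object { $_.Count -gt 1 }
    foreach ($g in $dupes) {
        Add-Finding 'OverwrittenTool' ($g.Group.Key -join ', ') "identical content (md5 $($g.Name)); these tools are never the same file"
    }

    # 4. Archives planted for other peers. Client install paths are from the description;
    #    the Shared sub-folder under them is an assumption, so also inspect the shared
    #    folder configured in each client.
    foreach ($c in $p2pClients) {
        $shared = Join-Path (Join-Path $env:ProgramFiles $c) 'Shared'
        if (Test-Path -LiteralPath $shared -PathType Container) {
            Get-ChildItem -LiteralPath $shared -Filter *.zip -File | ForEach-Object {
                Add-Finding 'P2PArchive' $_.FullName 'zip in a shared folder; the worm plants copies of itself here under download-like names'
            }
        }
    }
    return $findings
}

Invoke-VbDwTriage | Format-Table -AutoSize
```

A finding in any of the four groups is enough to take the host off the network; the hash comparison against the overwritten tools is the quickest way to tell whether they still need replacing from installation media after the dropped files and the Run value are removed.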
Description inserted by Andrei Gherman on Wednesday, April 12, 2006 Description updated by Andrei Gherman on Wednesday, April 12, 2006