Virus: Worm/VB.AT.1
Date discovered: 03/08/2005
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low
Static file: Yes
File size: 12.288 Bytes
MD5 checksum: 85add335b75d9a6c44019f5ffdbf2b9a
VDF version: 6.31.01.54

General

Method of propagation:
• Mapped network drives

Aliases:
• Symantec: W32.Cabreck
• Mcafee: W32/CableNet.worm
• Kaspersky: Worm.Win32.VB.at
• TrendMicro: WORM_CABRECK.A
• Sophos: W32/Cablenet-A
• Grisoft: Worm/VB.DR
• VirusBuster: Worm.Cablenet.A
• Eset: Win32/VB.NCN
• Bitdefender: Win32.Cablenet.A

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Registry modification

Files

A section is added to a file.
– To: %WINDIR%\win.ini
With the following contents:
• [CopyRight]
  Author= Gabe
  Name= Cable
  Origin= India
  Type= Netwreck Worm
  Credicts= [Cable] By Gabe (Gabe Roq's Inc.)
  Warning= Amazing things will happen, you just wait...
  Note= Your Death is comming...Anticipation afterall is everything!
  SignNote= Because Death is only the beginning...
  Quote= For those who believe no explanation is necessary, for those who don't nothing will suffice.

The following file is created:
– %WINDIR%\Cable.ini
This is a non malicious text file with the following content:
• [CopyRight]
  Author= Gabe
  Name= Cable
  Origin= India
  Type= Netwreck Worm
  Credicts= [Cable] By Gabe (Gabe Roq's Inc.)
  Warning= Amazing things will happen, you just wait...
  Note= Your Death is comming...Anticipation afterall is everything!
  SignNote= Because Death is only the beginning...
  Quote= For those who believe no explanation is necessary, for those who don't nothing will suffice.

Registry

The following registry key is added in order to run the process after reboot:
– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
• "run"="Cable.exe"

P2P

In order to infect other systems in the Peer to Peer network community the following action is performed:
– It searches for the following directories:
• %system drive root%
• c:\windows

It searches for all shared directories.
If successful, the following files are created:
• Cable.exe
• FileCryptor.exe
• Microsoft SP4.exe
• Acrobat Reader.exe
• Setup.exe
• NAI Mcafee.exe
• Norton AV.exe
• PGP Free.exe
• Password recovery.exe
• KazzaP2P.exe
• Download accelerator.exe
• Linux Source.exe
• Winzip.exe
• Lotus app.exe
• Netscape.exe
• Money Manger.exe
• Paypal.exe
• FixMydoom.exe
• BillSux.exe
• MorpheusP2P.exe
• E_donkey.exe
• Calvin and Hobbes.exe

These files are copies of the malware itself.

The shared directory might look like the following:

File details

Programming language:
The malware program was written in Visual Basic.

Runtime packer:
To hinder detection and reduce the size of the file, it is packed with the following runtime packer:
• UPX

Description inserted by Irina Boldea on Tuesday, May 16, 2006
Description updated by Irina Boldea on Tuesday, May 16, 2006
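
A triage check built from the indicators listed above, as an added example that is not part of the original description or the vendor's tooling. The function names are hypothetical, and "12.288 Bytes" is assumed to mean 12,288 bytes. Several dropped names (Setup.exe, Winzip.exe) are common for legitimate files, so a name match is only confirmed when the size and MD5 also match.

```python
import hashlib
from pathlib import Path

MD5 = "85add335b75d9a6c44019f5ffdbf2b9a"  # MD5 checksum from the description
SIZE = 12288  # assumption: "12.288 Bytes" uses '.' as a thousands separator
DROPPED = {n.lower() for n in (
    "Cable.exe", "FileCryptor.exe", "Microsoft SP4.exe", "Acrobat Reader.exe",
    "Setup.exe", "NAI Mcafee.exe", "Norton AV.exe", "PGP Free.exe",
    "Password recovery.exe", "KazzaP2P.exe", "Download accelerator.exe",
    "Linux Source.exe", "Winzip.exe", "Lotus app.exe", "Netscape.exe",
    "Money Manger.exe", "Paypal.exe", "FixMydoom.exe", "BillSux.exe",
    "MorpheusP2P.exe", "E_donkey.exe", "Calvin and Hobbes.exe")}

def ini_marker(text):
    """True if INI text (win.ini or Cable.ini) carries the worm's [CopyRight] section."""
    section, keys = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "copyright" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip().lower()
    return keys.get("name") == "cable" and keys.get("type") == "netwreck worm"

def run_value_hit(value):
    """True if the HKCU ...\\CurrentVersion\\Windows "run" value references Cable.exe."""
    entries = (value or "").replace(",", " ").split()
    return any(e.strip('"').lower().rsplit("\\", 1)[-1] == "cable.exe" for e in entries)

def classify(name, size, md5=None):
    """'confirmed' on MD5 match, 'suspect' on name+size, 'name-only' on name, else None."""
    if md5 and md5.lower() == MD5:
        return "confirmed"
    if name.lower() in DROPPED:
        return "suspect" if size == SIZE else "name-only"
    return None

def scan_share(root):
    """Walk a shared directory; hash only files whose name and size already match."""
    hits = {}
    for path in Path(root).rglob("*.exe"):
        size = path.stat().st_size
        verdict = classify(path.name, size)
        if verdict == "suspect":
            verdict = classify(path.name, size, hashlib.md5(path.read_bytes()).hexdigest())
        if verdict:
            hits[str(path)] = verdict
    return hits
```

A "suspect" result that survives hashing means the name and size match but the MD5 does not, which still warrants a manual look.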