Virus:Worm/VB.CA.1
Date discovered:04/08/2006
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:No
File size:~35.000 Bytes
VDF version:6.35.01.46 - Friday, August 4, 2006
IVDF version:6.35.01.46 - Friday, August 4, 2006

 General Method of propagation:
   • Peer to Peer


Aliases:
   •  Kaspersky: Email-Worm.Win32.VB.ca
   •  Bitdefender: Win32.Worm.P2P.VB.L


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Registry modification


Right after execution it runs a windows application which will display the following window:


 Files  It copies itself to the following locations. Those files have random bytes appended so they may differ from the original one:
   • %SYSDIR%\SVCH0ST.EXE
   • %SYSDIR%\wincirl.com
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.com
   • %HOME%\Start Menu\Programs\Startup\Empty.com
   • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\%computer name%.exe
   • %TEMPDIR%\%computer name%.EXE
   • %drive%:\%computer name%.EXE
   • %malware execution directory%\%computer name%.exe

 Registry The following registry key is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "Microsoft Agent"="%SYSDIR%\SVCH0ST.exe"



The following registry keys are changed:

– HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
   Old value:
   • "load"=""
   New value:
   • "load"="C:\WINDOWS/system/wincirl.com"

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe C:\WINDOWS/system32/SVCH0ST.EXE"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  


It searches for the following directory:
   • %malware execution directory%\%all subdirectories%

   If successful, the following file is created:
   • %current directory name%.exe

   These files are copies of the malware itself.

 Process termination Processes containing one of the following window titles are terminated:
   • task manager; registry; system restore; folder options; configuration;
      cmd.exe; virus; yahoo; system32; utility; format


 File details Programming language:
 The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
   • PECompact 2

Description inserted by Teodor Onisor on Wednesday, August 9, 2006
Description updated by Teodor Onisor on Thursday, August 10, 2006

Back . . . .