Virus: Worm/VB.BY.3
Date discovered: 04/07/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 35.176 Bytes
MD5 checksum: 72ac420Cef8d898ab1a66c5d79ce7d6b
VDF version: 6.35.00.115
IVDF version: 6.35.00.141 - Monday, July 10, 2006

General
Methods of propagation:
   • Email
   • Peer to Peer


Aliases:
   •  Mcafee: W32/MoonLight.worm
   •  Kaspersky: Email-Worm.Win32.VB.by
   •  TrendMicro: WORM_BRONTOK.AH
   •  VirusBuster: I-Worm.VB.WEI
   •  Eset: Win32/NoonLight.F
   •  Bitdefender: Worm.Spawner.VB.BY


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Uses its own Email engine
   • Lowers security settings
   • Records keystrokes
   • Registry modification

Files
It copies itself to the following locations:
   • %SYSDIR%\%number%.exe
   • %SYSDIR%\X%number%go\Z%number%cie.cmd
   • %HOME%\Templates\%number%Z\TUX%number%.exe
   • %HOME%\Start Menu\Programs\startup\sql.cmd
   • %WINDIR%\M%number%\Ja%number%bLay.com
   • %WINDIR%\Ti%number%ta.exe
   • %WINDIR%\sa-%number%.exe
   • %WINDIR%\M%number%\smss.exe
   • %WINDIR%\M%number%\EmangEloh.exe
   • %HOME%\Templates\%number%Z\winlogon.exe
   • %HOME%\Templates\%number%Z\service.exe



The following file is created:

%SYSDIR%\msvbvm60.dll

Registry
The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • "T%number%"="%WINDIR%\sa-%number%.exe"

– HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "T%number%"="%SYSDIR%\%number%.exe"



The values of the following registry keys are removed:

–  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • ADie suka kamu
   • Bron-Spizaetus-cfirltrx
   • Bron-Spizaetus
   • Bron-Spizaetus-cgglmmrv
   • dkernel
   • lexplorer
   • YourUnintendes
   • YourUnintended
   • TryingToSpeak

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • SaTRio ADie X
   • Tok-Cirrhatus-1101
   • MomentEverComes
   • AllMyBallance
   • Tok-Cirrhatus



The following registry keys are added:

– HKCU\Software\VB and VBA Program Settings\noGods

– HKCU\Software\VB and VBA Program Settings\noGods\appActive
   • "winlogon.exe"="£¸ð"
   • "EmangEloh.exe"="i~¶Q"
   • "smss.exe"="r"
   • "service.exe"="²ê"

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe
   • "debugger"="%WINDIR%\notepad.exe"

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\msconfig.exe
   • "debugger"="%WINDIR%\notepad.exe"

– HKCU\Software\VB and VBA Program Settings\untukmu\version
   • "me"="4"

– HKCR\scrfile
   • "(Default)"="File Folder"



The following registry keys are changed:

– HKLM\SYSTEM\ControlSet002\Control\SafeBoot
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%number%.exe"

– HKLM\SYSTEM\ControlSet001\Control\SafeBoot
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%number%.exe"

Deactivate Windows Firewall:
– HKLM\SYSTEM\ControlSet001\Services\SharedAccess
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000000

– HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
   Old value:
   • "ShowSuperHidden"=%user defined settings%
   • "Hidden"=%user defined settings%
   • "HideFileExt"=%user defined settings%
   New value:
   • "ShowSuperHidden"=dword:00000000
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001

Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Old value:
   • "DisableRegistryTools"=dword:00000000
   New value:
   • "DisableRegistryTools"=dword:00000001

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Userinit"="%SYSDIR%\userinit.exe"
   • "Shell"="explorer.exe"
   New value:
   • "Userinit"="%SYSDIR%\userinit.exe , "%WINDIR%\M%number%\Ja%number%bLay.com""
   • "Shell"="explorer.exe, "C:\Documents and Settings\cda101\Templates\O%number%Z\TuxO%number%Z.exe""
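A defender-side check for the persistence and hardening reversals listed in the registry section, as an added example that is not part of the original description: it walks a registry snapshot (a dict keyed by full key path, as one might parse from a `reg export` file) and flags the deviations the report describes. The SAMPLE snapshot and the placeholder number 1234 are constructed here.

```python
# Snapshot format: {"HIVE\\Key": {value_name: data}}, e.g. parsed from `reg export`.
IFEO = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkcu\software\microsoft\windows\currentversion\policies\system"
FIREWALL = r"hklm\system\controlset001\services\sharedaccess"
SAFEBOOT = (r"hklm\system\controlset001\control\safeboot",
            r"hklm\system\controlset002\control\safeboot")

def check_snapshot(snapshot):
    """Return (key, value_name, data, reason) for every deviation from the baseline."""
    # Registry paths and value names are case-insensitive: fold both to lowercase.
    snap = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    get = lambda key, name: snap.get(key, {}).get(name)
    hits = []
    # Winlogon: Shell must be exactly explorer.exe; Userinit must name only userinit.exe.
    shell = get(WINLOGON, "shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        hits.append((WINLOGON, "Shell", shell, "additional shell program"))
    userinit = get(WINLOGON, "userinit")
    if userinit is not None:
        progs = [p.strip().strip('"') for p in userinit.split(",") if p.strip()]
        if len(progs) != 1 or not progs[0].lower().endswith("userinit.exe"):
            hits.append((WINLOGON, "Userinit", userinit, "additional Userinit program"))
    # IFEO: a Debugger value under an admin tool's subkey redirects that tool.
    for key, values in snap.items():
        if key.startswith(IFEO + "\\") and "debugger" in values:
            hits.append((key, "Debugger", values["debugger"], "IFEO debugger hijack"))
    # Safe-mode shell, registry-tools policy and firewall service start type.
    for key in SAFEBOOT:
        alt = get(key, "alternateshell")
        if alt is not None and alt.lower() != "cmd.exe":
            hits.append((key, "AlternateShell", alt, "safe-mode shell replaced"))
    if get(POLICIES, "disableregistrytools") == 1:
        hits.append((POLICIES, "DisableRegistryTools", 1, "registry tools disabled"))
    if get(FIREWALL, "start") == 0:
        hits.append((FIREWALL, "Start", 0, "firewall service start type altered"))
    return hits

# Constructed snapshot mirroring the report, with %number% replaced by 1234.
SAMPLE = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r'%SYSDIR%\userinit.exe , "%WINDIR%\M1234\Ja1234bLay.com"',
        "Shell": r'explorer.exe, "%HOME%\Templates\1234Z\TUX1234.exe"'},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe": {
        "Debugger": r"%WINDIR%\notepad.exe"},
    r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot": {"AlternateShell": "1234.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System": {"DisableRegistryTools": 1},
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess": {"Start": 0},
}
```

Running `check_snapshot(SAMPLE)` yields one finding per tampered value; a snapshot with the default `explorer.exe`, a lone `userinit.exe,` and `cmd.exe` as safe-mode shell yields none.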

Email
It contains an integrated SMTP engine for sending emails and connects directly to the destination mail server. Its characteristics are described below:


From:
The sender address is spoofed (generated addresses). Please do not assume that the apparent sender intended to send this email to you; they might not know about their infection, or might not be infected at all. Furthermore, you may receive bounced emails telling you that you are infected; this might also not be the case.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • Tolong Aku..
   • Tolong
   • hi please see this file
   • hey Indonesian porn Tiara lestari pic's
   • Registration Confirmation
   • Cek This
   • hello
   • RE:bla bla bla
   • RE:HeLLO GuYs



Body:
The body of the email is one of the lines:
   • please read again what i have written to you
   • thank's for you register your acount details are attached
   • Aku Mencari Wanita yang aku Cintai
   • dan cara menggunakan email mass
   • ini adalah cara terakhirku ,di lampiran ini terdapat
   • foto dan data Wanita tsb Thank's
   • NB:Mohon di teruskan kesahabat anda
   • aku mahasiswa Bsi Margonda smt 3
   • yah aku sedang membutuhkan pekerjaan
   • oh ya aku tahu anda dr milis ilmu komputer
   • di lampiran ini terdapat curriculum vittae dan foto saya
   • password lampiran 55132098
   • For security reasons attached file is password protected. The password is 55132098
Alternatively, the body of the email is the following:

   • free screen saver romance for you.
      Please Visit Our Web Site
     http://www.moonLight.com


Attachment:
The filename of the attachment is one of the following:
   • curriculum vittae.zip
   • USE_RAR_To_Extract.ace
   • ZIPPED.zip
   • FILEATTACH.bz2
   • Doc.gz
   • file.bz2
   • thisfile.gz
   • TITTA'S Picture.jar

The attachment is an archive containing a copy of the malware itself.

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
   • txt
   • tml
   • asp
   • wab
   • eml
   • doc
   • php
   • rtf


Address generation for FROM field:
To generate addresses it uses the following strings:
   • B4bb1cool; mansonisme; Yoseph2000; 12050075; CoolMan; BabbyBear;
      Jagung-Bakar; MooNLight; Rita; sasUK3; Davis; Titta; Anata; Emily;
      HellSpawn; Lia; Fria; admin; SaZZA; BInaSarana; JuwitaNingrum;
      HackersMinds



Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • bank; bront; dengines; Friendster; login; mcafee; MoonMail; norman;
      norton; novell; panda; sensasi; sophos; suport; Syman; Trend; vaksin;
      virus; xxx; yahoogroup; yourdomain; yoursite; yyyy


Prepend MX strings:
To locate the IP address of the mail server for a domain, it can prepend the following strings to the domain name:
   • smtp.
   • mail.
   • ns1.
   • mx1.
   • mail1.
   • mx.
   • mxs.
   • relay.
   • gate.

P2P
In order to infect other systems on Peer to Peer networks, the following action is performed:

   It searches for directories whose names contain one of the following substrings:
   • upload
   • share
   • download

   If such directories are found, the following files are created in them:
   • TutoriaL HAcking%empty spaces%.exe
   • Lagu - Server%empty spaces%.scr
   • Data DosenKu%empty spaces%.exe
   • Titip Folder Jangan DiHapus%empty spaces%.exe
   • Love Song%empty spaces%.scr
   • New mp3 BaraT !!%empty spaces%.exe
   • THe Best Ungu%empty spaces%.scr
   • Blink 182%empty spaces%.exe
   • Norman virus Control 5.18%empty spaces%.exe
   • download%empty spaces%.scr
   • Gallery%empty spaces%.scr
   • RaHasIA%empty spaces%.exe

   These files are copies of the malware itself.

Backdoor
Contact server:
It contacts the following server:
   • http://www.apasajalah.host.sk/**********

It may send information to this server via an HTTP GET request to a PHP script.


Sends information about:
   • Collected information described in the stealing section

Stealing
   • Keystrokes

Miscellaneous
Strings:
Furthermore it contains the following strings:
   • :: The NewMoonLight ::
   • Created by HeLLsPAwn A.K.A B4bb1cool
   • (c) 2006 Depok ~ Indonesia

File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Irina Boldea on Thursday, August 10, 2006
Description updated by Irina Boldea on Friday, August 11, 2006
