Virus: Worm/VB.CM.16
Date discovered: 08/08/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: Yes
File size: 265.647 Bytes
MD5 checksum: d446896360493dccba3463482ec11a4f
VDF version: 6.35.01.62 - Tuesday, August 8, 2006
IVDF version: 6.35.01.62 - Tuesday, August 8, 2006

General
Methods of propagation:
   • Local network
   • Peer to Peer


Aliases:
   •  Kaspersky: P2P-Worm.Win32.VB.cm
   •  Bitdefender: Win32.Worm.VB.CE


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops a malicious file
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\ircbot.exe



It overwrites the following files:
– \\%computers in current domain%\%network shares%\%all subdirectories%\

File extension:
   • exe

With the following contents:
   • %executed file%




It copies the following files:
    •  \\%computers in current domain%\%network shares%\%all subdirectories%\*.exe into \\%computers in current domain%\%network shares%\%all subdirectories%\*.exe.bak



It deletes the initially executed copy of itself.



The following files are created:

– Non malicious file:
   • %SYSDIR%\Mswinsck.ocx

– Further files:
   • %malware execution directory%\Kill.bat
     Furthermore, it gets executed after it was fully created. This batch file is used to delete a file.
   • %WINDIR%\Lvcomx.exe
     Furthermore, it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: TR/Drp.VB.CJ.4
   • %WINDIR%\infect.bat

Registry
The following registry key is added:

– [HKLM\SOFTWARE\ProductName\ProductID]

P2P
In order to infect other systems in the Peer to Peer network community, the following action is performed:


It searches for the following directories:
   • %PROGRAM FILES%\Kazaa Lite\My Shared Folder\
   • %PROGRAM FILES%\LimeWire\Shared\
   • %PROGRAM FILES%\BearShare\Shared\
   • %PROGRAM FILES%\Morpheus\My Shared Folder\
   • %PROGRAM FILES%\Grokster\My Grokster\

   It retrieves the shared folder by querying the following registry key:
   • HKLM\SOFTWARE\Kazaa\LocalContent\DownloadDir

   If successful, the following files are created:
   • VB6+Crack.zip.exe
   • (Hot)CamStrip.mpg.exe
   • TrojanScanPro.exe
   • (Hot)sex ,f**k ,a**l ,wet p***y ,f**ked hard ,de*****oat ,blo**ob ,phat a** ,a** f**k.mpg.exe
   • WoW - World of Warcraft FULL + crack.exe
   • Half Life 2 cd key generator + Crack.exe
   • Britney spears - In the zone FULL ALBUM.zip.exe
   • Windows Longhorn full + crack.exe
   • Jenna jameson hard d***y style s*x.avi.exe
   • TJenna jameson hard d***y style s*x.avi.exe

   These files are copies of the malware itself.

IRC
Spreading:
It tries to locate the mIRC installation directory. It searches through the following paths:
   • %system drive root%\mirc
   • %system drive root%\mirc32

– It creates a file called script.ini in order to spread a copy of itself via IRC.
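The indicators listed in the sections above (dropped files, the .exe/.exe.bak overwrite pattern on shares, the P2P decoy names, the mIRC script.ini hook, the registry key and the sample MD5) can be swept for on a suspect host. The following Python triage helper is an added example and not part of the original description or of any vendor tool. It assumes %WINDIR% expands to C:\Windows, abridges the decoy-name list to the entries the description prints unmasked, and runs over a constructed file listing, registry key list and MD5 map as a directory walk or forensic image would supply them.

```python
"""Host triage helper for the Worm/VB.CM.16 indicators documented above.

Added example: takes a file listing, a list of registry keys and a
per-file MD5 map, and reports which documented indicators are present.
Assumptions: %WINDIR% is C:\\Windows; all sample input is constructed.
"""
import ntpath
import re

# Sample hash as given in the description.
KNOWN_MD5 = "d446896360493dccba3463482ec11a4f"

# Fixed drop locations (assumed %WINDIR% = C:\Windows).
DROPPED_FILES = {
    "c:\\windows\\ircbot.exe": "worm copy (%WINDIR%\\ircbot.exe)",
    "c:\\windows\\lvcomx.exe": "dropped malware (TR/Drp.VB.CJ.4)",
    "c:\\windows\\infect.bat": "dropped batch file (infect.bat)",
}

# P2P shared folders the worm looks for (matched as path fragments).
P2P_SHARE_DIRS = (
    "\\kazaa lite\\my shared folder\\",
    "\\limewire\\shared\\",
    "\\bearshare\\shared\\",
    "\\morpheus\\my shared folder\\",
    "\\grokster\\my grokster\\",
)

# Decoy names, abridged to those printed unmasked in the description.
P2P_LURE_NAMES = {
    "vb6+crack.zip.exe",
    "(hot)camstrip.mpg.exe",
    "trojanscanpro.exe",
    "wow - world of warcraft full + crack.exe",
    "half life 2 cd key generator + crack.exe",
    "britney spears - in the zone full album.zip.exe",
    "windows longhorn full + crack.exe",
}

REGISTRY_KEY = "hklm\\software\\productname\\productid"

# script.ini directly under <drive>:\mirc or <drive>:\mirc32.
MIRC_SCRIPT = re.compile(r"^[a-z]:\\mirc(32)?\\script\.ini$")


def _norm(path):
    """Lower-case a Windows path and normalise separators for matching."""
    return path.replace("/", "\\").lower()


def find_indicators(paths, registry_keys=(), md5_by_path=None):
    """Return a list of (description, path_or_key) for every indicator hit."""
    md5_by_path = md5_by_path or {}
    present = {_norm(p) for p in paths}
    findings = []

    for p in sorted(present):
        name = ntpath.basename(p)
        if p in DROPPED_FILES:
            findings.append((DROPPED_FILES[p], p))
        # Kill.bat is written next to wherever the sample was started from,
        # so only the file name is known; treat it as a weak indicator.
        if name == "kill.bat":
            findings.append(("possible dropped batch file (Kill.bat)", p))
        if name in P2P_LURE_NAMES and any(d in p for d in P2P_SHARE_DIRS):
            findings.append(("P2P decoy copy of the worm", p))
        if MIRC_SCRIPT.match(p):
            findings.append(("mIRC script.ini spreading hook", p))
        # Overwrite pattern: the original .exe was copied to .exe.bak
        # before the .exe itself was replaced with the worm body.
        if p.endswith(".exe.bak") and p[:-4] in present:
            findings.append(("overwritten executable (backup in .exe.bak)", p[:-4]))

    for key in registry_keys:
        if _norm(key) == REGISTRY_KEY:
            findings.append(("registry key added by the worm", key))

    for path, digest in md5_by_path.items():
        if digest.lower() == KNOWN_MD5:
            findings.append(("file matches the sample MD5", _norm(path)))

    return findings


# Constructed sample input for the demonstration.
SAMPLE_FILES = [
    r"C:\Windows\ircbot.exe",
    r"C:\Windows\System32\Mswinsck.ocx",   # legitimate VB Winsock control, not flagged
    r"C:\Windows\Lvcomx.exe",
    r"C:\Program Files\LimeWire\Shared\TrojanScanPro.exe",
    r"C:\Program Files\LimeWire\Shared\holiday.jpg",
    r"C:\mirc\script.ini",
    r"\\FILESRV01\public\tools\putty.exe",
    r"\\FILESRV01\public\tools\putty.exe.bak",
    r"C:\Documents and Settings\alice\Desktop\Kill.bat",
]
SAMPLE_REGISTRY = [r"HKLM\SOFTWARE\ProductName\ProductID",
                   r"HKLM\SOFTWARE\Microsoft\Windows"]
SAMPLE_MD5 = {r"C:\Windows\ircbot.exe": "D446896360493DCCBA3463482EC11A4F"}

if __name__ == "__main__":
    for description, where in find_indicators(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_MD5):
        print(f"{description}: {where}")
```

The .exe/.exe.bak pairing is the most useful signal on file servers, because the decoy names and drop paths only show up on the infected workstation, while a backed-up original beside every executable in a share is what the overwrite leaves behind across the domain.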

Miscellaneous
Internet connection:

It queries with the name:
   • www.google.com

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Daniel Constantin on Thursday, August 10, 2006
Description updated by Daniel Constantin on Monday, August 14, 2006
