Full description

Virus:	Worm/Agent.184320
Date discovered:	10/10/2006
Type:	Worm
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Medium
Damage Potential:	Low to medium
Static file:	Yes
File size:	298.528 Bytes
MD5 checksum:	8a1b5f56799b7bcc1751055e93c933a8
VDF version:	6.36.01.54
IVDF version:	6.36.01.57 - Monday, November 20, 2006

General Method of propagation:
   • Email

Aliases:
   • Kaspersky: Virus.Win32.VB.bp
   • TrendMicro: WORM_VB.BOE
   • Sophos: W32/Rungbu-B

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP

Side effects:
   • Drops a file
   • Drops a malicious file
   • Registry modification

Right after execution it runs a windows application which will display the following window:

Files It copies itself to the following locations:
   • C:\lsass.exe
   • %SYSDIR%\dllhost.com
   • %WINDIR%\setup\dllhost.com
   • %HOME%\My Documents\Rated R Pictures.com
   • %WINDIR%\lsass.exe.exe
   • %WINDIR%\AutoRun.ini
   • %WINDIR%\MsWord.exe
   • %PROGRAM FILES%\philconst.exe
   • %WINDIR%\Downloaded Program Files\philconst.exe
   • %deleted file%.scr

It creates the following directory:
   • %HOME%\My Documents\Rated R Pictures

It deletes files that contain one of the following substring:
   • .doc
   • .rtf

The following files are created:

– Non malicious files:
   • %malware executiondirectory%\%executed file%.doc
   • %WINDIR%\OUTSETTN.REG

– %PROGRAM FILES%\microsoft frontpage\outlook.vbs Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: HEUR/Worm.Outlook.VBS

Registry The following registry keys are added in order to run the processes after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   Run
   • @="%SYSDIR%\dllhost.com"

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • @="\lsass.exe"
   • "WinRun"="%WINDIR%\AutoRun.ini"

The following registry keys are added:

– HKCR\datfile\shell\open\command
   • @="\"%WINDIR%\setup\dllhost.com\" %1"

– KEY_CLASSES_ROOT\artfile\shell\open\command
   • @="\"%WINDIR%\setup\dllhost.com\" %1"

– HKCR\piffile\shell\open\command
   • @="\"%WINDIR%\setup\dllhost.com\" %1"

– HKCR\AVIFile\shell\open\command
   • @="\"%WINDIR%\setup\dllhost.com\" %1"

– HKCR\exefile
   • "NeverShowExt"=""

– HKCR\scrfile
   • @="Microsoft Word Document"
   • "NeverShowExt"=""

– HKCR\batfile
   • "NeverShowExt"=""

– HKCR\comfile
   • @="File Folder"

– HKCR\comfile\DefaultIcon
   • @=%SystemRoot%\System32\shell32.dll,3

– HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\MSCrusher
   • "command"="shutdown -s -f -t 0"
   • "hkey"="HKCR"
   • "inimapping"="0"
   • "item"="Shutdowm"
   • "key"="batfile\\shell\\edit\\command"

– HKLM\SOFTWARE\Microsoft\Windows\System\DarkAngel
   • "Expiration-Bug"="3011"

– HKCR\batfile\shell\edit\command
   • @="shutdown -s -f -t 0"

– HKCR\inifile\shell\open\command
   • @="%1" %*"

– HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
   • "ActiveTimeBias"=dword:ffffff88

The following registry keys are changed:

Various Explorer settings:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
   Old value:
   • "NoFolderOptions"=dword:00000000
   • "NoRun"=dword:00000000
   New value:
   • "NoFolderOptions"=dword:00000001
   • "NoRun"=dword:00000001

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
   New value:
   • "CheckedValue"=dword:00000001

Disable Regedit and Task Manager:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
   Old value:
   • "DisableRegistryTools"=dword:00000000
   New value:
   • "DisableRegistryTools"=dword:00000001

Email From:
The sender address is the user's Outlook account.

To:
– Email addresses gathered from WAB (Windows Address Book)

Subject:
The following:
• Read my letter for you

Body:
The body of the email is the following:
• this was created from the deep inside my heart.

Attachment:

The attachment is a copy of the malware itself.

Process termination List of processes that are terminated:
   • explorer.exe; avgctrl.exe; avgamsvr.exe; avgserv.exe; avginet.exe;
      avgupsvc.exe; avgemc.exe; avgnt.exe; avgregcl.exe; avgserv9.exe;
      avgw.exe; alogserv.exe; avsynmgr.exe; Mpfsheild.exe; MpfAgent.exe;
      mpf.exe; MpfConsole.exe; mcagent.exe; mcappins.exe; McDash.exe;
      mcdetect.exe; mcinfo.exe; mcmnhdlr.exe; mcshield.exe; mctskshd.exe;
      mcupdate.exe; mcvsescn.exe; mcvsshld.exe; mcvsftsn.exe; mcvsrte.exe;
      vstskmgr.exe; vsmain.exe; vshwin32.exe; pccpfw.exe; pccclient.exe;
      pcclient.exe; pccguide.exe; pccnt.exe; pccntmon.exe; pccntupd.exe;
      PcCtlCom.exe; pcscan.exe; avpm.exe; avpcc.exe; kav.exe; kavmm.exe;
      kavsvc.exe; AVENGINE.EXE; nisserv.exe; NISUM.exe; Navapsvc.exe;
      NMain.exe; Navapw32.exe; VetMsg.exe; VetTray.exe; Vet32.exe;
      VetNT.exe; vsmon.exe; zlclient.exe; zapro.exe; zonealarm.exe;
      APVXDWIN.EXE; AVLITE.EXE; AVLTMAIN.EXE; AVTASK.EXE; LUPGCONF.EXE;
      PAVSRV51.EXE; PavPrSrv.exe

File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Bogdan Iliuta on Wednesday, November 8, 2006
Description updated by Bogdan Iliuta on Wednesday, November 22, 2006

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools