Virus: Worm/VB.BS.2
Date discovered: 27/04/2006
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium to high
Damage Potential: Low to medium
Static file: Yes
File size: 43.520 Bytes
MD5 checksum: 818de564a30f64e39c7f6142605ebcfb
VDF version: 6.34.01.16 - Thursday, April 27, 2006
IVDF version: 6.34.01.16 - Thursday, April 27, 2006

General
Method of propagation:
   • Email
   • Peer to Peer


Aliases:
   •  Kaspersky: Email-Worm.Win32.VB.bs
   •  F-Secure: Email-Worm.Win32.VB.bs
   •  Sophos: W32/Bobandy-G
   •  Grisoft: I-Worm/VB.LG
   •  Eset: Win32/NoonLight.A
   •  Bitdefender: Win32.Moonlight.C@mm


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Drops files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

Files
It copies itself to the following locations:
   • %WINDIR%\JAVA\CLASES\BIN\service.exe
   • %SYSDIR%\APPLOG\Sys\smss.exe
   • %SYSDIR%\run32dll.exe
   • %WINDIR%\Systask.exe
   • %SYSDIR%\dllcache\S-1-5-21-3407528163-1890605801-2494157004-500_Classes\MSOWCF.cmd
   • %WINDIR%\Brico.cmd
   • %WINDIR%\command.com
   • %SYSDIR%\remotesp.cmd
   • %SYSDIR%\MySqld-nt.cmd
   • %HOME%\Start Menu\Programs\startup\MySqld-nt Start.cmd
   • %WINDIR%\COMMAND\SETRAMD.cmd



It creates the following directories:
   • %WINDIR%\JAVA\CLASES\BIN
   • %WINDIR%\COMMAND



The following files are created:

– A temporary file that may be deleted afterwards:
   • %TEMPDIR%\~%hex values%.tmp

– C:\D4nc1ng_in_the_M0oNLighT.txt This is a non-malicious text file with the following content:
   • |------------------------------|
     | Im Alone, Where Is God ?? |
     | i'm Trapped This World |
     | No one's there |
     | YOu StiLL Hurt Me , Why |
     | in The Moon Light ... |
     | i'll ... die .... |
     | I can'T WaiT Tomorrow |
     | is so much to Long |
     | GoodBye Sickness |
     |------------------------------|

– %HOME%\My Documents\M_o_0_n_L_i_g_h_T.txt This is a non-malicious text file with the following content:
   • ----------------+-[W32/Moonlight]-+----------
     Created 3-2006 ,Depok City Indonesia,
     Greet's to MyMom,DeathKnight,PsHmV,Retro,
     Alco,LanElitta,An4k2MI***mrg
     
     
     |by HellSpawn|
     ---------------------------------------------

– %HOME%\My Documents\iLOVEHErLAN_ELLITTA.txt This is a non-malicious text file with the following content:
   • --------------------------------------------
     |Ta GW Masih Di DEpok, GW jg Blom nikah ko |
     |itu semua cm Gosip ko, gw kuliah di *** |
     |MarGonda.. |
     |By KK Loe |
     --------------------------------------------

– %SYSDIR%\winup\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll
– C:\cmd.bat

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "ObjectDockZX"="%WINDIR%\Brico.cmd"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "MooNlightNeverDie"="%SYSDIR%\MySqld-nt.cmd"



The values of the following registry keys are removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Tok-Cirrhatus"
   • "AllMyBallance"
   • "MomentEverComes"
   • "Tok-Cirrhatus-1101"
   • "SaTRio ADie X"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "TryingToSpeak"
   • "YourUnintended"
   • "YourUnintendes"
   • "lexplorer"
   • "dkernel"
   • "chaaya bulan"
   • "Bron-Spizaetus-cgglmmrv"
   • "Bron-Spizaetus"
   • "Bron-Spizaetus-cfirltrx"
   • "ADie suka kamu"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\msconfig.exe]
   • "debugger"="%SYSDIR%\remotesp.cmd"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
   Image File Execution Options\regedit.exe]
   • "debugger"="%WINDIR%\command.com"

– [HKCU\Software\VB and VBA Program Settings]
– [HKCU\Software\VB and VBA Program Settings\noGods]
– [HKCU\Software\VB and VBA Program Settings\noGods\appActive]
   • "service.exe"="7LN{8Y"
   • "smss.exe"="xÅa½yG:"

– [HKCU\Software\VB and VBA Program Settings\untukmu\version]
   • "me"="2"



The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined values%
   • "HideFileExt"=%user defined values%
   • "ShowSuperHidden"=%user defined values%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user defined settings%
   New value:
   • "NoFolderOptions"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
   Folder\SuperHidden]
   Old value:
   • "UncheckedValue"=dword:00000001
   New value:
   • "UncheckedValue"=dword:00000000

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="explorer.exe, "%WINDIR%\COMMAND\SETRAMD.cmd""

Deactivate Windows Firewall:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
   Old value:
   • "Start"=%user defined settings%
   New value:
   • "Start"=dword:00000000

– [HKLM\SYSTEM\ControlSet%number%\Control\SafeBoot]
   New value:
   • "AlternateShell"="cmd.exe"

– [HKCR\scrfile]
   Old value:
   • @="Screen Saver"
   New value:
   • @="File Folder"

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   User Shell Folders]
   New value:
   • "Common Startup"="%SYSDIR%\dllcache\S-1-5-21-3407528163-1890605801-2494157004-500_Classes"
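The persistence and lockdown values listed above can be audited with a read-only check such as the following. This is an added example and not part of the original description; it assumes Windows PowerShell in an administrator session and covers the two IFEO "debugger" values, the Winlogon "Shell", the two Run values, the policy values, the "Common Startup" redirection and the scrfile relabelling given above.

```powershell
# Added example, not from the Avira description: read-only audit of the registry
# values listed in the description on a suspect host. Assumes Windows PowerShell
# in an administrator session (HKLM reads). Nothing is modified.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$checks = @(
    # Any "debugger" value here redirects msconfig/regedit to the named program.
    @{ Path = "$ifeo\msconfig.exe"; Name = 'debugger'; Bad = { param($v) $null -ne $v } }
    @{ Path = "$ifeo\regedit.exe";  Name = 'debugger'; Bad = { param($v) $null -ne $v } }
    # The shell must be exactly explorer.exe; the worm appends its own .cmd file.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Bad = { param($v) $v -ne 'explorer.exe' } }
    # Run values under the names the description gives.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'ObjectDockZX'; Bad = { param($v) $null -ne $v } }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name = 'MooNlightNeverDie'; Bad = { param($v) $null -ne $v } }
    # Lockdown policies switched on.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = { param($v) $v -eq 1 } }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoFolderOptions'; Bad = { param($v) $v -eq 1 } }
    # All-users startup folder redirected into dllcache.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Name = 'Common Startup'; Bad = { param($v) "$v" -like '*dllcache*' } }
    # .scr files relabelled as folders so the dropped copies look harmless.
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\scrfile'
       Name = '(default)'; Bad = { param($v) $v -eq 'File Folder' } }
)

function Test-MoonlightRegistry {
    foreach ($c in $checks) {
        # A missing key or value yields $null; each rule decides whether
        # absence or a specific content is the suspicious condition.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if (& $c.Bad $value) {
            [pscustomobject]@{ Key = $c.Path; Value = $c.Name; Observed = $value }
        }
    }
}

Test-MoonlightRegistry | Format-Table -AutoSize
```

An empty table means none of the listed values is in the state the description attributes to the worm; any row names a key to inspect and restore.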

Email
It contains an integrated SMTP engine to send emails. A direct connection to the destination server is established. The characteristics are described below:


From:
The sender address is spoofed (generated). Do not assume that the apparent sender intended to send you this email; he might not know about his infection or might not even be infected at all. You may also receive bounced emails telling you that you are infected, which may likewise not be the case.


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)


Subject:
One of the following:
   • Tolong Aku..
   • Tolong
   • Registration Confirmation
   • Cek This
   • hello
   • RE:bla bla bla
   • RE:HeLLO GuYs



Body:
The body of the email is one of the following:

   • hi please see this file

   • hot babe high quality porn

   • free screen saver romance for you

   • Please Visit Our Web Site:http://www.moonLight.com

   • hey free brontok, small_kl & more removal

   • thank's for you register
     your acount details are attached

   • Aku Mencari Wanita yang aku Cintai
     dan cara menggunakan email mass
     Rita

   • ini adalah cara terakhirku ,di lampiran ini terdapat
     foto dan data Wanita tsb Thank's

   • NB:Mohon di teruskan kesahabat anda
     password lampiran 55132098

   • aku mahasiswa Bsi Margonda smt 3

   • yah aku sedang membutuhkan pekerjaan

   • oh ya aku tahu anda dr milis ilmu komputer

   • di lampiran ini terdapat curriculum vittae dan foto saya


Sometimes continued by one of the following:

   • For security reasons attached file is password protected.
     The password is 55132098


Attachment:
The filename of the attachment is one of the following:
   • mypic.zip
   • dataKU.ace
   • attach.zip
   • Update.bz2
   • Doc.gz
   • file.bz2
   • thisfile.gz
   • pic.jar

The attachment is an archive containing a copy of the malware itself.

Mailing
Search addresses:
It searches the following files for email addresses:
   • html; xls; mdb; doc; rtf; php; pps; ppt; txt; tml; asp; wab; eml


Address generation for FROM field:
To generate addresses it uses the following strings:
   • B4bb1cool; SpawN; jojo; mansonisme; Yoseph2000; 12050075; CoolMan;
      BabbyBear; Jagung-Bakar; MooNLight; Juwita; Davis; Titta; Anata;
      Emily; HellSpawn; Lia; Fria; admin; SaZZA; BInaSarana; Shit;
      JuwitaNingrum; HackersMinds; telkom; astaga; boleh; PLASA; indo;
      warung; gaul; id



Avoid addresses:
It does not send emails to addresses containing one of the following strings:
   • microsoft; .l; htm; rar; zip; www.; ..; virus; suport; MoonMail;
      yoursite; yourdomain; norton; panda; mcafee; Syman; sophos; Trend;
      vaksin; novell


Prepend MX strings:
To find the IP address of the recipient's mail server, it can prepend the following strings to the domain name:
   • ns1.
   • mx1.
   • mail1.
   • mail.
   • mx.
   • ns.
   • smtp.
   • relay.
   • gate.

P2P
To infect other systems in the peer-to-peer network community, it searches for directories whose names contain one of the following substrings:
   • documen
   • oad
   • shar
   • upload
   • Pictu
   • ambar
   • dokumen

   If successful, the following files are created:
   • Gallery%empty spaces%.scr
   • Blink 182%empty spaces%.scr
   • Windows Vista setup%empty spaces%.scr
   • Data DosenKu%empty spaces%.scr
   • Titip Folder Jangan DiHapus%empty spaces%.scr
   • Love Song%empty spaces%.scr
   • New mp3 BaraT !!%empty spaces%.scr
   • THe Best Ungu%empty spaces%.scr
   • Norman virus Control 5.18%empty spaces%.scr
   • TutoriaL HAcking%empty spaces%.scr
   • Lagu - Server%empty spaces%.scr
   • RaHasIA%empty spaces%.scr

   These files are copies of the malware itself.

Process termination
Processes with one of the following strings are terminated:
   • dengines
   • command
   • cleaner
   • access
   • kill box
   • regis
   • config
   • sensasi
   • cmd
   • hijack

Processes containing one of the following window titles are terminated:
   • zonEALARM
   • Startup control
   • filewalker
   • ProceXP
   • system Mechanic
   • OfficeSystem
   • Freeze


File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • PECompact

Description inserted by Adriana Popa on Tuesday, January 9, 2007
Description updated by Adriana Popa on Tuesday, January 9, 2007
