Virus: Worm/Fontra.C
Date discovered: 09/02/2007
Type: Worm
In the wild: No
Reported Infections: Low
Distribution Potential: Medium
Damage Potential: Low to medium
Static file: No
File size: ~400.000 Bytes
VDF version: 6.37.01.61 - Friday, February 9, 2007
IVDF version: 6.37.01.61 - Friday, February 9, 2007

General

Method of propagation:
   • Peer to Peer


Aliases:
   •  McAfee: W32/Vbbot
   •  Kaspersky: Virus.Win32.Fontra.c
   •  F-Secure: Virus.Win32.Fontra.c
   •  Sophos: W32/Fontra-F
   •  Grisoft: Worm/Delf.ATB
   •  Eset: Win32/VB.NJQ

It was previously detected as:
   •  TR/Dldr.Fontra.C.1


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops a malicious file


Right after execution the following information is displayed:


Files

It copies itself to the following locations:
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\dllhost.exe
   • %PROGRAM FILES%\setup.exe
   • %PROGRAM FILES%\Track_03.exe
   • %PROGRAM FILES%\Video.exe



It copies itself within archives to the following locations:
   • %PROGRAM FILES%\a.zip
   • %PROGRAM FILES%\b.zip
   • %PROGRAM FILES%\c.zip



It creates the following directories:
   • %BearShare's shared folder%\_
   • %LimeWire's shared folder%\_
   • %Morpheus' shared folder%\_
   • %Shareaza's shared folder%\_



The following files are created:

– Non-malicious files:
   • %PROGRAM FILES%\A.ico
   • %PROGRAM FILES%\B.ico
   • %SYSDIR%\vbzip10.dll

– %PROGRAM FILES%\uy.exe This file is executed as soon as it has been fully created. Further investigation showed that this file is malware, too. Detected as: TR/Dldr.Fontra.C.2




It tries to execute the following files:

– Filename:
   • %PROGRAM FILES%\bearshare\bearshare.exe


– Filename:
   • %PROGRAM FILES%\limewire\limewire.exe


– Filename:
   • %PROGRAM FILES%\morpheus\morpheus.exe


– Filename:
   • %PROGRAM FILES%\shareaza\shareaza.exe

P2P

To infect other systems in the peer-to-peer network community, the following action is performed:


It searches for the following directories:
   • %BearShare's shared folder%\_
   • %LimeWire's shared folder%\_
   • %Morpheus' shared folder%\_
   • %Shareaza's shared folder%\_

   If successful, the following file is created:
   • %random character string%.zip

   The archive contains a copy of the malware inside.



The shared directory might look like the following:


File details

Programming language:
The malware program was written in Visual Basic.

Description inserted by Andrei Gherman on Wednesday, March 28, 2007
Description updated by Andrei Gherman on Wednesday, March 28, 2007
