Virus: Worm/VB.BV.4
Date discovered: 12/03/2008
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 93.612 Bytes
MD5 checksum: 0Bdddbd11165827f0C0A86b578ce5bef
VDF version: 6.38.00.39
IVDF version: 6.38.00.40 - Monday, March 12, 2007

General
Method of propagation:
   • Mapped network drives


Aliases:
   • McAfee: W32/USBCasv
   • Kaspersky: Worm.Win32.VB.fp
   • F-Secure: Worm.Win32.VB.fp
   • ESET: Win32/VB.FP
   • Bitdefender: Worm.Win32.VB.BV


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Uses its own Email engine
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %TEMPDIR%\s.exe
   • %SYSDIR%\odbcasvc.exe
   • %SYSDIR%\Recycled\INFO.EXE
   • %drive%:\Recycled\INFO.EXE


Archiving:
It creates archives and stores files in them.

The following directory is searched:
   • %WINDIR%\Microsoft.NET\Debug\Temp\

The following file type is looked for:
   • .log

The archive's file name is the following:
   • %current date%_%current time%.uda



It copies the following files:
    •  %all directories%\*.doc into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
    •  %all directories%\*.xls into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
    •  %all directories%\*ppt into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log



The following files are created:

– Non-malicious files:
   • %SYSDIR%\Recycled\desktop.ini
   • %drive%:\Recycled\desktop.ini

%SYSDIR%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%drive%:\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%WINDIR%\uda.exe

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc]
   • Type = 10
   • Start = 2
   • ErrorControl = 1
   • ImagePath = %SYSDIR%\odbcasvc.EXE
   • DisplayName = ODBC Administration Service
   • ObjectName = LocalSystem
   • Description = Microsoft Data Access - ODBC Administration Service
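
The file locations and the service key listed above can be checked against a collected file listing and the exported values of the service key. The following Python sketch is an added example, not part of the original description or of any vendor tool; the regex expansion of %SYSDIR%, %WINDIR% and %TEMPDIR%, the function names and the sample data are assumptions made for illustration.

```python
import re

# Path patterns built from the locations in this description. Expanding
# %SYSDIR%, %WINDIR% and %TEMPDIR% this way assumes a default Windows layout.
WINDIR = r"[a-z]:\\(?:windows|winnt)"
SYSDIR = WINDIR + r"\\system(?:32)?"
STAGING = WINDIR + r"\\microsoft\.net\\debug\\temp"
FILE_RULES = [
    ("worm copy (service binary)", SYSDIR + r"\\odbcasvc\.exe"),
    ("worm copy in Recycled", r"(?:" + SYSDIR + r"|[a-z]:)\\recycled\\info\.exe"),
    ("worm copy in temp directory", r".+\\temp\\s\.exe"),
    ("dropped uda.exe", WINDIR + r"\\uda\.exe"),
    ("staged document copy or archive", STAGING + r"\\[^\\]+\.(?:log|uda)"),
    ("autorun.inf (review its content)", r"(?:" + SYSDIR + r"|[a-z]:)\\autorun\.inf"),
]
# Service values from the description that corroborate a matching ImagePath.
SERVICE_VALUES = {"Start": "2", "DisplayName": "ODBC Administration Service",
                  "ObjectName": "LocalSystem"}

def match_files(paths):
    """Return (label, original path) pairs for paths matching a file rule."""
    hits = []
    for path in paths:
        norm = path.strip().replace("/", "\\").lower()
        hits += [(label, path) for label, rx in FILE_RULES if re.fullmatch(rx, norm)]
    return hits

def check_service(values):
    """Return None if ImagePath is not odbcasvc.exe, otherwise the sorted
    names of the other values that also match the description."""
    image = str(values.get("ImagePath", "")).strip('"').lower()
    if not image.endswith("\\odbcasvc.exe"):
        return None
    return sorted(name for name, want in SERVICE_VALUES.items()
                  if str(values.get(name, "")).lower() == want.lower())

# Constructed sample input, not taken from a real system.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\odbcasvc.exe",
    r"E:\Recycled\INFO.EXE",
    r"C:\WINDOWS\Microsoft.NET\Debug\Temp\20080312_101500.uda",
    r"C:\WINDOWS\system32\odbcad32.exe",  # legitimate ODBC tool, must not match
    r"D:\autorun.inf",
]
SAMPLE_SERVICE = {"ImagePath": r"C:\WINDOWS\system32\odbcasvc.EXE", "Start": 2,
                  "DisplayName": "ODBC Administration Service",
                  "ObjectName": "LocalSystem"}

if __name__ == "__main__":
    for label, path in match_files(SAMPLE_PATHS):
        print(f"{label}: {path}")
    print("service values matching:", check_service(SAMPLE_SERVICE))
```

An autorun.inf on a drive root can be legitimate, so that rule only marks the file for review of its content.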

Email
It doesn't have its own spreading routine, but it has the ability to send an email. The recipient is most likely the author. The characteristics are described below:


Email design:
 


From: esmtp01@tom.com
To: esmtp01@tom.com
Subject: Spider%number%[%computer name%\%current username%]
Attachment:
   • %current date%_%current time%.uda

The attachment is a copy of the created file: %WINDIR%\Microsoft.NET\Debug\Temp\%current date%_%current time%.uda

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Irina Diaconescu on Wednesday, July 30, 2008
Description updated by Andrei Gherman on Thursday, July 31, 2008
