Virus: Worm/VB.BV.4
Date discovered: 12/03/2008
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 93.612 Bytes
MD5 checksum: 0Bdddbd11165827f0C0A86b578ce5bef
VDF version: 6.38.00.39
IVDF version: 6.38.00.40 - Monday, March 12, 2007

General

Method of propagation:
• Mapped network drives

Aliases:
• McAfee: W32/USBCasv
• Kaspersky: Worm.Win32.VB.fp
• F-Secure: Worm.Win32.VB.fp
• Eset: Win32/VB.FP
• Bitdefender: Worm.Win32.VB.BV

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Uses its own Email engine
• Registry modification
• Steals information

Files

It copies itself to the following locations:
• %TEMPDIR%\s.exe
• %SYSDIR%\odbcasvc.exe
• %SYSDIR%\Recycled\INFO.EXE
• %drive%:\Recycled\INFO.EXE

Archiving: It creates archives and stores files in them.

The following directory is searched:
• %WINDIR%\Microsoft.NET\Debug\Temp\

The following file type is targeted:
• .log

The archive's filename is the following:
• %current date%_%current time%.uda

It copies the following files:
• %all directories%\*.doc into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
• %all directories%\*.xls into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
• %all directories%\*ppt into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log

The following files are created:

– Non malicious files:
• %SYSDIR%\Recycled\desktop.ini
• %drive%:\Recycled\desktop.ini

– %SYSDIR%\autorun.inf
This is a non malicious text file with the following content:
• %code that runs malware%

– %drive%:\autorun.inf
This is a non malicious text file with the following content:
• %code that runs malware%

– %WINDIR%\uda.exe

Registry

The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc]
• Type = 10
• Start = 2
• ErrorControl = 1
• ImagePath = %SYSDIR%\odbcasvc.EXE
• DisplayName = ODBC Administration Service
• ObjectName = LocalSystem
• Description = Microsoft Data Access - ODBC Administration Service

Email

It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

Email design:
From: esmtp01@tom.com
To: esmtp01@tom.com
Subject: Spider%number% [%computer name%\%current username%]

Attachment:
• %current date%_%current time%.uda

The attachment is a copy of the created file: %WINDIR%\Microsoft.NET\Debug\Temp\%current date%_%current time%.uda

File details

Runtime packer: In order to complicate detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Irina Diaconescu on Wednesday, July 30, 2008
Description updated by Andrei Gherman on Thursday, July 31, 2008