Virus: Worm/VB.aki.2
Date discovered: 02/04/2009
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: High
Static file: Yes
File size: 130.560 Bytes
MD5 checksum: 344774e20fe14520c282e8531c47a64c
IVDF version: 7.01.03.04 - Thursday, April 2, 2009

General

Method of propagation:
   • Autorun feature


Aliases:
   •  McAfee: W32/Autorun.worm.gen virus
   •  Sophos: W32/Autorun-APK
   •  Panda: W32/VB.AER.worm
   •  Eset: Win32/VB.NQP
   •  Bitdefender: Worm.Generic.47242


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops malicious files
   • Registry modification




   It creates thousands of files in subdirectories until there is no free space left on the hard disk.
   The size of the files ranges from ~20 kB to ~200 kB.
   The file names are randomly generated and use an extension from the following list:
    sys
    com
    ini
    bin
    inf
    dll
    ocx
    dat
    bas
    cat
    res
    cfg
    mp3
    doc
    txt
    hlp
    ax
    dot

Files

It copies itself to the following locations:
   • %WINDIR%\acroread.exe
   • %drive%\usbdrv.exe



It deletes the following files:
   • C:\ntldr
   • C:\NTDETECT.COM
   • C:\boot.ini



The following files are created:

%drive%\sys.inf: This is a non-malicious text file with the following content:
   • %code that runs malware%

%drive%\autorun.inf: This is a non-malicious text file with the following content:
   • %code that runs malware%

Registry

One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Adobe Reader"="%WINDIR%\acroread.exe"

File details

Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To make detection more difficult and to reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Monday, November 16, 2009
Description updated by Petre Galan on Monday, November 16, 2009
