Virus:W32/Vetor.I
Date discovered:24/11/2008
Type:File infector
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:No
File size:47.579 Bytes
IVDF version:7.01.00.127 - Monday, November 24, 2008

 General Aliases:
   •  Mcafee: W32/Caveduck
   •  Kaspersky: Virus.Win32.Agent.cb
   •  F-Secure: Virus.Win32.Agent.cb
   •  Sophos: W32/Vetor-I
   •  Eset: Win32/Delf.NAP


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Files
It copies itself to the following location:
   • %SYSDIR%\%executed file%

Registry
The following registry keys are added in order to load the service after reboot:

– [HKLM\SYSTEM\ControlSet001\Enum\Root\
   LEGACY_~%random character string%~]
   • "NextInstance"=dword:00000001

– [HKLM\SYSTEM\ControlSet001\Enum\Root\
   LEGACY_~%random character string%~\0000]
   • "Service"="~%random character string%~"
     "Legacy"=dword:00000001
     "ConfigFlags"=dword:00000000
     "Class"="LegacyDriver"
     "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
     "DeviceDesc"="~%random character string%~"

– [HKLM\SYSTEM\ControlSet001\Enum\Root\
   LEGACY_~%random character string%~\0000\Control]
   • "*NewlyCreated*"=dword:00000000
     "ActiveService"="~%random character string%~"

– [HKLM\SYSTEM\ControlSet001\Services\
   ~%random character string%~]
   • "Type"=dword:00000110
     "Start"=dword:00000002
     "ErrorControl"=dword:00000000
     "ImagePath"=%hex values%
     "DisplayName"="~%random character string%~"
     "ObjectName"="LocalSystem"

– [HKLM\SYSTEM\ControlSet001\Services\
   ~%random character string%~\Security]
   • "Security"=%hex values%

– [HKLM\SYSTEM\ControlSet001\Services\
   ~%random character string%~\Enum]
   • "0"="Root\\LEGACY_~%random character string%~\\0000"
     "Count"=dword:00000001
     "NextInstance"=dword:00000001
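
The service entries listed above can be hunted for in a registry export. The following is an added example in Python, not code from this description or its author: it parses a regedit 5.00 export (a constructed sample is embedded in the code) and flags top-level service keys that combine the indicators listed above (Type 0x110, Start 2, ObjectName LocalSystem, an ImagePath under the system directory, and a DisplayName that merely repeats the service name). The service name `kqzxwtp`, the paths, the `Spooler` entry and the baseline set are placeholders invented for the demo; decoding the exported `%hex values%` of ImagePath as a REG_EXPAND_SZ path is an assumption (that is how regedit writes `hex(2)` values). One caveat the listing does not spell out: a running system reads these keys through HKLM\SYSTEM\CurrentControlSet, which is a link to one of the ControlSet00N keys, so ControlSet001 is simply the one the analysis export captured.

```python
"""Hunt for the service persistence described above in a registry export.

Added example, not code from the original description. It parses a regedit
5.00 export (a constructed sample is embedded below) and flags service keys
carrying the combination the description lists: Type 0x110, Start 2, ObjectName
LocalSystem, an ImagePath under the system directory, and a DisplayName that is
just the service name repeated. The service name "kqzxwtp" and the baseline set
are placeholders invented for the demo.
"""
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_INTERACTIVE_PROCESS = 0x100
SERVICE_AUTO_START = 2
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\"
BASELINE = {"Spooler"}                  # stand-in for a real known-good service list

def reg_hex2(s):
    """Encode a string as regedit exports REG_EXPAND_SZ: hex(2): + NUL-terminated UTF-16LE, wrapped."""
    hexes = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    chunks = [",".join(hexes[i:i + 25]) for i in range(0, len(hexes), 25)]
    return "hex(2):" + ",\\\n  ".join(chunks)

SPOOLER_PATH = r"%SystemRoot%\system32\spoolsv.exe"
RANDOM_NAME = "kqzxwtp"                 # stands in for ~%random character string%~
RANDOM_PATH = r"%SystemRoot%\system32\kqzxwtp.exe"

# Constructed export: one legitimate service and one laid out like the description.
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"={reg_hex2(SPOOLER_PATH)}
"DisplayName"="Print Spooler"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{RANDOM_NAME}]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"={reg_hex2(RANDOM_PATH)}
"DisplayName"="{RANDOM_NAME}"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{RANDOM_NAME}\Enum]
"0"="Root\\LEGACY_{RANDOM_NAME.upper()}\\0000"
"Count"=dword:00000001
"""

def decode_value(raw):
    """Decode the value syntaxes this demo needs: dword, quoted string, hex(2) (REG_EXPAND_SZ)."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw                                                    # other types kept verbatim

def parse_reg(text):
    """Parse a regedit 5.00 export into {key path: {value name: decoded value}}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.rstrip()
        while line.endswith("\\"):                                # wrapped hex value
            line = line[:-1] + next(lines).strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, raw = line[1:].partition('"=')
            keys[current][name] = decode_value(raw)
    return keys

def suspicious_services(keys):
    """Return (name, image path, reasons) for top-level service keys matching the indicators."""
    hits = []
    for path, vals in keys.items():
        name = path[len(SERVICES_PREFIX):]
        if not path.startswith(SERVICES_PREFIX) or "\\" in name:
            continue                                              # skip \Enum, \Security, ...
        reasons = []
        if vals.get("Type") == SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS:
            reasons.append("Type=0x110 (own process, interactive)")
        if vals.get("Start") == SERVICE_AUTO_START:
            reasons.append("Start=2 (auto start)")
        if vals.get("ObjectName") == "LocalSystem":
            reasons.append("ObjectName=LocalSystem")
        if "\\system32\\" in str(vals.get("ImagePath", "")).lower():
            reasons.append("ImagePath under %SYSDIR%")
        if vals.get("DisplayName") == name:
            reasons.append("DisplayName is just the service name")
        # The first four also fit many legitimate services (Spooler among them); the
        # name-reuse indicator plus absence from the baseline is what earns a second look.
        if len(reasons) == 5 and name not in BASELINE:
            hits.append((name, vals.get("ImagePath"), reasons))
    return hits
```

Run against a real export (`reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` on the suspect machine, then `parse_reg(open("services.reg", encoding="utf-16").read())`) the structural indicators alone match a long list of legitimate services, which is why the code only reports a hit when the DisplayName-equals-name pattern is present and the name is absent from a baseline taken from a known-clean build.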

File infection
Infector type:

Appender - The virus main code is added at the end of the infected file.
The last section of the file is modified to include the virus code.


Stealth:
No stealth techniques are used. The entry point in the infected file's PE header is changed to point to the virus code instead of the program's original entry point (OEP).


Method:

This infector is memory-resident: once run, it stays active in memory.


Infection length:

- 47.579 Bytes


Ignores files that:

Are smaller than: 100.000 Bytes


The following files are infected:

By file type:
   • *.exe,*.scr

Files in any of the following directories:
   • %all directories%
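
The traces the infection section above describes (virus body appended to the last section, that section modified, entry point redirected into it) can be checked with a small PE header parser. The following is an added example in Python, not code from this description or its author: it constructs two minimal PE32 images in memory, a clean host and the same host altered the way an appender alters it, applies the description's targeting rules (*.exe and *.scr only, hosts of at least 100.000 bytes, a 47.579-byte body) and reports whether the entry point now lies in an executable last section. Section names, RVAs and sizes are invented for the demonstration.

```python
"""Heuristic check for the appender pattern described above.

Added example, not code from the original description. It constructs two
minimal PE32 images in memory (a clean host, and that host altered the way an
appending infector alters it) and reports whether the entry point lies in the
last section and whether that section is executable. Names, RVAs and section
sizes are made up; only the targeting rules (*.exe/*.scr, hosts of at least
100,000 bytes, a 47,579-byte body) come from the description.
"""
import os
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MIN_HOST_SIZE = 100_000                 # the virus ignores smaller files
INFECTION_LENGTH = 47_579               # bytes of virus code added to a host
TARGET_EXTENSIONS = {".exe", ".scr"}

def would_be_targeted(filename, data):
    """Apply the infector's own selection rules: file type and minimum host size."""
    return os.path.splitext(filename)[1].lower() in TARGET_EXTENSIONS and len(data) >= MIN_HOST_SIZE

def parse_pe32(data):
    """Return (entry_rva, sections); each section is (name, va, vsize, raw_ptr, raw_size, chars)."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)   # IMAGE_FILE_HEADER
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                            # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)          # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                               # IMAGE_SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, va, vsize, raw_ptr, raw_size, chars))
    return entry_rva, sections

def check_appender(data):
    """Flag what an appender leaves behind: the entry point inside the last section,
    that section executable, and at least one virus body's worth of raw data in it."""
    entry_rva, sections = parse_pe32(data)
    name, va, vsize, _, raw_size, chars = sections[-1]
    in_last = va <= entry_rva < va + max(vsize, raw_size)
    executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
    return {"entry_point_rva": entry_rva, "last_section": name,
            "entry_in_last_section": in_last, "last_section_executable": executable,
            "suspicious": in_last and executable and raw_size >= INFECTION_LENGTH}

def build_pe32(entry_rva, sections):
    """Build a minimal PE32 file (DOS header, NT headers, section table, int3 filler) for the
    demo. `sections` holds (name, va, vsize, raw_size, chars); raw data is placed in order."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0).ljust(opt_size, b"\0")
    raw_start = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(sections)) // align) * align
    sec_hdrs, raw, ptr = b"", b"", raw_start
    for name, va, vsize, raw_size, chars in sections:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, raw_size, ptr, 0, 0, 0, 0, chars)
        raw += b"\xCC" * raw_size                                   # filler, not real code
        ptr += raw_size
    headers = dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt + sec_hdrs
    return headers.ljust(raw_start, b"\0") + raw

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed clean host (107,008 bytes, so large enough to be targeted): entry in .text.
CLEAN_HOST = build_pe32(0x1100, [(".text", 0x1000, 0x18000, 0x18000, CODE),
                                 (".data", 0x19000, 0x2000, 0x2000, DATA)])
# The same host after an appender: .data grown by 47,579 bytes rounded up to the file
# alignment (0xBA00), made executable, entry point moved to the start of the added code.
INFECTED_HOST = build_pe32(0x1B000, [(".text", 0x1000, 0x18000, 0x18000, CODE),
                                     (".data", 0x19000, 0xDA00, 0xDA00, DATA | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, would_be_targeted("host.exe", image), check_appender(image))
```

On real files, replace the constructed images with `open(path, "rb").read()`. An entry point inside an executable last section is also what run-time packers such as UPX produce, so treat a hit as a triage signal to compare the file against a known-clean copy (or a vendor signature), not as a verdict on its own.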

Miscellaneous
Mutex:
It creates the following Mutex:
   • ~%random character string%~

File details
Programming language:
The malware program was written in Delphi.

Description inserted by Daniel Constantin on Monday, February 1, 2010
Description updated by Daniel Constantin on Tuesday, February 2, 2010
