Virus: W32/Vasor.A
Date discovered: 28/07/2009
Type: File infector
In the wild: No
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: No
File size: ~100.000 Bytes
IVDF version: 7.01.05.39 - Tuesday, July 28, 2009

General
Method of propagation:
   • Infects files


Aliases:
   •  Symantec: W32.Vasor
   •  Mcafee: W32/Vasor.a
   •  Kaspersky: Worm.Win32.Vasor.17400
   •  VirusBuster: Worm.Vasor.A
   •  Eset: Win32/Vasor.B
   •  Bitdefender: Win32.Vasor.A


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Infects files
   • Lowers security settings
   • Registry modification
   • Third party control

Files
It copies itself to the following location:
   • %TEMPDIR%\svchost.exe

File infection
Infector type:

Appender - The virus's main code is added at the end of the infected file.
– The following sections are added:
   • NLDR
   • NEXE


Stealth:
No stealth techniques used. It modifies the OEP (Original Entry Point) of the infected file to point to the virus code.


Method:

This memory-resident infector remains active in memory.


Infection length:

Approximately 100.000 Bytes


The following files are infected:

By file type:
   • *.exe

Files in any of the following directories:
   • %all directories%
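
The file-infection traits above (added NLDR and NEXE sections, redirected entry point) can be checked from the PE headers alone. The following is an added example, not part of the original description or any vendor tool: the function names and the header-only sample files are constructed for illustration, and the check that the entry point falls inside an added section is an assumption, since the description does not say which section holds the virus code.

```python
import struct

# Section names taken from the description above.
SUSPECT = {"NLDR", "NEXE"}

def pe_sections(data):
    """Return (entry_point_rva, [(name, virtual_address, virtual_size), ...])."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    try:
        nsect, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        entry, = struct.unpack_from("<I", data, pe + 40)  # AddressOfEntryPoint
        table = pe + 24 + opt_size                        # first section header
        sections = []
        for i in range(nsect):
            name, vsize, vaddr = struct.unpack_from("<8sII", data, table + 40 * i)
            sections.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return entry, sections

def vasor_indicators(data):
    """Report the added-section indicator and where the entry point lands."""
    entry, sections = pe_sections(data)
    names = {n for n, _, _ in sections}
    ep_sec = next((n for n, va, vs in sections if va <= entry < va + vs), None)
    return {"added_sections": sorted(names & SUSPECT),
            "entry_section": ep_sec,
            "suspicious": SUSPECT <= names,
            # Assumption: the redirected entry point lies in an added section.
            "entry_in_added_section": ep_sec in SUSPECT}

def build_sample(names, entry):
    """Constructed PE headers only (no section data), for the demo below."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    secs = b"".join(struct.pack("<8sII24x", n.encode(), 0x1000, 0x1000 * (i + 1))
                    for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + opt + secs

if __name__ == "__main__":
    print(vasor_indicators(build_sample([".text", ".data"], 0x1000)))
    print(vasor_indicators(build_sample([".text", "NLDR", "NEXE"], 0x2010)))
```

Section names are only a triage indicator: treat a match as a reason to submit the file for full scanning, not as a verdict.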

Registry
It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%TEMPDIR%\svchost.exe"="%TEMPDIR%\svchost.exe:*:Enabled:Krosavcheg"

Backdoor
The following port is opened:

%TEMPDIR%\svchost.exe on TCP port 27150 in order to provide backdoor capabilities.

Miscellaneous
Network shares:
The following network share will be created:
   • vTask$


File details
Programming language:
The malware program was written in MS Visual C++.

Description inserted by Daniel Constantin on Friday, February 12, 2010
Description updated by Daniel Constantin on Monday, February 15, 2010
