Home / malwarePDF  

Worm:Win32/Visal.A


First posted on 23 August 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Visal.A is also known as Trojan.Win32.Swisyn.ajgd (Kaspersky), Win32/AutoRun.VB.SF (ESET), Trojan.Win32.Swisyn (Ikarus), W32/Autorun.worm.g (McAfee), WORM_AUTORUN.NAD (Trend Micro).

Explanation :

Worm:Win32/Visal.A is a worm written in Visual Basic. It drops copies of itself in drives C: to H:, as well as in folders with certain names. It may also arrive via spammed email messages. Worm:Win32/Visal.A modifies certain system policies, deletes files, and downloads arbitrary files, which may be detected as malware, from certain URLs.
Top

Worm:Win32/Visal.A is a worm written in Visual Basic. It drops copies of itself in drives C: to H:, as well as in folders with certain names. It may also arrive via spammed email messages. Worm:Win32/Visal.A modifies certain system policies, deletes files, and downloads arbitrary files, which may be detected as malware, from certain URLs. Installation Worm:Win32/Visal.A uses the icon of a PDF file to trick users into opening it. It also copies itself as the following files:

  • C:\N95_Image13022010.scr
  • C:\open.exe
  • %windir%\svchost.exe
  • It also creats the following autorun files that enable the worm copy "open.exe" to automatically run when the folder is accessed and Autorun is enabled:
  • C:\autorun.inf
  • %windir%\autorun.inf
  • %windir%\autorun2.inf
  • Worm:Win32/Visal.A modifies the system registry so that it is run when certain processes are debugged: Adds value: "Debugger" With data: "%windir%\svchost.exe" In subkeys: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry\<process name> where <process name> is any of the following: 00hoeav.com 0w.com 360rpt.exe 360safe.exe 360safebox.exe 360tray.exe 6.bat 6fnlpetp.exe 6x8be16.cmd a2cmd.exe a2free.exe a2service.exe a2upd.exe abk.bat adobe gamma loader.exe algsrvs.exe algssl.exe angry.bat anti-trojan.exe antiarp.exe antihost.exe ants.exe apu-0607g.xml apu.stt apvxdwin.exe arswp.exe ashdisp.exe ashenhcd.exe ashlogv.exe ashmaisv.exe ashpopwz.exe ashquick.exe ashserv.exe ashskpcc.exe ashupd.exe ashwebsv.exe ast.exe aswboot.exe aswregsvr.exe aswupdsv.exe autorun.bin autorun.exe autorun.ini autorun.reg autorun.txt autorun.wsh autorunkiller.exe autoruns.exe autorunsc.exe avadmin.exe avastss.exe avcenter.exe avciman.exe avconfig.exe avconsol.exe avengine.exe avgamsvr.exe avgas.exe avgcc.exe avgcc32.exe avgemc.exe avginet.exe avgnt.exe avgrssvc.exe avgrsx.exe avgscan.exe avgserv.exe avguard.exe avgupsvc.exe avgw.exe avgwdsvc.exe avltd.exe avmailc.exe avmonitor.exe avnotify.exe avp.com avp.exe avp32.exe avpcc.exe avpm.exe avscan.exe avzkrnl.dll bad1.exe bad2.exe bad3.exe bdagent.exe bdsubwiz.exe bdsurvey.exe biosread.exe blackd.exe blackice.exe caiss.exe caissdt.exe catcache.dat cauninst.exe cavapp.exe cavasm.exe cavaud.exe cavcmd.exe cavctx.exe Spreads via... Network shares Worm:Win32/Visal.A attempts to spread to other computers in the network. If it finds an accessible computer in the network, it attempts to copy the following files to drives C: to H:, if found, of that computer:
  • N73.Image12.03.2009.JPG.scr - copy of itself
  • autorun.inf - autorun file that allows the worm copy to automatically run when the drive is accessed and Autorun is enabled
  • It also creates a copy of itself as "N73.Image12.03.2009.JPG.scr" in shared folders with the following names:
  • Music
  • Print
  • NewFolder
  • Email Worm:Win32/Visal.A also spreads via spammed email messages. The email may have the following details: Body: Hello: This is The Document I told you about,you can find it Here.<link to worm copy> Please check it and reply as soon as possible. Cheers, Payload Deletes files Worm:Win32/Visal.A deletes the following files, if found: <system folder>\accwiz.exe <system folder>\actmovie.exe <system folder>\ahui.exe <system folder>\append.exe <system folder>\arp.exe <system folder>\asr_fmt.exe <system folder>\asr_ldm.exe <system folder>\asr_pfu.exe <system folder>\at.exe <system folder>\atmadm.exe <system folder>\attrib.exe <system folder>\auditusr.exe <system folder>\autochk.exe <system folder>\autoconv.exe <system folder>\autofmt.exe <system folder>\autolfn.exe <system folder>\blastcln.exe <system folder>\bootcfg.exe <system folder>\bootok.exe <system folder>\bootvrfy.exe <system folder>\cacls.exe <system folder>\calc.exe <system folder>\charmap.exe <system folder>\chkdsk.exe <system folder>\chkntfs.exe <system folder>\cidaemon.exe <system folder>\cipher.exe <system folder>\cisvc.exe <system folder>\ckcnv.exe <system folder>\clean_all.exe <system folder>\cleanmgr.exe <system folder>\cliconfg.exe <system folder>\clipbrd.exe <system folder>\clipsrv.exe <system folder>\cmdl32.exe <system folder>\cmmon32.exe <system folder>\cmstp.exe <system folder>\comp.exe <system folder>\compact.exe <system folder>\conime.exe <system folder>\control.exe <system folder>\convert.exe <system folder>\cscript.exe <system folder>\dcomcnfg.exe <system folder>\ddeshare.exe <system folder>\debug.exe <system folder>\defrag.exe <system folder>\dfrgfat.exe <system folder>\dfrgntfs.exe <system folder>\diantz.exe <system folder>\diskpart.exe <system folder>\diskperf.exe <system folder>\dllhst3g.exe <system folder>\dmadmin.exe <system folder>\dmremote.exe <system folder>\doskey.exe <system folder>\dosx.exe <system folder>\dplaysvr.exe <system folder>\dpnsvr.exe <system folder>\dpvsetup.exe <system folder>\driverquery.exe <system folder>\drwatson.exe <system folder>\drwtsn32.exe <system folder>\dumprep.exe <system folder>\dvdplay.exe <system folder>\dvdupgrd.exe <system folder>\dxdiag.exe <system folder>\edlin.exe <system folder>\esentutl.exe <system folder>\eudcedit.exe <system folder>\eventcreate.exe <system folder>\eventtriggers.exe <system folder>\eventvwr.exe <system folder>\exe2bin.exe <system folder>\expand.exe <system folder>\extrac32.exe <system folder>\fastopen.exe <system folder>\fc.exe <system folder>\find.exe <system folder>\findstr.exe <system folder>\finger.exe <system folder>\fixmapi.exe <system folder>\fltMc.exe <system folder>\fontview.exe <system folder>\forcedos.exe <system folder>\freecell.exe <system folder>\fsquirt.exe <system folder>\fsutil.exe <system folder>\ftp.exe <system folder>\gdi.exe <system folder>\gen_host.exe <system folder>\getmac.exe <system folder>\gpresult.exe <system folder>\gpupdate.exe <system folder>\grpconv.exe <system folder>\help.exe <system folder>\hostname.exe <system folder>\ie4uinit.exe <system folder>\iexpress.exe <system folder>\imapi.exe Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32. Modifies system policies Worm:Win32/Visal.A modifies the following registry values:
  • Disables Least User Access (LUA):
  • Adds value: "EnableLUA" With data: "0x00000000" In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Disables secure desktop prompting:
  • Adds value: "PromptOnSecureDesktop" With data: "0x00000000" In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • Disables data redirection for interactive processes:
  • Adds value: "EnableVirtualization" With data: "0x00000000" In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Downloads arbitrary files Worm:Win32/Visal.A attempts to download files from the following URLs; these files may also be detected as malware:
  • members.lycos.co.uk
  • members.multimania.co.uk
  • www.sharedocuments.com


  • Analysis by Daniel Radu

    Last update 23 August 2010

     

    TOP