Home / malware Worm:Win32/VBDrivecop.A
First posted on 07 October 2014.
Source: MicrosoftAliases :
There are no other names known for Worm:Win32/VBDrivecop.A.
Explanation :
Threat behavior
Installation
Worm:Win32/VBDrivecop.A copies itself to c:\documents and settings\administrator\rundll20.exe. The malware changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "System"
With data: "c:\documents and settings\administrator\rundll20.exe" The malware creates the following files on your PC:
- c:\contactos.exe
Spreads via€¦
Removable and network drives
Worm:Win32/VBDrivecop.A can create the following files on targeted drives:
:\contactos.exe
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
Payload
Contacts remote host
Worm:Win32/VBDrivecop.A might contact a remote host at alc.dvrdns.org using port 1016. Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 37320c4895e91514c28122a9e73caadf1d7b5133.Symptoms
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\contactos.exe
c:\documents and settings\administrator\rundll20.exe
- You see these entries or keys in your registry:
Sets value: "System"
With data: "c:\documents and settings\administrator\rundll20.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunLast update 07 October 2014