Home / malware Win32.Worm.VB.Ymeak.A
First posted on 21 November 2011.
Source: BitDefenderAliases :
There are no other names known for Win32.Worm.VB.Ymeak.A.
Explanation :
This is a worm that spreads itself via peer-to-peer file sharing networks, dropping a backdoor identified by BitDefender as Backdoor.RBot.CMQ. It has a file size of 236,136 bytes.
The first time it is run, it displays the following message to make the user believe it is a setup file downloaded with errors:
After displaying the message, it copies itself to the All Users' startup folder (usually C:Documents and SettingsAll UsersStart MenuProgramsStartup) as svchost.exe, and launches itself from that new location.
The original instance ends its execution at this point.
When launched from the afore mentioned (Startup) folder, it checks if the %system% (usually C:WindowsSystem32) folder contains any of the following files: winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe or p2pnetwork.exe.
These are all file names used by the RBot trojan. If it can't find any of them, it assumes the RBot trojan is not present so it dropps it into the Windows folder as b.exe and runs it.
To spread itself, it collects random application names from certain torrent and direct download sites.
It then places itself in the shared folder of five common P2P file sharing software (listed below) using the previousely collected names, in a subfolder called "_" (underscore).
At regular intervals it looks for the executable files of the file sharing programs Limewire, Shareaza, Bearshare, Morpheus and Morpheus Ultra and launches them.
To protect itself from being discovered, it opens the following files (requesting exclusive access): cmd.exe, netstat.exe, tracert.exe, ping.exe, ipconfig.exe, taskkill.exe, regedt32.exe and taskmgr.exe from the %system% folder and regedit.exe from the %windir% folder.
It keeps them open while it is active, so they can not be executed.Last update 21 November 2011
