
Worm:Win32/VB.CB


First posted on 23 March 2019.
Source: Microsoft

Aliases:

Worm:Win32/VB.CB is also known as Win32/Olala.worm.57344, W32/Sillyworm.WH, IM-Worm.Win32.VB.ln, W32/VBWorm.MVK, Worm.VB.DWCR, Worm/VB.APS, Worm/VB.EV.6, Worm.Generic.24677, Win32/Dolagun.I, Win32.HLLW.Siggen.241, Win32/VB.NJO, IM-Worm.Win32.VB, W32/Autorun.worm.h, Found virus :W32/CogDuni.C.worm, Worm.VB.aew.

Explanation:

Worm:Win32/VB.CB is a worm that attempts to spread via Yahoo! Messenger. It may also connect to a remote server to download arbitrary files.

Installation

When executed, Worm:Win32/VB.CB may drop itself to the following locations:

%windir%\dc.exe
%windir%\sviq.exe
%windir%\helpother.exe
%windir%\infother.exe
%windir%\systemfun.exe
winsit.exe
configwin.exe

Note: %windir% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The malware then modifies the system registry by adding registry entries so that it runs on every Windows start, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "dc"
With data: "%windir%\dc.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "dc2k5"
With data: "%windir%\sviq.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "fun"
With data: "%windir%\systemfun.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "shell"
From data: "explorer.exe"
To data: "explorer.exe winsit.exe"

It also creates the following registry entry as part of its installation process:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "load"
With data: "%windir%\infother.exe"
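As an added defender-side example (not part of the Microsoft description), the script below parses a constructed .reg export and flags the three kinds of registry change listed above: a Run entry that launches one of the dropped file names, a Winlogon Shell value that is no longer just explorer.exe, and a non-empty "load" value. Key paths are spelled the way a .reg export writes them; the sample export is constructed for the example, not a real capture.

```python
import re
# Persistence points and dropped file names taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
DROPPED = {"dc.exe", "sviq.exe", "helpother.exe", "infother.exe",
           "systemfun.exe", "winsit.exe", "configwin.exe"}

def parse_reg(text):
    """Parse a .reg export into {key: {value_name (lowercased): data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]*)"="(.*)"$', line)
            if m:  # .reg exports escape backslashes inside string data as \\
                keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(reg):
    """Return findings that match the worm's registry changes."""
    findings = []
    for name, data in reg.get(RUN_KEY, {}).items():
        if data.split("\\")[-1].lower() in DROPPED:  # Run entry launching a dropped file
            findings.append(f"Run value '{name}' -> {data}")
    shell = reg.get(WINLOGON_KEY, {}).get("shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":  # Shell should be exactly explorer.exe
        findings.append(f"Winlogon Shell modified: {shell}")
    load = reg.get(LOAD_KEY, {}).get("load", "")
    if load:  # 'load' is normally absent or empty
        findings.append(f"Windows\\load set: {load}")
    return findings

# Constructed sample export reproducing the entries listed above (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dc"="%windir%\\dc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winsit.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="%windir%\\infother.exe"
'''

if __name__ == "__main__":
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print("SUSPECT:", finding)
```

On a live system the same checks apply to the output of `reg export` for the three keys; a Shell value of exactly "explorer.exe" and an absent "load" value are the expected state.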

Spreads via...

Instant messenger programs

Worm:Win32/VB.CB may check if Yahoo! Messenger is running on the computer. If Yahoo! Messenger is running, Worm:Win32/VB.CB attempts to spread to other computers by sending a link containing a copy of itself to all of the user's contacts.

It may use the following text in the instant message:

Chuc mung, ban da tam thoi thoat khoi Worm DungCoi (Vietnamese: "Congratulations, you have temporarily escaped Worm DungCoi")
Olalala, may tinh cua ban da dinh Worm DungCoi........... (Vietnamese: "Olalala, your computer has caught Worm DungCoi")

Payload

Downloads arbitrary files

Worm:Win32/VB.CB attempts to connect to "dungcoivb.googlepages.com" to download other files. At the time of this writing, the requested file was unavailable for analysis.

Additional information

The worm adds the following string to the file "%windir%\wininit.ini" (a wininit.ini rename entry whose target is NUL causes the named file to be deleted at the next restart):

NUL=C:\WINDOWS\HelpOther.exe

External references

On July 24, 2012, Computerworld reported that Worm:Win32/VB.CB was found in the Apple App store. The app has since been removed.

Analysis by Wei Li

Last update 23 March 2019
