
Win32.Worm.VB.NUD


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Worm.VB.NUD.

Explanation :

To trick the user into launching it, the executable uses a folder icon. When launched, it opens
"%windir%WebWallpaper" and drops "%windir%Fontswav.wav", which contains the Windows XP-specific "error sound".
It copies itself into many system folders:
"%windir%FontsFonts.exe"
"%windir%pchealthelpctrinariesHelpHost.com"
"%windir%pchealtGlobal.exe"
"%windir%system32driversdriversdrivers.cab.exe"
...
It creates "%windir%cursorsoom.vbs", which contains VBS commands that add registry keys to start it on reboot:
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "%windir%system32dllcacheDefault.exe"
"HKCR\MSCFile\Shell\Open\Command", "%windir%FontsFonts.exe".
...
Three copies are launched, forming a chain in which each process protects the others from being stopped.

To spread, it creates copies of itself in the root folders of network drives and removable drives. It also creates an autorun.inf file that launches a hidden copy of the worm if the drive's autorun feature is enabled.
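
A triage check for the two persistence points and the autorun.inf launcher described above. This is an added example, not part of the BitDefender write-up; the ODD_DIRS list, the function names and all sample values are assumptions constructed for illustration.

```python
# Directories that normally hold fonts, cursors, drivers or cached DLLs rather
# than programs started at boot (assumed triage list, not from the write-up).
ODD_DIRS = ("fonts", "cursors", "dllcache", "drivers", "pchealth")
AUTOSTART = (r"\currentversion\run", r"\currentversion\runonce")
MSC_HANDLER = r"mscfile\shell\open\command"

def audit_registry(values):
    """values maps (key, value name) -> data; returns (key, name, reason) hits."""
    findings = []
    for (key, name), data in values.items():
        k, parts = key.lower(), data.lower().replace("/", "\\").split("\\")
        if k.endswith(AUTOSTART):
            # Flag an autostart command whose path passes through an odd directory.
            odd = [d for d in ODD_DIRS if d in parts[:-1]]
            if odd:
                findings.append((key, name, "autostart from " + odd[0]))
        elif k.endswith(MSC_HANDLER) and r"\system32\mmc.exe" not in data.lower():
            # On a stock install .msc files are opened by mmc.exe.
            findings.append((key, name, "MSCFile handler is not mmc.exe"))
    return findings

def audit_autorun(text):
    """Return the (key, command) pairs an autorun.inf would execute."""
    section, launched = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (p.strip() for p in line.split("=", 1))
            key = key.lower()
            if key in ("open", "shellexecute") or key.endswith(r"\command"):
                launched.append((key, value))
    return launched

# Constructed sample data, not taken from an infected host.
SAMPLE_REG = {
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "Default"):
        r"C:\WINDOWS\system32\dllcache\example.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater"):
        r'"C:\Program Files\Vendor\updater.exe" /background',
    (r"HKCR\MSCFile\Shell\Open\Command", ""): r"C:\WINDOWS\Fonts\example.exe",
}
SAMPLE_INF = r"""[AutoRun]
open=New Folder.exe
shell\open\command=New Folder.exe
"""
if __name__ == "__main__":
    for hit in audit_registry(SAMPLE_REG) + audit_autorun(SAMPLE_INF):
        print(hit)
```

The registry check matches any path component of the command, so an entry that merely passes a Fonts path as an argument is also reported and needs a manual look.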

Last update 21 November 2011
