Worm:Win32/VB.CB
First posted on 28 April 2010.
Source: SecurityHome

Aliases:
Worm:Win32/VB.CB is also known as Win32/Olala.worm.57344 (AhnLab), W32/Sillyworm.WH (Authentium (Command)), IM-Worm.Win32.VB.ln (Kaspersky), W32/VBWorm.MVK (Norman), Worm.VB.DWCR (VirusBuster), Worm/VB.APS (AVG), Worm/VB.EV.6 (Avira), Worm.Generic.24677 (BitDefender), Win32/Dolagun.I (CA), Win32.HLLW.Siggen.241 (Dr.Web), Win32/VB.NJO (ESET), IM-Worm.Win32.VB (Ikarus), W32/Autorun.worm.h (McAfee), W32/CogDuni.C.worm (Panda), Worm.VB.aew (Rising AV), W32/VB-DGA (Sophos), IM-Worm.Win32.VB.ev (Sunbelt Software), W32.Imaut.AS (Symantec) and WORM_VB.GMM (Trend Micro).
Explanation:
Worm:Win32/VB.CB is a worm that attempts to spread via Yahoo! Messenger. It may also connect to a remote server to download arbitrary files.
Installation

When executed, Worm:Win32/VB.CB may drop itself to the following locations:

%windir%\dc.exe
%windir%\sviq.exe
%windir%\help\other.exe
%windir%\inf\other.exe
%windir%\system\fun.exe
<system folder>\winsit.exe
<system folder>\config\win.exe

The malware then modifies the system registry by adding the following registry entries so that it runs on every Windows start (for example):

Adds value: "dc"
With data: "%windir%\dc.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "dc2k5"
With data: "%windir%\sviq.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "fun"
With data: "%windir%\system\fun.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Modifies value: "shell"
From data: "explorer.exe"
To data: "explorer.exe <system folder>\winsit.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Adds value: "load"
With data: "%windir%\inf\other.exe"
To subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

Note that the last two entries do not use the Run key. Appending a path to the Winlogon "Shell" value makes Winlogon launch the worm alongside explorer.exe at every logon, so clean-up must restore "Shell" to exactly "explorer.exe" rather than delete the value. The "load" value is the registry equivalent of the legacy win.ini [windows] load= line and is likewise processed at logon; on a clean system it is absent or empty.

Spreads via...

Instant messenger programs

Worm:Win32/VB.CB may check whether Yahoo! Messenger is running on the system. If it is, Worm:Win32/VB.CB attempts to spread to other computers by sending a link pointing to a copy of itself to all of the user's contacts. The malware may use the following Vietnamese text in the message:

Chuc mung, ban da tam thoi thoat khoi Worm DungCoi Olalala, may tinh cua ban da dinh Worm DungCoi...........
(Roughly: "Congratulations, you have temporarily escaped Worm DungCoi. Olalala, your computer has caught Worm DungCoi...........")

Payload

Downloads arbitrary files

Worm:Win32/VB.CB attempts to connect to "dungcoivb.googlepages.com" to download other files. At the time of this writing, the requested file was unavailable for analysis.

Additional Information

The worm adds the following line to %Windir%\wininit.ini:

NUL=C:\WINDOWS\Help\Other.exe

On the Windows 9x/Me family, a wininit.ini [rename] entry of the form NUL=<path> instructs the system to delete <path> at the next boot, so this line schedules removal of one of the dropped copies on restart. NT-based Windows does not process wininit.ini (it uses the PendingFileRenameOperations registry value for the same purpose), so on those systems the line is inert but still a useful artifact for triage.
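As an added example, not part of the original write-up and not Microsoft's or any vendor's code, the following Python script checks the persistence indicators listed above (Run values, the modified Winlogon "Shell" value, the "load" value and the wininit.ini NUL= line) against the text of a .reg export and a wininit.ini file. The .reg and .ini contents embedded in it are constructed sample input; the function and variable names are the example's own. Dropped files are matched by file name only, because the page gives their locations with %windir% and <system folder> placeholders.

```python
import re

# Indicators transcribed from the write-up above. Matched by file name only, since
# the page gives the paths with %windir% / <system folder> placeholders.
DROPPED_FILE_NAMES = {"dc.exe", "sviq.exe", "other.exe", "fun.exe", "winsit.exe", "win.exe"}
RUN_VALUE_NAMES = {"dc", "dc2k5", "fun"}

# Registry key and value names are case-insensitive; everything is compared lower-cased.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LOAD_KEY = r"hkey_current_user\software\microsoft\windows nt\currentversion\windows"

# "name"=data or @=data lines as written by reg.exe export / regedit.
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # In a .reg file a backslash escapes the character after it (so \\ is one backslash).
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}; only string ("...") data is decoded."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def _file_name(command):
    # First token of a command line, reduced to its last path component, lower-cased.
    first = command.strip().split(" ")[0]
    return first.replace("/", "\\").split("\\")[-1].lower()


def scan_registry(keys):
    """Return human-readable findings for the persistence entries described in the write-up."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        vals = {name.lower(): data for name, data in values.items()}
        if k in RUN_KEYS:
            for name, data in vals.items():
                if name in RUN_VALUE_NAMES or _file_name(data) in DROPPED_FILE_NAMES:
                    findings.append(f"Run value {name!r} -> {data}")
        elif k == WINLOGON_KEY:
            # A clean Shell value is exactly "explorer.exe"; anything appended runs at every logon.
            shell = vals.get("shell", "")
            if shell and shell.strip().lower() != "explorer.exe":
                findings.append(f"Winlogon Shell modified -> {shell}")
        elif k == LOAD_KEY:
            # 'load' is the registry form of the win.ini [windows] load= line; normally empty.
            load = vals.get("load", "")
            if load:
                findings.append(f"legacy load value set -> {load}")
    return findings


def scan_wininit_ini(text):
    """Flag NUL=<path> lines: on Windows 9x/Me such a [rename] entry deletes <path> at next boot."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(";") or line.startswith("["):
            continue
        target, source = line.split("=", 1)
        if target.strip().upper() == "NUL":
            findings.append(f"wininit.ini schedules delete-at-boot of {source.strip()}")
    return findings


# Constructed sample input shaped like the artifacts on the page (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"dc"="C:\\WINDOWS\\dc.exe"
"dc2k5"="C:\\WINDOWS\\sviq.exe"
"fun"="C:\\WINDOWS\\system\\fun.exe"
"OneDrive"="C:\\Users\\me\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\winsit.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"="C:\\WINDOWS\\inf\\other.exe"
'''

SAMPLE_WININIT = "[rename]\nNUL=C:\\WINDOWS\\Help\\Other.exe\n"


def scan_host(reg_text, wininit_text):
    """Combine both checks; on a real host feed it the output of 'reg export' and %windir%\\wininit.ini."""
    return scan_registry(parse_reg_export(reg_text)) + scan_wininit_ini(wininit_text)


if __name__ == "__main__":
    for finding in scan_host(SAMPLE_REG, SAMPLE_WININIT):
        print(finding)
```

The benign OneDrive Run value in the sample is there to show that the checks key on the worm's value names and file names rather than flagging every autostart entry; a Winlogon "Shell" value equal to "explorer.exe" and an absent "load" value produce no findings.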
Analysis by Wei Li. Last update 28 April 2010.