
Worm:Win32/Visal.B


First posted on 10 September 2010.
Source: SecurityHome

Aliases:

Worm:Win32/Visal.B is also known as WIN.WORM.Virus (Dr.Web), W32/VBMania@MM (McAfee), Worm:Win32/VB.WF (other), W32/Autorun-BHO (Sophos).

Explanation:

Worm:Win32/Visal.B is a worm that spreads via drives C: through H: and via email. When spreading through email, the message contains a link to the worm hosted on a remote server. The file icon resembles a PDF document to maximize the chance of execution.

Installation

When run, the worm copies itself as the following:
  • C:\open.exe
  • C:\%USERNAME% CV 2010.exe
  • %windir%\%USERNAME% CV 2010.exe
  • %windir%\csrss.exe
  • %windir%\system\updates.exe
  • %windir%\system\%USERNAME% CV 2010.exe

The file icon resembles a PDF document to maximize the chance of execution.

It also creates the following autorun configuration files, which cause the worm copy "open.exe" to run automatically when the folder is accessed and Autorun is enabled:
  • C:\autorun.inf
  • %windir%\autorun.inf

The worm also creates the following registry data:

In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FASTFAT\0000\Control
Sets value: "ActiveService"
With data: "Fastfat"

In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NM\0000\Control
Sets value: "ActiveService"
With data: "nm"

In subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_NPF\0000\Control
Sets value: "ActiveService"
With data: "NPF"

In subkey: HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Shares\updates
Sets value: "CSCFlags"
With data: "0"
Sets value: "MaxUses"
With data: "100"
Sets value: "Path"
With data: "C:\WINDOWS\system"
Sets value: "Permissions"
With data: "0"
Sets value: "Remark"
With data: "Publicshareforupdate."
Sets value: "Type"
With data: "0"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FASTFAT\0000\Control
Sets value: "ActiveService"
With data: "Fastfat"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NM\0000\Control
Sets value: "ActiveService"
With data: "nm"

In subkey: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control
Sets value: "ActiveService"
With data: "NPF"

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\updates
Sets value: "CSCFlags"
With data: "0"
Sets value: "MaxUses"
With data: "100"
Sets value: "Path"
With data: "C:\WINDOWS\system"
Sets value: "Permissions"
With data: "0"
Sets value: "Remark"
With data: "Publicshareforupdate."
Sets value: "Type"
With data: "0"

The worm adds an autostart key by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%windir%\csrss.exe"

Spreads via…

Network shares

Worm:Win32/Visal.B attempts to spread to other computers within the network. If it finds an accessible computer in the network, it attempts to copy itself as "N73.Image12.03.2009.JPG.scr" to drives C: to H: of the target computer. The worm creates an autorun configuration file named "autorun.inf" to run the worm copy when the drive is accessed and Autorun is enabled. It also creates a copy of itself as "N73.Image12.03.2009.JPG.scr" in shared folders with the following names:

  • Music
  • Print
  • NewFolder
Email

Worm:Win32/Visal.B also spreads via spammed email messages. The email may have one of the following details:

Example 1
Subject: Here you have
Body:
    Hello: This is The Document I told you about,you can find it Here.
    http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
    Please check it and reply as soon as possible.
    Cheers,

Example 2
Subject: Just for you
Body:
    Hello: This is The Document I told you about,you can find it Here.
    http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf
    Please check it and reply as soon as possible.
    Cheers,

Example 3
Subject: hi
Body:
    Hello: This is The Free Dowload Sex Movies,you can find it Here.
    http://www.sharemovies.com/library/SEX21.025542010.wmv
    Enjoy Your Time.
    Cheers,

Note: The link does not really point to a PDF document or Windows Media movie file. It directs users to download a copy of the worm from a user account on the domain "members.multimania.co.uk" as "PDF_Document21_025542010_pdf.scr".

Payload

Disables Windows services

Worm:Win32/Visal.B deletes the following registry subkeys, which are used to run Windows Security Center (wscsvc) and Windows automatic updating (wuauserv):
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WSCSVC\0000\Control
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV\0000
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WUAUSERV\0000\Control
    HKLM\SYSTEM\ControlSet001\Services\wscsvc
    HKLM\SYSTEM\ControlSet001\Services\wscsvc\Enum
    HKLM\SYSTEM\ControlSet001\Services\wscsvc\Parameters
    HKLM\SYSTEM\ControlSet001\Services\wscsvc\Security
    HKLM\SYSTEM\ControlSet001\Services\wuauserv
    HKLM\SYSTEM\ControlSet001\Services\wuauserv\Enum
    HKLM\SYSTEM\ControlSet001\Services\wuauserv\Parameters
    HKLM\SYSTEM\ControlSet001\Services\wuauserv\Security
    HKLM\SYSTEM\ControlSet003\Control\Print\Environments\WindowsNTx86\Drivers\o
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WSCSVC\0000\Control
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WUAUSERV\0000\Control
    HKLM\SYSTEM\CurrentControlSet\Services\wscsvc
    HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Parameters
    HKLM\SYSTEM\CurrentControlSet\Services\wscsvc\Security
    HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
    HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
    HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Security

Changes Windows settings

The worm modifies registry data that changes certain functions of Windows.
  • Disables least-privileged user account (LUA) protection
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Sets value: "EnableLUA"
    With data: "0"
  • Disables data redirection for interactive processes
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Sets value: "EnableVirtualization"
    With data: "0"
  • Disables secure desktop prompting
    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    Sets value: "PromptOnSecureDesktop"
    With data: "0"

The worm also creates the following registry data:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "0"
With data: ""
Sets value: "1"
With data: "C:\WINDOWS\system"
Sets value: "2"
With data: "C:\WINDOWS"
Sets value: "3"
With data: "C:\"

Disables Windows firewall/opens ports

Worm:Win32/Visal.B modifies registry data that opens TCP and UDP ports 137, 138, 139 and 443 and also attempts to disable Windows firewall, as shown below for a Windows XP computer:

In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Sets value: "EnableFirewall"
With data: "0"

In subkey: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
Sets value: "137:UDP"
With data: "137:UDP:*:Enabled:@xpsp2res.dll,-22001"
Sets value: "138:UDP"
With data: "138:UDP:*:Enabled:@xpsp2res.dll,-22002"
Sets value: "139:TCP"
With data: "139:TCP:*:Enabled:@xpsp2res.dll,-22004"
Sets value: "445:TCP"
With data: "445:TCP:*:Enabled:@xpsp2res.dll,-22005"
Sets value: "137:UDP"
With data: "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
Sets value: "138:UDP"
With data: "138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
Sets value: "139:TCP"
With data: "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
Sets value: "445:TCP"
With data: "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"

In subkey: HKLM\SYSTEM\ControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
Sets value: "137:UDP"
With data: "137:UDP:*:Enabled:@xpsp2res.dll,-22001"
Sets value: "138:UDP"
With data: "138:UDP:*:Enabled:@xpsp2res.dll,-22002"
Sets value: "139:TCP"
With data: "139:TCP:*:Enabled:@xpsp2res.dll,-22004"
Sets value: "445:TCP"
With data: "445:TCP:*:Enabled:@xpsp2res.dll,-22005"
Sets value: "137:UDP"
With data: "137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001"
Sets value: "138:UDP"
With data: "138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002"
Sets value: "139:TCP"
With data: "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
Sets value: "445:TCP"
With data: "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005"

Prevents applications from running

The worm creates numerous registry modifications that intercept execution calls to the requested application, so that the worm runs instead:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process name>
Sets value: "Debugger"
With data: "%windir%\csrss.exe"

where <process name> may be any of the following:
    _aVP32.ExE
    _aVPCC.ExE
    _aVPM.ExE
    00hoeav.com
    0w.com
    360rpt.ExE
    360safe.ExE
    360safebox.ExE
    360tray.ExE
    6.bat
    6fnlpetp.exe
    6x8be16.cmd
    a2cmd.ExE
    a2free.ExE
    a2service.ExE
    a2upd.ExE
    abk.bat
    adobe Gamma Loader.exe
    algsrvs.exe
    algssl.exe
    angry.bat
    aNtIaRP.ExE
    antihost.exe
    anti-trojan.exe
    aNtS.ExE
    apu.stt
    apu-0607g.xml
    aPVxdWIN.ExE
    arSwp.ExE
    ashdisp.exe
    ashEnhcd.exe
    ashLogV.exe
    ashMaiSv.exe
    ashPopWz.exe
    ashQuick.exe
    ashServ.exe
    ashSkPcc.exe
    ashUpd.exe
    ashWebSv.exe
    ast.ExE
    aswBoot.exe
    aswRegSvr.exe
    aswUpdSv.exe
    autorun.bin
    autoRun.ExE
    autorun.ini
    autorun.reg
    autorun.txt
    autorun.wsh
    autoRunKiller.ExE
    autoruns.exe
    autorunsc.exe
    avadmin.exe
    avastSS.exe
    avcenter.exe
    avciman.exe
    avconfig.exe
    aVCONSOL.ExE
    aVENGINE.ExE
    avgamsvr.exe
    avgas.exe
    avgcc.exe
    avgcc32.exe
    avgemc.exe
    avginet.exe
    avgnt.exe
    avgrssvc.exe
    avgrsx.exe
    avgscan.exe
    avgscanx.exe
    avgserv.exe
    avguard.exe
    avgupsvc.exe
    avgw.exe
    avgwdsvc.exe
    avltd.exe
    avmailc.exe
    avMonitor.ExE
    avnotify.exe
    avp.com
    avp.exe
    aVP32.ExE
    aVPCC.ExE
    aVPM.ExE
    avscan.exe
    avzkrnl.dll
    bad1.exe
    bad2.exe
    bad3.exe
    bdagent.exe
    bdsubwiz.exe
    BdSurvey.exe
    BIOSREad.exe
    blackd.exe
    blackice.exe
    caiss.exe
    caissdt.exe
    catcache.dat
    cauninst.exe
    Cavapp.ExE
    cavasm.ExE
    CavaUd.ExE
    CaVCmd.exe
    CaVCtx.exe
    CavEmSrv.ExE
    Cavmr.ExE
    CavMUd.ExE
    Cavoar.ExE
    CavQ.ExE
    CaVRep.exe
    CaVRid.exe
    CaVSCons.ExE
    cavse.ExE
    CavSn.ExE
    CavSub.ExE
    CaVSubmit.ExE
    CavUMaS.ExE
    CavUserUpd.ExE
    Cavvl.ExE
    CCenter.ExE
    CEmRep.ExE
    ckahcomm.dll
    ckahrule.dll
    ckahum.dll
    cleaner.exe
    cleaner3.exe
    clldr.dll
    CMain.ExE
    copy.exe
    curidsbase.kdz
    destrukto.vbs
    dF5Serv.exe
    diffs.dll
    drvins32.exe
    drwadins.exe
    drweb32w.exe
    drweb386.exe
    drwebscd.exe
    drwebupw.exe
    drwebwcl.exe
    drwreg.exe
    e.cmd
    e9ehn1m8.com
    edb.chk
    egui.exe
    ekrn.exe
    EMdISK.exe
    f0.cmd
    FileKan.exe
    flashy.exe
    FPaVServer.exe
    FProttray.exe
    fpscan.exe
    fptrayproc.exe
    FPWin.exe
    FrameworkService.exe
    Frameworkservice.ExE
    FRW.ExE
    FrzState2k.exe
    fs6519.dll.vbs
    fssf.exe
    fssync.dll
    fun.xls.exe
    g2pfnid.com
    GetSI.dll
    GFUpd.ExE
    guard.exe
    GuardField.ExE
    guardgui.exe
    guardxkickoff.exe
    guardxkickoff_x64.exe
    guardxservice.exe
    guardxup.exe
    h3.bat
    Hijackthis.ExE
    hookinst.exe
    host.exe
    i.bat
    iamapp.exe
    iamserv.exe
    IceSword.ExE
    ICLOad95.ExE
    ICLOadNt.ExE
    ICMON.ExE
    ICSUPP95.ExE
    ICSUPPNt.ExE
    Identity.exe
    iefqwp.cmd
    IEShow.exe
    IFaCE.ExE
    ij.bat
    InstallCaVS.ExE
    InstLsp.ExE
    Iparmor.ExE
    iSafe.exe
    iSafInst.exe
    KaSaRP.ExE
    kav.bav
    kav32.ExE
    kavbase.kdl
    KaVPFW.ExE
    kavstart.ExE
    ker.vbs
    KeyMgr.exe
    killVBS.vbs
    kissvc.ExE
    kl1.sys
    klavemu.kdl
    klbg.cat
    klbg.sys
    klif.cat
    klif.sys
    klim5.sys
    kmailmon.ExE
    KPfwSvc.ExE
    KRegEx.ExE
    KVSrvxP.ExE
    KVWSC.ExE
    kwatch.ExE
    licmgr.ex
    licreg.exe
    lky.exe
    lockdown2000.exe
    m2nl.bat
    mbam.exe
    mcagent.exe
    mcappins.exe
    mcaupdate.exe
    mcdash.exe
    Mcdetect.exe
    mcinfo.exe
    mcinsupd.exe
    mcmnhdlr.exe
    mcregwiz.exe
    McShield.exe
    Mctray.exe
    mcupdmgr.exe
    mcupdui.exe
    McVSEscn.exe
    mcvsftsn.exe
    mcvsmap.exe
    mghtml.exe
    Mmsk.ExE
    MooLive.exe
    msdos.pif
    msfir80.exe
    MSGrc32.vbs
    msime80.exe
    msizap.exe
    msmsgs.exe
    msvcm80.dll
    msvcp80.dll
    msvcr71.dll
    msvcr80.dll
    mzvkbd.dll
    mzvkbd3.dll
    naiavfin.exe
    naPrdMgr.exe
    Navapsvc.ExE
    NaVaPW32.ExE
    NaVW32.ExE
    netcfg.dll
    new folder.exe
    njibyekk.com
    nod32.exe
    nod32krn.exe
    nod32kui.exe
    oasclnt.exe
    olb1iimw.bat
    OnaccessInstaller.ExE
    Pagent.exe
    Pagentwd.exe
    PavFnSvr.exe
    pavprsrv.exe
    PavReport.exe
    pavsched.exe
    PaVSRV51.ExE
    pavtest.exe
    pctsauxs.exe
    pctsSvc.exe
    pctstray.exe
    PFW.ExE
    preupd.exe
    prloader.dll
    procexp.exe
    psctrlc.exe
    PsCtrlS.exe
    PSHost.exe
    PsImSvc.exe
    pskmssvc.exe
    QQdoctor.ExE
    QtnMaint.exe
    RaV.ExE
    ravmon.exe
    Ravservice.ExE
    RavStub.ExE
    RaVtRaY.ExE
    rcukd.cmd
    reload.exe
    rescue32.exe
    rescuecd.zip
    rfwmain.ExE
    rfwProxy.ExE
    rfwsrv.ExE
    Rfwstub.ExE
    rose.exe
    RStray.ExE
    Runiep.ExE
    safeboxtray.ExE
    sal.xls.exe
    sched.exe
    SCVHOSt.exe
    scvhosts.exe
    SCVHSOt.exe
    SCVVHOSt.exe
    scvvhosts.exe
    SCVVHSOt.exe
    seccenter.exe
    SendLogs.exe
    session.exe
    shstat.exe
    Socksa.ex
    SOLOCFG.exe
    SOLOLItE.exe
    SOLOSCaN.exe
    SOLOSENt.exe
    Sphinx.exe
    spidercpl.exe
    spiderml.exe
    spidernt.exe
    spiderui.exe
    spml_set.exe
    Spybotsd.exe
    SREngLdr.ExE
    ssvichosst.exe
    sxs.exe
    system.exe
    tca.exe
    temp.exe
    temp2.exe
    toy.exe
    tPSrv.exe
    trojandetector.ExE
    trojanwall.ExE
    trojdie.KxP
    UdaterUI.exe
    uiscan.exe
    unp_test.ExE
    update.exe
    updater.dll
    UPSdbMaker.ExE
    userdump.exe
    UUpd.ExE
    v.exe
    Vba32act.exe
    Vba32arkit.exe
    Vba32ECM.exe
    Vba32ifs.exe
    vba32ldr.exe
    Vba32PP3.exe
    Vba32Qtn.exe
    vbcmserv.exe
    vbcons.exe
    vbglobal.exe
    vbimport.exe
    vbinst.exe
    vbscan.exe
    vbsystry.exe
    VetMsg.exe
    virusutilities.exe
    Visthaux.exe
    VPC32.ExE
    VPtRaY.ExE
    VSECOMR.ExE
    VSHWIN32.ExE
    vsmon.exe
    vsserv.exe
    VSStat.ExE
    VstskMgr.exe
    WEBPROxY.ExE
    WEBSCaNx.ExE
    whi.com
    WinGrc32.dll
    WOPtILItIES.ExE
    Wradmin.exe
    WrCtrl.exe
    wscntfy.exe
    wsctool.exe
    yannh.cmd
    ybj8df.exe
    zonealarm.exe

Downloads arbitrary files

Worm:Win32/Visal.B attempts to download files from the following domain: members.multimania.co.uk

Disables USB protection software

Worm:Win32/Visal.B removes USB protection software by deleting the following folders:
  • C:\Program Files\USB Disk Security
  • D:\Program Files\USB Disk Security

Terminates processes

Worm:Win32/Visal.B terminates any of the following processes:
  • Usbguard.exe
  • CPE17AntiAutoruna.exe

Clears HOSTS file

The worm may delete the contents of the local HOSTS file, commonly stored as %windir%\system32\drivers\etc\hosts. Removing the contents of the HOSTS file allows the local computer to retrieve IP address destinations from the configured DNS server, bypassing blocks that may be established in the HOSTS configuration file.
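As an added host-triage example (not part of the original write-up), the following PowerShell script checks a Windows host for the artifacts described above: the Winlogon Shell hijack, the dropped copies and autorun.inf files, IFEO Debugger redirections to csrss.exe, the UAC and firewall policy changes, the deleted service keys, the "updates" share and an emptied HOSTS file. It assumes an elevated prompt, reads only the CurrentControlSet view of the registry, and reports findings without changing anything.

```powershell
# Added triage example (not from the original analysis). Checks the
# CurrentControlSet view of the artifacts in the write-up and changes nothing.
# Assumes an elevated prompt; paths follow the write-up (open.exe, updates.exe).
$findings = @()
$winDir = $env:windir

# Autostart hijack: Winlogon Shell should be explorer.exe, the worm sets csrss.exe
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^explorer\.exe$') { $findings += "Winlogon Shell = '$shell'" }

# Dropped copies and autorun.inf files; a genuine csrss.exe lives only in system32
foreach ($p in "C:\open.exe", "$winDir\csrss.exe", "$winDir\system\updates.exe", 'C:\autorun.inf', "$winDir\autorun.inf") {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# IFEO hijack: any Debugger value that redirects a process to csrss.exe
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg -match 'csrss\.exe') { $findings += "IFEO Debugger on $($_.PSChildName) -> $dbg" }
}

# UAC policy values the worm forces to 0
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
foreach ($v in 'EnableLUA', 'EnableVirtualization', 'PromptOnSecureDesktop') {
    if ($pol -and $pol.$v -eq 0) { $findings += "$v = 0" }
}

# Firewall switched off or NetBIOS/SMB ports globally opened
foreach ($prof in 'StandardProfile', 'DomainProfile') {
    $base = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$prof"
    if ((Get-ItemProperty $base -ErrorAction SilentlyContinue).EnableFirewall -eq 0) { $findings += "$prof EnableFirewall = 0" }
    $ports = Get-ItemProperty "$base\GloballyOpenPorts\List" -ErrorAction SilentlyContinue
    foreach ($port in '137:UDP', '138:UDP', '139:TCP', '445:TCP') {
        if ($ports -and $ports.$port) { $findings += "$prof globally open port $port" }
    }
}

# Deleted service keys, the "updates" share exposing %windir%\system, emptied HOSTS
foreach ($svc in 'wscsvc', 'wuauserv') {
    if (-not (Get-Service -Name $svc -ErrorAction SilentlyContinue)) { $findings += "Service key missing: $svc" }
}
$shares = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares'
if ((Test-Path "$shares\updates") -or (Get-ItemProperty $shares -ErrorAction SilentlyContinue).updates) { $findings += "Share 'updates' defined" }
$hosts = "$winDir\system32\drivers\etc\hosts"
if ((Test-Path $hosts) -and (Get-Item $hosts).Length -eq 0) { $findings += 'HOSTS file is empty' }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } } else { Write-Output 'No Visal.B indicators found' }
```

A hit on any single check is worth confirming against the full list above before remediating, since the UAC and firewall values can also be set legitimately by policy.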

Analysis by Rodel Finones & Patrick Nolan

Last update 10 September 2010