Worm:Win32/VB.WG
First posted on 27 November 2010.
Source: SecurityHome
Aliases :
Worm:Win32/VB.WG is also known as Trojan.Win32.Vilsel.avla (Kaspersky), VB.AJZP (AVG), Win32/SillyDl.PVN (CA), Win32/VB.NTU (ESET), Trojan-Downloader.Win32.VB (Ikarus), Mal/Particula-A (Sophos), WORM_VB.EA (Trend Micro).
Explanation :
Worm:Win32/VB.WG is a worm that spreads via MSN Messenger. It also lowers security settings in Internet Explorer.
Installation

Worm:Win32/VB.WG is installed as the following:

C:\MessengerPlus\mplayer2.exe

It creates the following registry modifications to ensure it executes at Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wmplayer"
With data: "C:\messengerplus\mplayer2.exe"

Spreads via...

MSN Messenger

Worm:Win32/VB.WG spreads by sending messages with a link to a copy of itself to the user's contacts in MSN Messenger.

Payload

Lowers system security settings

Worm:Win32/VB.WG lowers the security settings on the infected computer by making the following registry modifications:

Does not check for signatures on downloaded programs:
Sets value: "CheckExeSignatures"
With data: "no"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Download

Does not preserve zone information in file attachments:
Sets value: "SaveZoneInformation"
With data: "00000001"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments

Sets low-risk file types to include common malware file types:
Sets value: "LowRiskFileTypes"
With data: ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations

Opens an Internet Explorer browser

Worm:Win32/VB.WG opens an Internet Explorer window to the following URL, probably in an effort to distract the user:

www.youtube.com/watch?v=vsd3g0h_vs0

The message may contain the following text in Portuguese:

CURTO E GROSSO, EU SEI QUE VC GOSTA. heheheheheehehhehe
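The registry modifications listed above can be checked on a host with a short audit script. This is an added example, not part of the original analysis: the function names, the choice of which listed extensions count as executable, and the sample hive are assumptions made for illustration.

```python
import sys

RUN = r"Software\Microsoft\Windows\CurrentVersion\Run"
DOWNLOAD = r"Software\Microsoft\Internet Explorer\Download"
ATTACH = r"Software\Microsoft\Windows\CurrentVersion\Policies\Attachments"
ASSOC = r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
# Assumption: which entries of the write-up's LowRiskFileTypes list are executable types.
EXECUTABLE_EXTS = {".exe", ".bat", ".com", ".cmd", ".reg", ".msi", ".scr"}

def executable_low_risk_types(data):
    """Executable-type extensions found in a ';'-separated LowRiskFileTypes string."""
    exts = {e.strip().lower() for e in str(data).split(";") if e.strip()}
    return sorted(exts & EXECUTABLE_EXTS)

# (subkey under HKCU, value name, test that is true when the data matches the write-up)
CHECKS = [
    (RUN, "wmplayer", lambda d: str(d).strip('"').lower() == r"c:\messengerplus\mplayer2.exe"),
    (DOWNLOAD, "CheckExeSignatures", lambda d: str(d).lower() == "no"),
    (ATTACH, "SaveZoneInformation", lambda d: str(d).lstrip("0") == "1"),  # DWORD 1
    (ASSOC, "LowRiskFileTypes", lambda d: bool(executable_low_risk_types(d))),
]

def read_hkcu(subkey, name):
    """Live lookup with the standard winreg module (Windows only); None if absent."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None

def dict_reader(hive):
    """Reader over a {(subkey, name): data} dict, for exported or sample data."""
    table = {(k.lower(), n.lower()): v for (k, n), v in hive.items()}
    return lambda subkey, name: table.get((subkey.lower(), name.lower()))

def audit(reader):
    """Return [(subkey, name, data)] for every value that matches the write-up."""
    hits = []
    for subkey, name, matches in CHECKS:
        data = reader(subkey, name)
        if data is not None and matches(data):
            hits.append((subkey, name, data))
    return hits

# Constructed sample: an HKCU hive carrying all four modifications.
SAMPLE_INFECTED = {(RUN, "wmplayer"): r"C:\messengerplus\mplayer2.exe",
                   (DOWNLOAD, "CheckExeSignatures"): "no",
                   (ATTACH, "SaveZoneInformation"): 1,
                   (ASSOC, "LowRiskFileTypes"): ".zip;.rar;.txt;.exe;.scr;"}

if __name__ == "__main__":
    reader = read_hkcu if sys.platform == "win32" else dict_reader(SAMPLE_INFECTED)
    for subkey, name, data in audit(reader):
        print(f"HKCU\\{subkey}\\{name} = {data!r}")
```

On Windows the script reads the current user's hive; elsewhere it runs against the constructed sample. A hit on the security-setting values alone shows the weakened configuration, not necessarily this worm.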
Analysis by Jireh Sanico
Last update 27 November 2010