Home / malware Email-Worm:W32/VB.BI
First posted on 28 July 2010.
Source: SecurityHomeAliases :
There are no other names known for Email-Worm:W32/VB.BI.
Explanation :
A worm that spreads via e-mail, usually in infected executable e-mail file attachments.
Additional DetailsEmail-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.
The worm attempts to disable several security-related programs.
Installation
Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:
€ %Windows%\rundll16.exe € %System%\scanregw.exe € %System%\Update.exe € %System%\Winzip.exe
where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder.
The worm installs the following registry key for ensuring it will be started on system startup:
€ [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "%System%\scanregw.exe"
Propagation (E-mail)
The worm collects e-mail addresses from files with following extensions:
€ .HTM € .DBX € .EML € .MSG € .OFT € .NWS € .VCF € .MBX € .IMH € .TXT € .MSF
And from the files with the following string in name:
€ CONTENT € TEMPORARY
The worm sends itself as attachment in the infected e-mail.
The e-mail subject is one the following:
€ The Best Videoclip Ever € School girl fantasies gone bad € A Great Video € F* Kama Sutra pics € Arab sex DSC-00465.jpg € give me a kiss € *Hot Movie* € Fw: Funny :) € Fwd: Photo € Fwd: image.jpg € Fw: Sexy € Re: € Fw: € Part 1 of 6 Video clipe € You Must View This Videoclip! € Miss Lebanon 2006 € Re: Sex Video € My photos
The message body may be one of the following:
€ Note: forwarded message attached. € Hot XXX Yahoo Groups € F* Kama Sutra pics € ready to be F*CKED ;) € Note: forwarded message attached. € forwarded message attached. € VIDEOS! FREE! (US$ 0,00) € i attached the details. Thank you. € >> forwarded message € ----- forwarded message ----- € i just any one see my photos. It's Free :)
The worm can attach itself as executable file. It uses one the following names in attachment:
€ 007.pif € School.pif € 04.pif € photo.pif € DSC-00465.Pif € image04.pif € 677.pif € New_Document_file.pif € eBook.PIF € document.pif € DSC-00465.pIf
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
€ Attachments[001].B64 € 3.92315089702606E02.UUE € SeX.mim € Original Message.B64 € WinZip.BHX € eBook.Uu € Word_Document.hqx € Word_Document.uu
The filename inside MIME-encoding is one of the following:
€ Attachments[001].B64 [spaces] .sCR € 3.92315089702606E02.UUE [spaces] .sCR € SeX,zip [spaces] .sCR € WinZip.zip [spaces] .sCR € ATT01.zip [spaces] .sCR € WinZip.zip [spaces] .sCR € Word.zip [spaces] .sCR € Word XP.zip [spaces] .sCR
Propagation (Shared Folders)
The worm searches for remote shared folders and tries to copy itself using one of the following filenames:
€ \Admin$\WINZIP_TMP.exe € \c$\WINZIP_TMP.exe € \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exeLast update 28 July 2010