
Worm.VB.AN


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Worm.VB.AN is also known as Email-Worm.Win32.VB.an, W32.Alcra.B, W32/Alcan.worm!p2p, WORM_VB.AS.

Explanation :

* spreads via file sharing on P2P networks
* includes functionality to download, install and execute new malware executables

* when the worm is executed, it performs the following operations:
* creates the %ProgramFiles%\winupdates directory with the hidden and system attributes set
* copies itself as:
* %ProgramFiles%\winupdates\winupdates.exe - this file has the hidden and system attributes set
* %ProgramFiles%\winupdates\a.tmp
* %ProgramFiles%\winupdates\a.zip - an archive containing a single file, Setup.exe, which is a copy of the worm
* drops bszip.dll into the %Sys32% directory - this file is clean (a compression library, not malicious code)

* may attempt to overwrite %Sys32%\taskmgr.exe
* in order to run at startup, adds the following value to the system registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates = "%ProgramFiles%\winupdates\winupdates.exe /auto"

* attempts to connect to http://windowsupdate.microsoft.com in order to verify if internet connection is available

* disables the following utility programs by creating same-named files with a .com extension in the %sysdir% directory:
netstat
ping
tracert
tasklist
taskkill
regedit
cmd
(when a command is typed without an extension, the shell tries the extensions listed in PATHEXT in order, and .COM comes before .EXE; so when the user types regedit, the system runs regedit.com rather than the expected regedit.exe)

* the worm will try to copy a.zip to shared P2P folders
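The following triage script is an added example and is not part of the BitDefender description or the malwarePDF page. It checks a Windows host for the indicators listed above: the hidden winupdates directory and its dropped files, the Run-key value, the .com shadow files for the seven utilities, the dropped bszip.dll, and the state of taskmgr.exe. It assumes %Sys32% / %sysdir% resolve to $env:SystemRoot\System32 and that the shadow files carry the .com extension the description implies; the SHA256 hashes it reports are for comparison against a known-good build, since the page gives no hashes.

```powershell
# Added example: host triage for the Worm.VB.AN indicators described on this page.
# Assumptions (not from the page): %Sys32% = $env:SystemRoot\System32, shadow files end in .com.
$findings = @()
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Dropped directory and worm copies under %ProgramFiles%\winupdates
$wuDir = Join-Path $env:ProgramFiles 'winupdates'
if (Test-Path -LiteralPath $wuDir) {
    # -Force is needed because the directory has Hidden and System attributes set
    $attrs = (Get-Item -LiteralPath $wuDir -Force).Attributes
    $findings += "Directory present: $wuDir (attributes: $attrs)"
    foreach ($name in 'winupdates.exe', 'a.tmp', 'a.zip') {
        $p = Join-Path $wuDir $name
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "  Dropped file: $p SHA256=$hash"
        }
    }
}

# 2. Persistence: Run key value named 'winupdates'
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'winupdates' -ErrorAction SilentlyContinue
if ($runVal) {
    $findings += "Run key value 'winupdates' = $($runVal.winupdates)"
}

# 3. .com shadows of command-line tools. These win over the .exe because .COM
#    precedes .EXE in PATHEXT when a command is typed without an extension.
foreach ($tool in 'netstat', 'ping', 'tracert', 'tasklist', 'taskkill', 'regedit', 'cmd') {
    $com = Join-Path $sys32 "$tool.com"
    if (Test-Path -LiteralPath $com) {
        $hash = (Get-FileHash -LiteralPath $com -Algorithm SHA256).Hash
        $findings += "Shadow file: $com SHA256=$hash"
    }
}

# 4. Dropped (clean) compression library and possible taskmgr.exe overwrite.
#    taskmgr.exe is reported by hash and timestamp for comparison with a known-good
#    build of the same Windows version; a hash alone cannot prove tampering.
$bszip = Join-Path $sys32 'bszip.dll'
if (Test-Path -LiteralPath $bszip) { $findings += "Dropped library: $bszip" }
$taskmgr = Join-Path $sys32 'taskmgr.exe'
if (Test-Path -LiteralPath $taskmgr) {
    $tm = Get-Item -LiteralPath $taskmgr
    $hash = (Get-FileHash -LiteralPath $taskmgr -Algorithm SHA256).Hash
    $findings += "taskmgr.exe LastWrite=$($tm.LastWriteTimeUtc.ToString('u')) SHA256=$hash"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Worm.VB.AN indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

The .com shadows are only effective because of extension search order; `$env:PATHEXT` on a default install starts with `.COM;.EXE;...`, so any `netstat.com` sitting next to `netstat.exe` is what runs when an operator types `netstat`. Typing the full name `netstat.exe` bypasses the shadow and is a quick way to confirm the hijack during hands-on response.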

Last update 21 November 2011