VBS.Plan.B
First posted on 21 November 2011.
Source: BitDefender
Aliases:
VBS.Plan.B is also known as N/A.
Explanation:
VBS.Plan.B is an Internet worm that uses the Outlook Address Book to spread itself.
It is extremely aggressive when spreading across the network.
Once the attachment is executed, the virus copies itself to three files on the system:
"LINUX32.vbs" and a vbs file with a random name in the system folder ("C:\Windows\System" or "C:\Winnt\System32"),
and "reload.vbs" in the Windows folder ("C:\Windows" or "C:\Winnt").
At the same time, the system registry is modified so that two of these files are executed every time the system starts:
- The key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32" with the value
"%dirsystem%\LINUX32.vbs"
and the key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload" with the value
"%dirwin%\reload.vbs"
where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt.
If there is no WinFAT32.exe file in the system directory, the virus automatically sets the key
"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page" (the homepage for Internet Explorer)
to be one of the following:
"http://members.fortunecity.com/.../macromedia32.zip"
"http://members.fortunecity.com/.../linux321.zip"
"http://members.fortunecity.com/.../linux322.zip"
Thus, when Internet Explorer is opened, it will try to automatically download the "MACROMEDIA32.zip" file,
which will be opened when the system is restarted.
To do that, the virus writes the registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\plan colombia"
with the value "%dirwin%\important_note.txt", where %dirwin% is the Windows folder (C:\Windows or C:\Winnt) and "important_note.txt" is a copy of "MACROMEDIA32.zip".
The virus searches the system and the mapped network drives for all files with the
vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 extensions and overwrites them, turning them into .vbs files.
At the same time, VBS.Plan.B creates a file "US-PRESIDENT-AND-FBI-SECRETS.HTM" in the system directory (C:\Windows\System or C:\Winnt\System32).
The "US-PRESIDENT-AND-FBI-SECRETS.HTM" file includes the VBS form of the virus that infects the system if
the user allows ActiveX elements from HTML pages.
It also spreads itself to all the contacts in the Outlook Address Book.
The subject of the mail can be "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=" or can be a random text.
The body of the mail is "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.." or a random text.
The attachment is a copy of the virus, with a random name (a vbs file).
The virus modifies the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout" with the value "0".
It also modifies the key "HKEY_CURRENT_USER\Software\Microsoft\WAB\".
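The registry changes listed above can be checked for in an exported .reg file. The following is an added example, not part of the original BitDefender description: the function names and the sample export are constructed for illustration, and the indicator values are the ones named in this write-up.

```python
import re

# Indicators from the description above: (key path, value name, test on the data).
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion"
INDICATORS = [
    (RUN + r"\run", "linux32", lambda d: d.endswith("linux32.vbs")),
    (RUN + r"\runservices", "reload", lambda d: d.endswith("reload.vbs")),
    (RUN + r"\run", "plan colombia", lambda d: d.endswith("important_note.txt")),
    (r"hkey_current_user\software\microsoft\windows scripting host\settings",
     "timeout", lambda d: d in ("0", "dword:00000000")),
    (r"hkey_current_user\software\microsoft\internet explorer\main",
     "start page", lambda d: "members.fortunecity.com" in d and d.endswith(".zip")),
]

def parse_reg(text):
    """Parse .reg export text into {(key, value_name): data}, all lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            data = m.group(2).strip()
            if data.startswith('"') and data.endswith('"'):  # REG_SZ: unquote, unescape
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            values[(key, m.group(1).lower())] = data.lower()
    return values

def find_indicators(text):
    """Return the (key, value_name) pairs that match the write-up's registry changes."""
    values = parse_reg(text)
    return [(k, n) for k, n, ok in INDICATORS if (k, n) in values and ok(values[(k, n)])]

# Constructed sample export (not captured from a real host).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LINUX32"="C:\\Windows\\System\\LINUX32.vbs"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="C:\\Windows\\reload.vbs"

[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"="30"
'''

if __name__ == "__main__":
    print(find_indicators(SAMPLE))
```

A hit on any single entry is only a lead: the Run value names are specific to this worm, while a Windows Scripting Host timeout of 0 can also be set legitimately.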
On September 17th, the virus displays a message:
"Dedicated to my best brother=>Christiam Julian(C.J.G.S.)
Att. ... (M.H.M. TEAM)"
and then deletes all the network drive maps.
Last update 21 November 2011