
VBS.Plan.B

HIGH
HIGH
HTML file: 20074 bytes, VBS File: 12503 bytes
(N/A)

Symptoms

- Instead of every vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2 file there is a copy of the virus
with the same name as the original file and the .vbs extension.
- The key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32"
has the value
"%dirsystem%\LINUX32.vbs"

and the key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload"
has the value
"%dirwin%\reload.vbs"


where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt.

Removal instructions:


1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the windows registry:

Please make sure to modify only the values that are specified. It is also recommended to back up
the Windows Registry before proceeding with these changes.

a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following keys:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32.vbs"


"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload.vbs"


"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\plan colombia"


3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with VBS.Plan.B.

Analyzed By

Mihaela Stoian BitDefender Virus Researcher

Technical Description:

VBS.Plan.B is an Internet worm that uses the Outlook Address Book to spread itself.
It is extremely aggressive when spreading across the network.
Once the attachment is executed, the virus copies itself into three files on the system:
"LINUX32.vbs" and a vbs file with a random name in the system folder ("C:\Windows\System" or "C:\Winnt\System32"),
and "reload.vbs" in the Windows folder ("C:\Windows" or "C:\Winnt").

At the same time, the system registry is modified so that two of these files are executed every time the system starts:
- The key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\LINUX32"
with the value
"%dirsystem%\LINUX32.vbs"

and the key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\reload"
with the value
"%dirwin%\reload.vbs"


where %dirsystem% is C:\Windows\System or C:\Winnt\System32 and
%dirwin% is C:\Windows or C:\Winnt.

If there is no WinFAT32.exe file in the system directory, the virus automatically sets the key

"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"
(the home page for Internet Explorer)
to one of the following:

"http://members.fortunecity.com/.../macromedia32.zip"
"http://members.fortunecity.com/.../linux321.zip"
"http://members.fortunecity.com/.../linux322.zip"



Thus, when Internet Explorer is opened, it will try to automatically download the "MACROMEDIA32.zip" file,
which is then opened when the system is restarted.
To do that, the virus writes the registry key:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\plan colombia"

with the value "%dirwin%\important_note.txt", where %dirwin% is the Windows folder (C:\Windows or C:\Winnt) and "important_note.txt" is a copy of "MACROMEDIA32.zip".

The virus searches the system and the mapped drives in the network for all files with the
vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3, mp2
extensions and overwrites them with .vbs copies of itself.
At the same time, VBS.Plan.B creates a file "US-PRESIDENT-AND-FBI-SECRETS.HTM" in the system directory (C:\Windows\System or C:\Winnt\System32).

The "US-PRESIDENT-AND-FBI-SECRETS.HTM" file includes the VBS form of the virus, which infects the system if
the user allows ActiveX elements from HTML pages.

It also spreads itself to all the contacts in the Outlook Address Book.

The subject of the mail can be "US PRESIDENT AND FBI SECRETS =PLEASE VISIT => (http://WWW.2600.COM)<=" or can be a random text.
The body of the mail is "VERY JOKE..! SEE PRESIDENT AND FBI TOP SECRET PICTURES.." or a random text.

The attachment is a copy of the virus, with a random name (a vbs file).

The virus modifies the registry key
"HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout" with the value "0".
It also modifies the key "HKEY_CURRENT_USER\Software\Microsoft\WAB\\"
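One way to triage a collected registry export for the traces listed above (the Run and RunServices values, the "plan colombia" value, the changed Internet Explorer start page and the Windows Scripting Host Timeout), as an added example that is not Bitdefender's code: it parses a regedit .reg text export so it runs offline, the sample export is constructed, and the fortunecity path segment is a placeholder.

```python
import re
# Constructed .reg export with the traces this page describes; the fortunecity path segment is a PLACEHOLDER.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LINUX32"="C:\\WINDOWS\\SYSTEM\\LINUX32.vbs"
"plan colombia"="C:\\WINDOWS\\important_note.txt"
"Benign"="C:\\Program Files\\Tool\\tool.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"reload"="C:\\WINDOWS\\reload.vbs"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://members.fortunecity.com/PLACEHOLDER/linux321.zip"
[HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings]
"Timeout"=dword:00000000
'''
# (key path suffix, value name, test on decoded data); only the path tail is compared since %dirsystem%/%dirwin% vary.
CHECKS = [
    (r"\CurrentVersion\Run", "LINUX32", lambda v: v.lower().endswith(r"\linux32.vbs")),
    (r"\CurrentVersion\RunServices", "reload", lambda v: v.lower().endswith(r"\reload.vbs")),
    (r"\CurrentVersion\Run", "plan colombia", lambda v: v.lower().endswith(r"\important_note.txt")),
    (r"\Internet Explorer\Main", "Start Page",
     lambda v: "members.fortunecity.com" in v.lower() and v.lower().endswith(".zip")),
    (r"\Windows Scripting Host\Settings", "Timeout", lambda v: v == "0"),
]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_reg_export(text):
    """Map each [key] of a .reg export to {value name: data}; REG_SZ is unescaped, dword becomes a decimal string."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.setdefault(key, {})
        elif key and (m := VALUE_RE.match(line)):
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif data.lower().startswith("dword:"):
                data = str(int(data[6:], 16))
            entries[key][m.group("name")] = data
    return entries

def find_indicators(text):
    """Return (key, value name, data) triples matching the worm's registry traces."""
    hits = []
    for key, values in parse_reg_export(text).items():
        for suffix, name, pred in CHECKS:
            if key.lower().endswith(suffix.lower()) and name in values and pred(values[name]):
                hits.append((key, name, values[name]))
    return hits
```

Run it against an export taken with `regedit /e` from the suspect machine; every triple it returns corresponds to one of the keys the removal instructions above tell you to delete or reset.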

On September the 17th, the virus displays a message:


"Dedicated to my best brother=>Christiam Julian(C.J.G.S.)
Att. ... (M.H.M. TEAM)"

and then deletes all the network drive maps.