Symptoms
The worm comes as an attachment in an email. When executed, it copies itself to:
- %WINDIR%\VisualGuard.exe
and adds the following registry entry to ensure it will be executed at every Windows startup:
- [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NetDy = %WINDIR%\VisualGuard.exe
To ensure that only one copy of the worm runs on the system, it creates a mutex with the following name:
It also creates the following files:
- %WINDIR%\base64.tmp - MIME-encoded copy of the executable
- %WINDIR%\zip[1-6].tmp - six different MIME-encoded ZIP archives containing the worm (only the name of the archived executable differs)
- %WINDIR%\zipped.tmp - ZIP archive containing the worm's executable; this file is used when generating the six files mentioned above.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Raul TOSA, virus researcher
Technical Description:
The worm scans all files with the following extensions to gather email addresses:
- .pl
- .htm
- .html
- .eml
- .txt
- .php
- .asp
- .wab
- .doc
- .vbs
- .rtf
- .uin
- .shtm
- .cgi
- .dhtm
- .adb
- .tbb
- .dbx
- .sht
- .oft
- .msg
- .jsp
- .wsh
- .xml
The email sent to the gathered addresses has the following form:
SENDER: one of the gathered email addresses, which the worm also harvests
or
SUBJECT: composed from the following groups:
- document
- file
- details
- information
- letter
- product
- website
- application
- screensaver
- bill
- word document
- excel document
- data
- message
- text
- document_all
- here
- hi
- hello
- thanks!
- corrected
- patched
- improved
- important
- read it imediately
Some of the above groups may be blank.
BODY:
One of the following:
- Please see the attached file for details.
- Please read the attached file.
- Your document is attached.
- Please read the document.
- Your file is attached.
- Please confirm the document.
- Please read the important document.
- See the file.
- Requested file.
- Authentication required.
- Your document is attached to this mail.
- I have attached your document.
- I have received your document. The corrected document is attached.
- Your document.
- Your details.
ATTACHMENT:
A name chosen from the following:
- document
- file
- details
- information
- letter
- product
- website
- application
- screensaver
- bill
- word document
- excel document
- data
- message
- text
- document_all
And an extension:
When the ZIP extension is used, the archived executable may have one of the following names:
- "your_details.doc .exe"
- "document.htm .scr"
- "doc.txt .exe"
- "doc.pif"
- "your_details.scr"
- "document.exe"
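The mail pattern described above (one of the fixed body strings, an attachment named from the list with a ZIP extension, and an archived executable hiding behind a space-padded decoy extension) is easy to check for at a mail gateway. The following Python script is an added example, not BitDefender's code: the string lists are copied from the description above, and the message it inspects is constructed inline rather than captured from a real infection.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Fixed strings quoted in the description above (a subset is enough to show the check).
WORM_BODIES = {"please see the attached file for details.", "please read the attached file.",
               "your document is attached.", "please read the document.", "your file is attached."}
ATTACHMENT_STEMS = {"document", "file", "details", "information", "letter", "product",
                    "website", "application", "screensaver", "bill", "data", "message", "text"}
# Archived executable: an executable extension, possibly preceded by a decoy extension
# padded with spaces ("document.htm   .scr"), as in the names listed above.
ARCHIVED_EXE = re.compile(r"(\.\w{2,4}\s+)?\.(exe|scr|pif)$", re.I)

def classify(raw: bytes) -> list[str]:
    """Return the worm traits found in one raw RFC 822 message (empty list = none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, body = [], ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            stem, _, ext = name.rpartition(".")
            if stem.lower() in ATTACHMENT_STEMS and ext.lower() == "zip":
                findings.append(f"attachment name matches worm pattern: {name}")
                try:
                    with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                        for member in zf.namelist():
                            if ARCHIVED_EXE.search(member):
                                findings.append(f"zip contains executable: {member!r}")
                except zipfile.BadZipFile:
                    findings.append("zip attachment is not a valid archive")
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    if body.strip().lower() in WORM_BODIES:
        findings.append("body is one of the worm's fixed strings")
    return findings

def build_sample() -> bytes:
    """Constructed sample in the shape described above (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.htm                 .scr", b"not a real executable")
    msg = EmailMessage()
    msg["From"], msg["To"] = "harvested@example.com", "victim@example.com"
    msg["Subject"] = "corrected document"
    msg.set_content("Please read the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

Run `classify(build_sample())` to see all three traits reported for the constructed message; a plain text mail with no attachment yields an empty list.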
The worm uses its own SMTP engine to spread itself.
It will also try to delete the following entries from these registry keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
- "ssate.exe"
- "srate.exe"
- "sysmon.exe"
- "Taskmon"
- "rate.exe"
- "gouday.exe"
- "Sentry.exe"
- "OLE"
- "d3dupdate.exe"
- "DELETE ME"
- "service"
- "au.exe"
- "msgsvr32"
- "system."
- "Explorer"
and any other keys contained in:
[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]