Win32.Worm.VB.NWW

MEDIUM
LOW
~85KB

Symptoms

Presence of the following files:
    Windows\userinit.exe (hidden)
    Windows\System32\system.exe (hidden)
    Windows\kdcom.dll

Notifications from the firewall that a process running from one of the first two paths above is trying to connect to the Internet.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

To trick the user, the infected files carry a folder icon, but they are executables. When launched, the worm drops three files:
    Windows\userinit.exe (hidden)
    Windows\System32\system.exe (hidden)
    Windows\kdcom.dll
The first two are copies of the launcher; the DLL is a plain text file containing printable characters such as the current day or a message ("Don't kill me...please").
The Userinit value of the registry key [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] is changed from %Root_Drive%\Windows\System32\userinit.exe to %Root_Drive%\Windows\userinit.exe, so that the worm is started again after a system reboot.
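As an added example (not Bitdefender's code), the following check validates the Winlogon Userinit value the worm rewrites: it splits the comma-separated value and reports anything other than the single stock userinit.exe under System32. The registry path is the real Winlogon key; the sample values are constructed for illustration, and the live read uses Python's winreg module, so it only runs on Windows.

```python
# Added example (not Bitdefender's code): validate the Winlogon "Userinit" value.
# A clean system has exactly one launcher entry, userinit.exe under
# <Windows>\System32; the worm described above points it at its own copy one
# directory up.  Sample values below are constructed for this example.
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Directory names that may precede "system32" in a legitimate entry.
EXPECTED_ROOTS = {"windows", "%systemroot%"}


def parse_userinit(value):
    """Split the Userinit value into its launcher paths.

    The value is a comma-separated list and normally ends with a trailing
    comma, so empty items are dropped.  Whitespace and quotes are stripped.
    """
    return [item.strip().strip('"') for item in value.split(",") if item.strip()]


def is_stock_launcher(path):
    """True when path ends in <windows or %SystemRoot%>\\system32\\userinit.exe."""
    parts = path.replace("/", "\\").lower().split("\\")
    return (len(parts) >= 3
            and parts[-1] == "userinit.exe"
            and parts[-2] == "system32"
            and parts[-3] in EXPECTED_ROOTS)


def userinit_problems(value):
    """Return a list of findings for a Userinit value; empty means clean."""
    findings = []
    entries = parse_userinit(value)
    if not entries:
        return ["Userinit is empty; Windows logon will not start a shell"]
    if len(entries) > 1:
        findings.append("Userinit has %d entries, expected 1" % len(entries))
    for entry in entries:
        if not is_stock_launcher(entry):
            findings.append("unexpected launcher: %s" % entry)
    return findings


def read_live_userinit():
    """Read the value from the local registry (Windows only); None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample values: the stock entry, the rewrite described above,
    # and a second launcher appended after the stock one.
    samples = {
        "clean": r"C:\Windows\system32\userinit.exe,",
        "worm rewrite": r"C:\Windows\userinit.exe,",
        "extra launcher": r"C:\Windows\system32\userinit.exe,C:\Windows\System32\system.exe,",
    }
    live = read_live_userinit()
    if live is not None:
        samples["this machine"] = live
    for label, value in samples.items():
        problems = userinit_problems(value)
        print("%-16s %s" % (label, "OK" if not problems else "; ".join(problems)))
```

The check deliberately keys on the directory structure rather than on a fixed drive letter, so `%SystemRoot%\system32\userinit.exe` and `D:\Windows\system32\userinit.exe` both pass while a same-named file anywhere else is flagged.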
After the copies of the worm are launched, the initial process exits and the following actions take place.
A login to the scs.msg.yahoo.com server is attempted; Yahoo! Messenger is one of the channels the worm uses to spread.
It tries to download a file, which is the same worm repacked, from URLs such as:
    http://www.freewebs.com/[removed]/rock.mid
    http://user5.titanichost.com/[removed]/rock.mid
    http://sonqh.110mb.com/[removed]/rock.mid
The file is saved as Windows\System32\Task.exe and launched. It replaces the two earlier copies and their processes with its own copies and then deletes itself.
The System.exe process opens a listening UDP port (106x).
The worm monitors removable storage devices and writes a copy named secret.exe together with an autorun.inf to each one, in order to infect other machines on which AutoRun is not disabled.
It modifies System32\drivers\etc\hosts, redirecting URLs to 127.0.0.1, the loopback address.
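As an added example (not Bitdefender's code) covering the two file-based indicators above, the removable-media autorun.inf and the hosts-file tampering: one parser lists the executables an autorun.inf would launch, the other reports hostnames a hosts file pins to a loopback or black-hole address. The hosts-file path is the standard Windows one; the sample file contents and hostnames are constructed for this example.

```python
# Added example (not Bitdefender's code): parsers for the autorun.inf and
# hosts-file indicators described above.  Sample contents are constructed.
import os

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately map to loopback and must not be reported.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}


def suspicious_hosts_entries(text):
    """Return (line_number, ip, hostname) for names pinned to loopback.

    Comments (#...) and blank lines are skipped; one line may carry several
    hostnames.  Only non-localhost names mapped to a loopback/black-hole
    address are reported, which is the tampering pattern described above.
    """
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                hits.append((number, ip, name))
    return hits


def autorun_launch_targets(text):
    """Return the distinct commands an autorun.inf would run on insertion.

    Only the [autorun] section is examined, and only the keys that cause
    execution: open, shellexecute and shell\\<verb>\\command.  Values are
    lowercased and deduplicated, preserving first-seen order.
    """
    targets = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        executes = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if executes and value.lower() not in targets:
            targets.append(value.lower())
    return targets


# Constructed sample inputs for this example.
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1   www.example-av-vendor.test   # constructed redirect
127.0.0.1   update.example.test
"""
SAMPLE_AUTORUN = """\
[autorun]
open=secret.exe
shell\\open\\command=secret.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    hosts_text = SAMPLE_HOSTS
    if os.path.exists(HOSTS_PATH):  # use the real file when run on Windows
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    for number, ip, name in suspicious_hosts_entries(hosts_text):
        print("hosts line %d: %s -> %s" % (number, name, ip))
    for target in autorun_launch_targets(SAMPLE_AUTORUN):
        print("autorun.inf would launch: %s" % target)
```

Ad-blocking hosts lists also map many names to 0.0.0.0 or 127.0.0.1, so on a machine that uses one the hosts output needs to be compared against the list that was installed rather than treated as a finding on its own; an entry for a security vendor's update domain, as in the constructed sample, is the pattern worth escalating.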