My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


(Worm:Win32/VB.HA (OneCare))


-increased processor activity
-inability to connect to certain security websites
-possible notifications from firewall that a program is trying to connect to internet
-suspicious running tasks with icons imitating folders
-presence of files and registry keys from following description

Removal instructions:

Please let BitDefender disinfect your files.

-Run Process Explorer from  Microsoft:
and in the processes list you will find, in case of infection, two tasks named userinit.exe (%windir%\userinit.exe) and system.exe (%windir%\System32\system.exe). Right click on the first and chose Kill Process Tree from the menu
-Run Registry Editor (Start; Run; type regedit), find this registry key:
HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon
and in the right panel you will find the entry Userinit change its value to:"C:\Windows\system32\userinit.exe," .
Use any BD scanner to find all the infected files and delete those.      

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

Upon execution the worm copies itself to %windir%\userinit.exe. In order to be active at the system startup it modifies the following registry key to point to the copies location:
HKLM\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\Userinit
A second copy will be created as %windir%\System32\system.exe. When running, the two tasks will protect each other from being terminated.

An updated version is downloaded form following domains:
The file will be saved as %windir%\system32\task.exe. When executed, it will replace the above copies with the update. This file is also detected as Win32.Worm.VB.NXY      

In order to deny the access to certain security tools it will make changes to C:\Windows\System32\drivers\etc\host and deny access to these websites:

Another file is dropped under %windir%\kdcoms.dll. It is actually a text file containing the following message:
"Don't worry! I will protect your computer". After the update is downloaded, the content of the file changes to the current date.

The worm spreads through USB removable storage devices by creating a copy of itself in the root folder of the drive under the name forever.exe. An autorun.inf file is also created to point to this location.