Win32.Worm.VB.NUD

MEDIUM
LOW
220KB

Symptoms

Presence in the file system of executables with icons imitating folder icons
Presence of a chain of processes running copies of the worm
Presence of an autorun.inf file (pointing to a hidden file) in the root folder of disk partitions, network drives or removable storage devices

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Ovidiu Visoiu, virus researcher

Technical Description:

To trick the user into launching it, the executable uses a folder icon. When launched, it opens "%windir%\Web\Wallpaper" and drops "%windir%\Fonts\wav.wav", which contains the Windows XP-specific "error sound".
It copies itself into many system folders:
"%windir%\Fonts\Fonts.exe"
"%windir%\pchealt\helpctr\binaries\HelpHost.com"
"%windir%\pchealt\Global.exe"
"%windir%\system32\drivers\drivers\drivers.cab.exe"
...
It creates "%windir%\cursors\boom.vbs", which contains VBS commands that add registry keys to start the worm on reboot:
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\", "%windir%\system32\dllcache\Default.exe"
"HKCR\MSCFile\Shell\Open\Command\", "%windir%\Fonts\Fonts.exe"
...
Three copies are launched, creating a chain in which each process protects the others from being stopped.

For spreading, it creates copies of itself in the root folders of network drives and removable drives. It also creates an autorun.inf file that launches a hidden copy of the worm if the drive's autorun feature is enabled.
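The autorun.inf symptom described above can be checked on a drive root with a short script. This is an added example, not Bitdefender's code; the function names, the extension list and the sample file name `Folder.exe` are assumptions made for illustration.

```python
import os

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit in st_file_attributes

# Constructed sample (not taken from a real infection); Folder.exe is a made-up name.
SAMPLE_INF = '; junk\n[autorun]\nopen=Folder.exe\nshell\\open\\command="Folder.exe" /x\nicon=shell32.dll,4\n'


def launch_targets(autorun_text):
    """Return the program named by each launch entry in the [autorun] section."""
    targets, section = [], ""
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or line.startswith(";") or "=" not in line:
            continue  # tolerate junk lines instead of failing on them
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            # The program is the first token of the value; it may be quoted.
            prog = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
            if prog:
                targets.append(prog)
    return targets


def is_hidden(path):
    """Windows hidden-attribute check; always False where the attribute does not exist."""
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def check_root(root, hidden=is_hidden):
    """Return hidden executables in `root` that its autorun.inf would launch."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="latin-1") as fh:
        targets = launch_targets(fh.read())
    findings = []
    for prog in targets:
        path = os.path.join(root, prog.replace("\\", os.sep).lstrip(os.sep))
        if path.lower().endswith(EXEC_EXTS) and os.path.isfile(path) and hidden(path):
            findings.append(path)
    return sorted(set(findings))
```

Call `check_root` once per partition, network drive or removable drive root; a non-empty result means the autorun.inf launches a hidden executable and the drive should be scanned.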