Win32.Worm.VB.DW
MEDIUM
MEDIUM
210432
(P2P-Worm.VB.dw, Win32/Alcan.5tn!Worm)
Symptoms
Presence of the following files:
- %ProgramFiles%\outlook\outlook.exe, size 210432 bytes;
- %ProgramFiles%\outlook\v.tmp, size 210432 bytes;
- %ProgramFiles%\outlook\p.zip, size 202477 bytes;
- %system32%\bszip.dll, size 62464 bytes;
- c:\onoes.exe, size 175104 bytes.
Presence of the following registry value under the Run key:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "%ProgramFiles%\outlook\outlook.exe /auto"
Removal instructions:
Please let BitDefender delete the files that belong to this worm.
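The symptom list above as an offline triage check, together with a hunt for the propagation artefact described in the technical description below (one archive body copied under many game and application names into P2P download folders). This is an added example, not BitDefender's scanner or the worm's code: it takes the %ProgramFiles%, %system32% and system-drive roots and the Run key's values as parameters so it can be exercised anywhere, and the infected tree it builds for demonstration is constructed (zero-filled files of the advertised sizes, not malware).

```python
"""Offline triage check for the Win32.Worm.VB.DW indicators.

Added example, not BitDefender tooling. Roots and Run values are passed in
as parameters instead of being read from %ProgramFiles%, %system32% and
HKLM directly; on a live Windows host you would pass the real paths and
the values read from the Run key.
"""
import hashlib
import io
import os
import tempfile
import zipfile

# File indicators from the advisory: (root name, relative path) -> size in bytes.
FILE_IOCS = {
    ("programfiles", os.path.join("outlook", "outlook.exe")): 210432,
    ("programfiles", os.path.join("outlook", "v.tmp")): 210432,
    ("programfiles", os.path.join("outlook", "p.zip")): 202477,
    ("system32", "bszip.dll"): 62464,
    ("systemdrive", "onoes.exe"): 175104,
}
# Persistence value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
RUN_VALUE_NAME = "outlook"
RUN_VALUE_SUFFIX = r"\outlook\outlook.exe /auto"


def check_files(roots):
    """Return [(path, size, size_matches)] for every IOC path that exists.
    A size mismatch is still reported: it may be a variant or a repacked copy."""
    hits = []
    for (root, rel), expected in FILE_IOCS.items():
        path = os.path.join(roots[root], rel)
        if os.path.isfile(path):
            size = os.path.getsize(path)
            hits.append((path, size, size == expected))
    return hits


def check_run_value(run_values):
    """run_values: {value name: data} as read from the Run key.
    Returns the offending data string, or None. Matching the tail of the
    path avoids false negatives from a differently expanded %ProgramFiles%."""
    data = run_values.get(RUN_VALUE_NAME, "")
    return data if data.lower().endswith(RUN_VALUE_SUFFIX.lower()) else None


def find_cloned_archives(download_dir):
    """Group .zip files in a P2P download folder by SHA-256 of their bytes.
    The worm writes one archive (p.zip, holding only Setup.exe) under many
    game/application names, so the signature is: two or more differently
    named archives, identical bytes, a single member called Setup.exe."""
    by_hash = {}
    for name in sorted(os.listdir(download_dir)):
        if not name.lower().endswith(".zip"):
            continue
        path = os.path.join(download_dir, name)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        try:
            with zipfile.ZipFile(path) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            members = []
        by_hash.setdefault(digest, []).append((name, members))
    return {h: e for h, e in by_hash.items()
            if len(e) > 1 and all(m == ["Setup.exe"] for _, m in e)}


def build_sample_tree(base):
    """Constructed stand-in for an infected host (no real malware bytes):
    only the names and sizes from the advisory are reproduced."""
    pf, s32, dl = (os.path.join(base, d) for d in ("pf", "s32", "downloads"))
    os.makedirs(os.path.join(pf, "outlook"))
    os.makedirs(s32)
    os.makedirs(dl)
    with open(os.path.join(pf, "outlook", "outlook.exe"), "wb") as fh:
        fh.write(b"\0" * 210432)
    with open(os.path.join(s32, "bszip.dll"), "wb") as fh:
        fh.write(b"\0" * 100)          # present but wrong size: variant?
    # One archive body dropped under two torrent-site names, plus a benign zip.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\0" * 64)
    for clone in ("Heroes3.zip", "Photoshop CS2.zip"):
        with open(os.path.join(dl, clone), "wb") as fh:
            fh.write(buf.getvalue())
    with zipfile.ZipFile(os.path.join(dl, "holiday_photos.zip"), "w") as zf:
        zf.writestr("readme.txt", b"benign")
    roots = {"programfiles": pf, "system32": s32, "systemdrive": base}
    run_values = {RUN_VALUE_NAME: r"C:\Program Files\outlook\outlook.exe /auto"}
    return roots, run_values, dl


if __name__ == "__main__":
    roots, run_values, dl = build_sample_tree(tempfile.mkdtemp())
    for path, size, ok in check_files(roots):
        print(f"{path}: {size} bytes{'' if ok else ' (size differs from advisory)'}")
    print("Run value:", check_run_value(run_values))
    for digest, entries in find_cloned_archives(dl).items():
        print(digest[:16], [n for n, _ in entries])
```

On a real host the download folder to scan is whatever the P2P client is configured to use (c:\downloads in the advisory's example); the hash grouping is what separates the worm's clones from a legitimately shared archive that happens to contain a Setup.exe.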
Analyzed By
Marius Botis, virus researcher
Technical Description:
This malware is a worm that spreads over peer-to-peer networks by placing copies of itself in the shared download folders of popular P2P programs: Morpheus, Limewire, BearShare and Shareaza.
The first time it is run, the worm:
- copies itself to %ProgramFiles%\outlook\outlook.exe;
- creates a registry Run value so that it is started again after reboot: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "%ProgramFiles%\outlook\outlook.exe /auto";
- displays a fake error message:

- executes its copy from %ProgramFiles%\outlook\outlook.exe.
This new instance of the worm performs the following actions:
- drops a backdoor to c:\onoes.exe (175104 bytes), detected by BitDefender as Backdoor.Rbot.CMN;
- executes c:\onoes.exe;
- drops %system32%\bszip.dll, a library used to create ZIP files;
- creates a copy of itself as %ProgramFiles%\outlook\v.tmp (210432 bytes);
- creates the ZIP archive %ProgramFiles%\outlook\p.zip (202477 bytes), which contains the worm under the name Setup.exe;
- connects to websites such as www.mininova.org and www.torrentz.com to collect names of applications and games, then writes copies of that archive under those names into the download folders of the P2P applications listed above, e.g. c:\downloads\Heroes3.zip, where other P2P users pick them up as if they were the real software;
- starts the P2P applications by executing limewire.exe, morpheus.exe, bearshare.exe and shareaza.exe.
To hide its presence, the worm creates the following zero-byte files in %system32%: cmd.com, netstat.com, ping.com, regedit.com, taskkill.com, tasklist.com, tracert.com. A command prompt resolves a bare command name by trying the PATHEXT extensions in order, and the Windows default lists .COM before .EXE, so typing cmd, netstat, ping, regedit, taskkill, tasklist or tracert now selects the empty .com file, which fails to launch; the genuine cmd.exe, netstat.exe, ping.exe, regedit.exe, taskkill.exe, tasklist.exe and tracert.exe are therefore not run. Invoking a tool by its full name (e.g. regedit.exe), or deleting the zero-byte .com files, restores it.
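The shadowing trick above, modelled as an added example (not code from the advisory): cmd.exe resolves a bare command name directory by directory, trying each PATHEXT extension in order, and the Windows default PATHEXT begins .COM;.EXE, so the empty netstat.com wins over netstat.exe while netstat.exe typed in full is matched literally. The stand-in %system32% it builds is constructed, and the resolver reproduces only the lookup order rather than invoking cmd.exe, so it runs on any OS. It also includes the check a responder would run on a suspect host: zero-byte .com files sitting beside a same-named .exe.

```python
"""Why zero-byte cmd.com, netstat.com, ... block the real tools.

Added example, not from the advisory. The resolver models cmd.exe's lookup:
for each search directory, each PATHEXT extension is tried in order, so a
bare "netstat" finds the empty netstat.com before netstat.exe. A name typed
with its extension is matched literally and still launches the real tool.
"""
import os
import tempfile

# Leading entries of the default Windows PATHEXT (the order is what matters).
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD")

# Tools the worm shadows according to the advisory.
SHADOWED_TOOLS = ("cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert")


def resolve_command(name, search_dirs, pathext=DEFAULT_PATHEXT):
    """Return the file cmd.exe would launch for `name`, or None.
    A name with an extension is matched literally; a bare name is tried with
    each PATHEXT extension, directory by directory, extension by extension.
    Filename comparison is case-insensitive, as on Windows."""
    bare = os.path.splitext(name)[1] == ""
    candidates = [name + ext for ext in pathext] if bare else [name]
    for directory in search_dirs:
        entries = {e.lower(): e for e in os.listdir(directory)}
        for cand in candidates:
            if cand.lower() in entries:
                return os.path.join(directory, entries[cand.lower()])
    return None


def find_com_shadows(directory):
    """Stems of zero-byte X.com files that sit beside an X.exe in `directory`.
    A legitimate .com (e.g. more.com) has content and is not reported."""
    entries = {e.lower(): e for e in os.listdir(directory)}
    shadows = []
    for lower, actual in entries.items():
        stem, ext = os.path.splitext(lower)
        if (ext == ".com" and stem + ".exe" in entries
                and os.path.getsize(os.path.join(directory, actual)) == 0):
            shadows.append(stem)
    return sorted(shadows)


def build_sample_system32(base):
    """Constructed stand-in for %system32% after infection (no real binaries)."""
    s32 = os.path.join(base, "system32")
    os.makedirs(s32)
    for tool in SHADOWED_TOOLS + ("notepad",):
        with open(os.path.join(s32, tool + ".exe"), "wb") as fh:
            fh.write(b"MZ")                      # stands in for the real tool
    for tool in SHADOWED_TOOLS:
        open(os.path.join(s32, tool + ".com"), "wb").close()   # worm's 0-byte shadow
    with open(os.path.join(s32, "more.com"), "wb") as fh:
        fh.write(b"MZ")                          # a genuine .com, must not be flagged
    return s32


if __name__ == "__main__":
    s32 = build_sample_system32(tempfile.mkdtemp())
    for cmd in ("netstat", "netstat.exe", "notepad"):
        target = resolve_command(cmd, [s32])
        print(f"{cmd:12} -> {os.path.basename(target)} ({os.path.getsize(target)} bytes)")
    print("shadowed:", find_com_shadows(s32))
```

The same lookup order is why the advisory's removal advice works without reinstalling anything: once the zero-byte .com files are gone, a bare `regedit` falls through to regedit.exe again.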