My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.VB.DW

MEDIUM
MEDIUM
210432
(P2P-Worm.VB.dw, Win32/Alcan.5tn!Worm)

Symptoms

Presence of the following files:
  • %ProgramFiles%\outlook\outlook.exe, 210432 bytes;
  • %ProgramFiles%\outlook\v.tmp, size 210432 bytes;
  • %ProgramFiles%\outlook\p.zip, size 202477 bytes;
  • %system%\bszip.dll, 62464 bytes;
  • c:\onoes.exe, 175104 bytes;
Presence of the following registry key:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "%ProgramFiles%\outlook\outlook.exe /auto"

Removal instructions:

Please let BitDefender delete the files that belong to this worm.

Analyzed By

Marius Botis, virus researcher

Technical Description:

This malware is a worm which spreads itself using peer-to-peer networks through the shares of the popular P2P sharing programs: Morpheus, Limewire, BearShare, Shareaza.

The first time when it is run, the worm:
  • copies itself in %ProgramFiles%\outlook\outlook.exe
  • creates a registry key to ensure that it will run after reboot: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "%ProgramFiles%\outlook\outlook.exe /auto"
  • displays a fake error message:

  • executes the its copy from %ProgramFiles%\outlook\outlook.exe
This new instance of the worm will perform the following actions:
  • drops a backdoor in c:\onoes.exe, size 175104 bytes, detected by BitDefender as Backdoor.Rbot.CMN;
  • executes c:\onoes.exe;
  • drops a DLL in %system32%\bszip.dll, a library used in creating ZIP files;
  • creates copy of the worm in %ProgramFiles%\outlook\v.tmp, size 210432 bytes;
  • creates an zip arhive in %ProgramFiles%\outlook\p.zip, size 202477 bytes, archive containing the worm named Setup.exe;
  • connects to websites such as www.mininova.org, www.torrentz.com to obtain names of applications and games; using these names, the worm will create copy of the archive it created in the download folder of the P2P applications mentioned. eg: c:\downloads\Heroes3.zip;
  • starts the P2P application by executing the files limewire.exe, morpheus.exe, bearshare.exe, shareaza.exe.
In order to hides its presence, the worm creates the following files in %system32% having size zero: cmd.com, netstat.com, ping.com, regedit.com, taskkill.com, tasklist.com, tracert.com. The effect is that the standard applications cmd.exe, netstat.exe, ping.exe, regedit.exe, taskkill.exe, tasklist.exe, tracert.exe will not be executed.