
Win32.Vb.AN@mm

HIGH
MEDIUM
varies
(Worm/Alcra.B, Worm:Win32/Alcan.B, Win32/Alcan.C!Worm, W32.Alcra.B)

Symptoms

Presence of the hidden folder %ProgramFiles%\winupdates, which contains the following files:
  • a.tmp - size 2,099,984 bytes (unpacked)
  • winupdates.exe - size 2,099,984 bytes (unpacked)
Presence of the following files:
  • %SystemRoot%\SYSTEM32\netstat.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\ping.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\regedit.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\taskkill.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\tasklist.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\tracert.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\cmd.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\taskmgr.exe - size 87,824 bytes (a trojanized replacement of the legitimate Task Manager)
  • %SystemRoot%\SYSTEM32\bszip.dll - size 62,464 bytes; note that this is a legitimate, uninfected file that the worm only uses as its compression library
Presence of the following registry entry:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates
with the value "%ProgramFiles%\winupdates\winupdates.exe /auto"

Removal instructions:

Please delete the following files from your computer:
  • %SystemRoot%\SYSTEM32\netstat.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\ping.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\regedit.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\taskkill.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\tasklist.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\tracert.com - size 2 bytes
  • %SystemRoot%\SYSTEM32\cmd.com - size 2 bytes
Only the 2-byte .com files are to be deleted; the real netstat.exe, ping.exe, cmd.exe and so on are not modified by the worm and must be left in place.
Also, please replace %SystemRoot%\SYSTEM32\taskmgr.exe (of size 87,824 bytes) with a clean taskmgr.exe from your Windows installation CD, making sure the copy matches the installed Windows version and service pack. Do not simply delete it, or Task Manager will no longer be available.

Please remove the following registry value (the value named winupdates under the Run key, not the Run key itself):
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates
with the value "%ProgramFiles%\winupdates\winupdates.exe /auto"

Please let BitDefender delete the worm copies it finds on your computer.
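The following script is an added example (not Bitdefender's tool and not part of the original write-up) that checks a machine, or a mounted disk image, for the indicators listed under Symptoms above and removes only the 2-byte .com stubs, leaving taskmgr.exe and the worm copies for the manual steps and the scanner. The file names, sizes and Run value are taken from this page; the directory parameters, the function names and the decision to quarantine nothing but the stubs are the example's own. The registry check uses the standard winreg module and only runs on Windows; the file-system checks run anywhere.

```python
"""Triage checks for the Win32.Vb.AN@mm (Alcra.B) indicators listed above.

Added example, not Bitdefender's code. Every check takes the directory to
inspect as a parameter so it can be pointed at a mounted image or a test tree.
"""
import os
import sys

# File names the worm drops as 2-byte .com stubs beside the real .exe tools (from the page).
SHADOW_COM_NAMES = ("netstat", "ping", "regedit", "taskkill",
                    "tasklist", "tracert", "cmd")
TROJANIZED_TASKMGR_SIZE = 87_824   # size the page reports for the replaced taskmgr.exe
WORM_COPY_SIZE = 2_099_984         # size the page reports for a.tmp / winupdates.exe (unpacked)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "winupdates"


def default_system32():
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


def default_program_files():
    return os.environ.get("ProgramFiles", r"C:\Program Files")


def find_shadow_stubs(system32):
    """Return the listed .com files that exist and are exactly 2 bytes long."""
    hits = []
    for name in SHADOW_COM_NAMES:
        stub = os.path.join(system32, name + ".com")
        if os.path.isfile(stub) and os.path.getsize(stub) == 2:
            hits.append(stub)
    return hits


def check_taskmgr(system32):
    """True when taskmgr.exe has the size of the trojanized copy.

    Size alone is weak evidence: confirm with a hash or Authenticode check
    before replacing the file.
    """
    p = os.path.join(system32, "taskmgr.exe")
    return os.path.isfile(p) and os.path.getsize(p) == TROJANIZED_TASKMGR_SIZE


def find_worm_copies(program_files):
    """Return (path, size_matches) for a.tmp / winupdates.exe in the hidden winupdates folder."""
    folder = os.path.join(program_files, "winupdates")
    found = []
    for fn in ("a.tmp", "winupdates.exe"):
        p = os.path.join(folder, fn)
        if os.path.isfile(p):
            found.append((p, os.path.getsize(p) == WORM_COPY_SIZE))
    return found


def check_run_value():
    """Return the winupdates Run value if present (Windows only; None elsewhere)."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            value, _type = winreg.QueryValueEx(key, RUN_VALUE)
            return value
    except OSError:
        return None


def triage(system32=None, program_files=None):
    """Collect all indicators into one report dictionary."""
    system32 = system32 or default_system32()
    program_files = program_files or default_program_files()
    report = {
        "shadow_stubs": find_shadow_stubs(system32),
        "taskmgr_suspect": check_taskmgr(system32),
        "worm_copies": find_worm_copies(program_files),
        "run_value": check_run_value(),
    }
    report["infected"] = bool(report["shadow_stubs"] or report["worm_copies"]
                              or report["run_value"])
    return report


def remove_shadow_stubs(system32):
    """Delete only the 2-byte .com stubs; the real .exe files are untouched. Returns removed paths."""
    removed = []
    for stub in find_shadow_stubs(system32):
        os.remove(stub)
        removed.append(stub)
    return removed


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

Run it as an administrator on the suspect machine (or pass the System32 and Program Files directories of a mounted image) and act on the report: delete the stubs with remove_shadow_stubs, then follow the manual steps above for taskmgr.exe and the Run value.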

Analyzed By

Dan Lutas, virus researcher

Technical Description:

    This worm usually arrives as a zip file containing a file named setup.exe. When setup.exe is executed for the first time, it displays a dialog that looks like a standard setup dialog with the following text:
            "Welcome to the Setup Wizard
              It is recommended that you close all other applications before continuing.
             Click Next to continue, or Cancel to exit Setup".
    When the user clicks the Next button, an error message box is displayed with the following text:
             "Version has expired please download software update"
    and the setup dialog is closed.
    In the background, setup.exe creates the folder
             %ProgramFiles%\winupdates
    with the hidden attribute set and drops two files into it, a.tmp and winupdates.exe, which are copies of the worm. Next, setup.exe creates the following registry entry:
            HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates
with the value "%ProgramFiles%\winupdates\winupdates.exe /auto", so that the worm is started again at every logon and survives a reboot.
    It then launches winupdates.exe and exits.
    When winupdates.exe starts, it will:
  • drop the files netstat.com, ping.com, cmd.com, regedit.com, taskkill.com, tasklist.com and tracert.com, each 2 bytes in size, into the %SystemRoot%\SYSTEM32 folder. This prevents the real tools (netstat.exe, ping.exe, cmd.exe, regedit.exe, taskkill.exe, tasklist.exe and tracert.exe) from being run by name: when a command is typed without an extension (netstat instead of netstat.exe), cmd.exe tries the extensions listed in PATHEXT in order, and .COM precedes .EXE in the default PATHEXT, so the 2-byte .com stub is executed instead of the real program. Typing the full name with the .exe extension still runs the genuine tool.
  • replace the file taskmgr.exe with a trojanized version 87,824 bytes in size.
  • drop the legitimate file bszip.dll into the %SystemRoot%\SYSTEM32 folder, which it will use later to create archived copies of itself.
  • attempt to connect to the following pages :
    • http://qualityddl.com[...removed...]
    • http://justddl.com[...removed...]
    • http://satanwarez.com[...removed...]
    • http://warezbox.com[...removed...]
    • http://powerddl.com[...removed...]
    • http://fullddl.net[...removed..]
    • http://www.ddlspot.com/ddl.php[..removed...]
    • http://gotddl.com[..removed...]
    • http://ddldirect.com/ddl.php[...removed...]
    • http://phazeddl.com[..removed...]
    • http://katz.ws[..removed..]
    • http://x-ddl.com[...removed..]
  • scan all the pages above for strings and use those strings to generate filenames. The worm copies itself, in archived form created with bszip.dll, under the filenames generated above into the shared folders of various file-sharing applications, including Ares, eMule, Kazaa and Limewire.
  • will try to download and execute a file from the following locations :
    • http://members.chello.nl/[...removed...]
    • http://members.chello.be/[..removed...]
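The command-resolution behaviour the worm abuses (a bare command name resolving to a .com file before the .exe of the same name) is easy to reproduce. The script below is an added example, not code from Bitdefender or from the worm: it models the search cmd.exe performs for an extension-less command (each directory in the search path, each PATHEXT extension in order) and uses it to list every .exe in a set of directories that would be shadowed by another file. The PATHEXT default shown is an assumption for the XP-era systems this worm targeted; on a live machine read the real value from the environment.

```python
"""Why a 2-byte netstat.com hijacks the command 'netstat'.

Added example, not from the Bitdefender write-up. It models the extension-less
command lookup cmd.exe performs: for each directory in the search path, try
every extension in PATHEXT in order. .COM comes before .EXE, so netstat.com in
the same directory wins over netstat.exe.
"""
import os

# Assumed default PATHEXT of XP-era Windows; use os.environ["PATHEXT"] on a real system.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH"]


def resolve_command(command, search_dirs, pathext=DEFAULT_PATHEXT):
    """Return the file cmd.exe would run for `command`, or None if nothing matches.

    A name that already carries an extension (netstat.exe) is looked up as-is;
    a bare name is tried with every PATHEXT extension, in order, within each
    directory before moving to the next directory. Matching is case-insensitive,
    as on NTFS and FAT.
    """
    has_ext = os.path.splitext(command)[1] != ""
    candidates = [command] if has_ext else [command + ext for ext in pathext]
    for directory in search_dirs:
        try:
            listing = {name.lower(): name for name in os.listdir(directory)}
        except OSError:
            continue
        for cand in candidates:
            actual = listing.get(cand.lower())
            if actual is not None and os.path.isfile(os.path.join(directory, actual)):
                return os.path.join(directory, actual)
    return None


def shadowed_commands(search_dirs, pathext=DEFAULT_PATHEXT):
    """Map base name -> (file that actually runs, shadowed .exe) for every .exe
    whose bare name resolves to some other file, e.g. a .com stub dropped beside it
    or a same-named file in an earlier search directory."""
    shadowed = {}
    for directory in search_dirs:
        try:
            names = os.listdir(directory)
        except OSError:
            continue
        for name in names:
            base, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            real = os.path.join(directory, name)
            winner = resolve_command(base, search_dirs, pathext)
            if winner is not None and os.path.normcase(winner) != os.path.normcase(real):
                shadowed[base.lower()] = (winner, real)
    return shadowed


if __name__ == "__main__":
    # On Windows this walks the real PATH; on other systems it just demonstrates the logic.
    dirs = os.environ.get("PATH", "").split(os.pathsep)
    pathext = os.environ.get("PATHEXT", ";".join(DEFAULT_PATHEXT)).split(";")
    for base, (winner, real) in shadowed_commands(dirs, pathext).items():
        print(f"{base}: '{winner}' runs instead of '{real}'")
```

As a hardening check, run shadowed_commands over the directories in PATH after cleanup: an empty result means no remaining .com (or other earlier-extension) file hijacks a tool by name. Scripts that must survive this kind of attack should invoke tools by full path and explicit extension (%SystemRoot%\System32\netstat.exe), which bypasses the PATHEXT search entirely.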