Additional Details
Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also attempts to disable several security-related programs.
Installation
Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:
- %Windows%\rundll16.exe
- %System%\scanregw.exe
- %System%\Update.exe
- %System%\Winzip.exe
where '%Windows%' represents the Windows system folder, which on Windows XP systems is usually C:\WINDOWS, and '%System%' represents the system32 folder.
The worm installs the following registry value to ensure that it is started on system startup:
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "%System%\scanregw.exe"
Propagation (E-mail)
The worm collects e-mail addresses from files with the following extensions:
- .HTM
- .DBX
- .EML
- .MSG
- .OFT
- .NWS
- .VCF
- .MBX
- .IMH
- .TXT
- .MSF
and from files with the following string in their name:
The worm sends itself as an attachment to the infected e-mail.
The e-mail subject is one of the following:
- The Best Videoclip Ever
- School girl fantasies gone bad
- A Great Video
- F* Kama Sutra pics
- Arab sex DSC-00465.jpg
- give me a kiss
- *Hot Movie*
- Fw: Funny :)
- Fwd: Photo
- Fwd: image.jpg
- Fw: Sexy
- Re:
- Fw:
- Part 1 of 6 Video clipe
- You Must View This Videoclip!
- Miss Lebanon 2006
- Re: Sex Video
- My photos
The message body may be one of the following:
- Note: forwarded message attached.
- Hot XXX Yahoo Groups
- F* Kama Sutra pics
- ready to be F*CKED ;)
- Note: forwarded message attached.
- forwarded message attached.
- VIDEOS! FREE! (US$ 0,00)
- i attached the details. Thank you.
- >> forwarded message
- ----- forwarded message -----
- i just any one see my photos. It's Free :)
The worm can attach itself as an executable file, using one of the following attachment names:
- 007.pif
- School.pif
- 04.pif
- photo.pif
- DSC-00465.Pif
- image04.pif
- 677.pif
- New_Document_file.pif
- eBook.PIF
- document.pif
- DSC-00465.pIf
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
- Attachments[001].B64
- 3.92315089702606E02.UUE
- SeX.mim
- Original Message.B64
- WinZip.BHX
- eBook.Uu
- Word_Document.hqx
- Word_Document.uu
The filename inside the MIME-encoded attachment is one of the following, where '[spaces]' stands for a run of space characters that pads the name so the real .sCR extension is pushed out of view:
- Attachments[001].B64 [spaces] .sCR
- 3.92315089702606E02.UUE [spaces] .sCR
- SeX,zip [spaces] .sCR
- WinZip.zip [spaces] .sCR
- ATT01.zip [spaces] .sCR
- WinZip.zip [spaces] .sCR
- Word.zip [spaces] .sCR
- Word XP.zip [spaces] .sCR
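The attachment names above show two evasions a mail filter has to handle: a directly executable extension whose case is varied (.pIf, .sCR), and a decoy name such as 'Word XP.zip' followed by whitespace padding and the real .sCR extension, optionally wrapped in a B64/UUE/BinHex container. The following script is an added example written for this page, not code from the original description or from any vendor product; it normalizes attachment names, recovers the true last extension, and flags both executables and encoded wrappers that need to be decoded and re-scanned. The sample messages are constructed here from the subjects and names listed on the page.

```python
import re

# Extensions Windows runs directly; the page shows the worm using .pif and
# .sCR (with varied letter case) from this set.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}

# Encoded wrappers the worm uses around its payload; a gateway must decode
# these and classify the inner filename rather than trust the outer one.
ENCODED_WRAPPER_EXTS = {".b64", ".uue", ".mim", ".bhx", ".hqx", ".uu"}


def normalize_attachment_name(name: str) -> str:
    """Strip all whitespace (the worm pads 'SeX,zip      .sCR' with spaces
    to hide the real extension) and lowercase the result. The normalized
    form is used only for extension detection, not as a display name."""
    return re.sub(r"\s+", "", name).lower()


def real_extension(name: str) -> str:
    """Return the last extension after normalization, e.g. '.scr'."""
    norm = normalize_attachment_name(name)
    dot = norm.rfind(".")
    return norm[dot:] if dot != -1 else ""


def classify_attachment(name: str) -> str:
    """Return 'executable', 'encoded' or 'other' for one attachment name."""
    ext = real_extension(name)
    if ext in EXECUTABLE_EXTS:
        return "executable"
    if ext in ENCODED_WRAPPER_EXTS:
        return "encoded"
    return "other"


def flag_messages(messages):
    """messages: list of dicts with 'subject' and 'attachments' (names as
    they appear in the MIME part headers). Returns a list of
    (subject, attachment, verdict) tuples for everything that should be
    blocked ('executable') or decoded and re-scanned ('encoded')."""
    hits = []
    for msg in messages:
        for att in msg["attachments"]:
            verdict = classify_attachment(att)
            if verdict != "other":
                hits.append((msg["subject"], att, verdict))
    return hits


# Constructed sample messages (not real captures); names are taken from
# the lists on this page, the last one is a benign control.
SAMPLE_MESSAGES = [
    {"subject": "Re: Sex Video", "attachments": ["DSC-00465.pIf"]},
    {"subject": "Fwd: Photo", "attachments": ["Word XP.zip                 .sCR"]},
    {"subject": "My photos", "attachments": ["Word_Document.hqx"]},
    {"subject": "Quarterly report", "attachments": ["report.pdf"]},
]

if __name__ == "__main__":
    for hit in flag_messages(SAMPLE_MESSAGES):
        print(hit)
```

Running the block prints the three flagged tuples and ignores the .pdf. A real gateway would apply `classify_attachment` again to the filename recovered from inside each decoded .B64/.UUE/.hqx container, which is where this worm places its padded '.sCR' names.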
Propagation (Shared Folders)
The worm searches for remote shared folders and tries to copy itself using one of the following filenames:
- \Admin$\WINZIP_TMP.exe
- \c$\WINZIP_TMP.exe
- \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe