F-Secure
Tools
Email-Worm:W32/VB.FW
Summary
Email-Worm:W32/VB.FW is a type of worm that uses e-mail as its spreading vector.
Additional Details
This mass mailing worm attempts to send copies of itself to e-mail addresses harvested from the infected system.
Upon execution it creates copies of itself to the following locations:
The following clean files are also dropped on the system:
To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:
The worm then deletes registry keys with following strings:
It deletes the files matching the following:
P2P Propagation
While Traversing directories, the malware monitors if the folder contains any of the following strings:
It then copies itself to these directories using the following file names:
It copies itself to all folders as:
E-mail Propagation
The malware arrives as an attachment to e-mail message.
The subject line uses one of the following strings:
The from field uses one of the following:
The body of the message contains one of the following strings:
The attachment is named one of the following:
The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:
The malware avoids certain addresses; those using the any of the following strings:
The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient e-mail server, prepending the target domain name with the following strings:
Payload
The malware drops a payload file that contains the following text:
Denial of Service
It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:
Keylogger
The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.
Backdoor
With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.
Process Termination
In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:
Upon execution it creates copies of itself to the following locations:
- %startup%\adodb.cmd
- %system%\%number%.exe
- %system%\%number%\%number%.cmd
- %system%\moonlight.scr
- %userprofile%\Templates\%number%\%number%.exe
- %userprofile%\Templates\%number%\service.exe
- %userprofile%\Templates\%number%\winlogon.exe
- %windows%\%number%.exe
- %windows%\%number%.exe
- %windows%\%number%\%number%.com
- %windows%\%number%\smss.exe
- %windows%\%number%\system.exe
- %windows%\lsass.exe
The following clean files are also dropped on the system:
- %system%\crtsys.dll
- %windows%\MoonLight.tx
- %windows%\system\msvbvm60.dll
To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools=dword:00000001 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%number%="%system%\%number%.exe" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%number%="%WINDOWS%\%number%.exe" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Image File Execution Options\msconfig.exe
debugger="%windows%\notepad.exe" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Image File Execution Options\regedit.exe
debugger="%windows%\notepad.exe" - HKEY_CLASSES_ROOT\exefile
default="File Folder" - HKEY_CLASSES_ROOT\scrfile
default="File Folder" - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden=dword:00000000 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt=dword:00000001 - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
FullPath=dword:00000001 - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile
default="File Folder" - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile
default="File Folder" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
UncheckedValue=dword:00000000 - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Common Startup = "%system%\%number%" - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell="explorer.exe, "%userprofile%\Templates\%number%\%number%.exe"" - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
AlternateShell="%number%.exe"
The worm then deletes registry keys with following strings:
- ADie suka kamu
- AllMyBallance
- Alumni Smansa
- AutoSupervisor
- BabelPath
- Bron-Spizaetus
- Bron-Spizaetus-cfirltrx
- Bron-Spizaetus-cgglmmrv
- CueX44_stil_here
- dago
- dkernel
- DllHost
- Driver
- drv_st_key
- lexplorer
- MomentEverComes
- MSMSG
- norman zanda
- norman_zanda
- Pluto
- Putri_Bangka
- Putri_Indonesia
- SaTRio ADie X
- service
- SMA_nya_Artika
- SMAN1_Pangkalpinang
- SysDiaz
- SysRia
- SysYuni
- Task
- templog
- Tok-Cirrhatus
- Tok-Cirrhatus-1101
- TryingToSpeak
- ViriSetup
- Winamp
- winfix
- WinUpdateSupervisor
- Word
- YourUnintended
- YourUnintendes
It deletes the files matching the following:
- \ShellNew\*.exe
- CintaButa*
- eksplorasi*
- FirstLove.exe*
- KesenjanganSosial.exe
- MyHeart.exe
- Romantic*
P2P Propagation
While Traversing directories, the malware monitors if the folder contains any of the following strings:
- download
- upload
- share
It then copies itself to these directories using the following file names:
- BlueFilm.exe
- Data %username%.exe
- Foto %username%.exe
- Gudang Lagu.exe
- JanganDibuka.exe
- New Folder(2).exe
- New Folder.exe
- Porn %username%.exe
- Program TA.scr
- Wallpeper.scr
It copies itself to all folders as:
- \%foldername%\%foldername%.exe
E-mail Propagation
The malware arrives as an attachment to e-mail message.
The subject line uses one of the following strings:
- Agnes Monica pic's
- Cek This
- Fucking With Me :D
- hello
- hey Indonesian porn
- Hot ...
- Japannes Porn
- miss Indonesian
- Tolong
- Tolong Aku..
The from field uses one of the following:
- admin
- Agnes
- Ami
- Anata
- astaga
- boleh
- Cicilia
- Claudia
- CoolMan
- Davis
- Emily
- Fransisca
- Fransiska
- Fria
- gaul
- HellSpawn
- Hilda
- Ida
- indo
- Joe
- Julia
- JuwitaNingrum
- Lanelitta
- Lia
- Linda
- Nadine
- Nana
- Natalia
- PLASA
- Riri
- Rita
- sasuke
- SaZZA
- sisilia
- Susi
- telkom
- Titta
- untukmu2
- Valentina
- Vivi
- warung
The body of the message contains one of the following strings:
- aku mahasiswa BSI Margonda smt 4
- Aku Mencari Wanita yang aku Cintai
- dan cara menggunakan email mass
- di lampiran ini terdapat curriculum vittae dan foto saya
- foto dan data Wanita tsb Thank's
- ini adalah cara terakhirku ,di lampiran ini terdapat
- NB:Mohon di teruskan kesahabat anda
- oh ya aku tahu anda dr milis ilmu komputer
- please read again what i have written to you
- yah aku sedang membutuhkan pekerjaan
The attachment is named one of the following:
- Doc.gz
- file.bz2
- hell.zip
- Miyabi.zip
- nadine.ace
- need you.jar
- thisfile.gz
- video.bz2
The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:
- ASP
- EML
- HTML
- JS
- PHP
- PL
- RTF
- SPX
- TML
- TXT
The malware avoids certain addresses; those using the any of the following strings:
- avira
- mcafee
- microsoft
- MoonMail
- nipsvc
- norman
- Norman NJeeves
- Norman Zanda
- norton
- novell
- nvcoas
- panda
- security
- sophos
- suport
- Syman
- Trend
- vaksin
- virus
- virus
- www.
- yourdomain
- yoursite
The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient e-mail server, prepending the target domain name with the following strings:
- gate.
- mail.
- mail1.
- mx.
- mx1.
- mxs.
- ns1.
- relay.
- smtp.
Payload
The malware drops a payload file that contains the following text:
- :: I-Worm.MoonLight.J ::
Indonesian VM Society
Created By HellsPawn a.K.a B4bb1Cool
Can't You Handle It
Don't Panic , all of data are safe
Denial of Service
It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:
- www.bp.com
- www.bsi.ac.id
- www.vaksin.com
Keylogger
The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.
Backdoor
With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.
Process Termination
In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:
- bront
- cmd
- command
- currprocess
- dengines
- filewalker
- OfficeSystem
- Process Explorer
- Process mon
- regedit
- Restore
- Romantic
- security task manager
- sensasi