Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Email-Worm:W32/VB.FW


Aliases:


Virus.Win32.vb.ky

Malware
Email-Worm
W32

Summary

Email-Worm:W32/VB.FW is a type of worm that uses e-mail as its spreading vector.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

This mass mailing worm attempts to send copies of itself to e-mail addresses harvested from the infected system. Upon execution it creates copies of itself to the following locations:

  • %startup%\adodb.cmd
  • %system%\%number%.exe
  • %system%\%number%\%number%.cmd
  • %system%\moonlight.scr
  • %userprofile%\Templates\%number%\%number%.exe
  • %userprofile%\Templates\%number%\service.exe
  • %userprofile%\Templates\%number%\winlogon.exe
  • %windows%\%number%.exe
  • %windows%\%number%.exe
  • %windows%\%number%\%number%.com
  • %windows%\%number%\smss.exe
  • %windows%\%number%\system.exe
  • %windows%\lsass.exe

The following clean files are also dropped on the system:

  • %system%\crtsys.dll
  • %windows%\MoonLight.tx
  • %windows%\system\msvbvm60.dll

To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools=dword:00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %number%="%system%\%number%.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %number%="%WINDOWS%\%number%.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\msconfig.exe debugger="%windows%\notepad.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\regedit.exe debugger="%windows%\notepad.exe"
  • HKEY_CLASSES_ROOT\exefile default="File Folder"
  • HKEY_CLASSES_ROOT\scrfile default="File Folder"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden=dword:00000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt=dword:00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState FullPath=dword:00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile default="File Folder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile default="File Folder"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden UncheckedValue=dword:00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Startup = "%system%\%number%"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell="explorer.exe, "%userprofile%\Templates\%number%\%number%.exe""
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot AlternateShell="%number%.exe"

The worm then deletes registry keys with following strings:

  • ADie suka kamu
  • AllMyBallance
  • Alumni Smansa
  • AutoSupervisor
  • BabelPath
  • Bron-Spizaetus
  • Bron-Spizaetus-cfirltrx
  • Bron-Spizaetus-cgglmmrv
  • CueX44_stil_here
  • dago
  • dkernel
  • DllHost
  • Driver
  • drv_st_key
  • lexplorer
  • MomentEverComes
  • MSMSG
  • norman zanda
  • norman_zanda
  • Pluto
  • Putri_Bangka
  • Putri_Indonesia
  • SaTRio ADie X
  • service
  • SMA_nya_Artika
  • SMAN1_Pangkalpinang
  • SysDiaz
  • SysRia
  • SysYuni
  • Task
  • templog
  • Tok-Cirrhatus
  • Tok-Cirrhatus-1101
  • TryingToSpeak
  • ViriSetup
  • Winamp
  • winfix
  • WinUpdateSupervisor
  • Word
  • YourUnintended
  • YourUnintendes

It deletes the files matching the following:

  • \ShellNew\*.exe
  • CintaButa*
  • eksplorasi*
  • FirstLove.exe*
  • KesenjanganSosial.exe
  • MyHeart.exe
  • Romantic*

P2P Propagation

While Traversing directories, the malware monitors if the folder contains any of the following strings:

  • download
  • upload
  • share

It then copies itself to these directories using the following file names:

  • BlueFilm.exe
  • Data %username%.exe
  • Foto %username%.exe
  • Gudang Lagu.exe
  • JanganDibuka.exe
  • New Folder(2).exe
  • New Folder.exe
  • Porn %username%.exe
  • Program TA.scr
  • Wallpeper.scr

It copies itself to all folders as:

  • \%foldername%\%foldername%.exe

E-mail Propagation

The malware arrives as an attachment to e-mail message. The subject line uses one of the following strings:

  • Agnes Monica pic's
  • Cek This
  • Fucking With Me :D
  • hello
  • hey Indonesian porn
  • Hot ...
  • Japannes Porn
  • miss Indonesian
  • Tolong
  • Tolong Aku..

The from field uses one of the following:

  • admin
  • Agnes
  • Ami
  • Anata
  • astaga
  • boleh
  • Cicilia
  • Claudia
  • CoolMan
  • Davis
  • Emily
  • Fransisca
  • Fransiska
  • Fria
  • gaul
  • HellSpawn
  • Hilda
  • Ida
  • indo
  • Joe
  • Julia
  • JuwitaNingrum
  • Lanelitta
  • Lia
  • Linda
  • Nadine
  • Nana
  • Natalia
  • PLASA
  • Riri
  • Rita
  • sasuke
  • SaZZA
  • sisilia
  • Susi
  • telkom
  • Titta
  • untukmu2
  • Valentina
  • Vivi
  • warung

The body of the message contains one of the following strings:

  • aku mahasiswa BSI Margonda smt 4
  • Aku Mencari Wanita yang aku Cintai
  • dan cara menggunakan email mass
  • di lampiran ini terdapat curriculum vittae dan foto saya
  • foto dan data Wanita tsb Thank's
  • ini adalah cara terakhirku ,di lampiran ini terdapat
  • NB:Mohon di teruskan kesahabat anda
  • oh ya aku tahu anda dr milis ilmu komputer
  • please read again what i have written to you
  • yah aku sedang membutuhkan pekerjaan

The attachment is named one of the following:

  • Doc.gz
  • file.bz2
  • hell.zip
  • Miyabi.zip
  • nadine.ace
  • need you.jar
  • thisfile.gz
  • video.bz2

The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:

  • ASP
  • EML
  • HTML
  • JS
  • PHP
  • PL
  • RTF
  • SPX
  • TML
  • TXT

The malware avoids certain addresses; those using the any of the following strings:

  • avira
  • mcafee
  • microsoft
  • MoonMail
  • nipsvc
  • norman
  • Norman NJeeves
  • Norman Zanda
  • norton
  • novell
  • nvcoas
  • panda
  • security
  • sophos
  • suport
  • Syman
  • Trend
  • vaksin
  • virus
  • virus
  • www.
  • yourdomain
  • yoursite

The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient e-mail server, prepending the target domain name with the following strings:

  • gate.
  • mail.
  • mail1.
  • mx.
  • mx1.
  • mxs.
  • ns1.
  • relay.
  • smtp.

Payload

The malware drops a payload file that contains the following text:

  • :: I-Worm.MoonLight.J :: Indonesian VM Society Created By HellsPawn a.K.a B4bb1Cool Can't You Handle It Don't Panic , all of data are safe

Denial of Service

It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:

  • www.bp.com
  • www.bsi.ac.id
  • www.vaksin.com

Keylogger

The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.


Backdoor

With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.


Process Termination

In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:

  • bront
  • cmd
  • command
  • currprocess
  • dengines
  • filewalker
  • OfficeSystem
  • Process Explorer
  • Process mon
  • regedit
  • Restore
  • Romantic
  • security task manager
  • sensasi






Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.