Additional Details
Upon execution, VB.AS, detected as Email-Worm.Win32.VB.as, displays a fake message: "File Error: [number]".
It then creates copies of itself in the following folders as:
%Temp% - (usually C:\Documents and Settings\[user]\Local Settings\Temp\ )
- Horror.vbe
- LSASS.exe
- Service.exe
- SVCHOST.exe
- Winword.exe
%SystemDrive% - (usually C:\ )
It also creates the following registry entries to automatically launch when Windows starts:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
AVPScaner "C:\Documents and Settings\[user]\Local Settings\Temp\"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
HostNet Service "C:\Documents and Settings\[user]\Local Settings\Temp\"
Additional registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Symantecs\Ver]
Ver " 50"
It also searches all htm files found on the hard drive for possible e-mail addresses. All gathered data is saved in the registry as follows:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\FileList]
List of htm files scanned for e-mail addresses
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressList]
List of e-mail addresses gathered
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Names]
List of gathered names from the e-mail addresses (ex. 'myname@' from myname@domain.com)
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Servers]
List of domain names gathered from the e-mail addresses (ex. 'domain.com' from myname@domain.com)
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressAlList]
List of all possible combinations of e-mail addresses based on the gathered names and domains
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar]
Indicates that the malware is active
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Scaneado]
Indicates that the malware has performed the scan
Notes:
%Temp% - usually C:\Documents and Settings\[user]\Local Settings\Temp\
%SystemDrive% - usually C:\
[user] - is the current user
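The registry entries listed above can be checked for in a registry export during triage. The following is an added example, not part of the original description: it parses the text of a .reg export and reports the Run values, the Symantecs\Ver value and any key at or under Records. The function names and the sample export are assumptions constructed for illustration.

```python
import re

# Indicators copied from the registry entries listed above (matched case-insensitively).
NAMED_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": "avpscaner",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "hostnet service",
    r"hkey_current_user\software\microsoft\symantecs\ver": "ver",
}
RECORDS_KEY = r"hkey_current_user\software\microsoft\records"

def parse_reg(text):
    """Yield (key, value_name) pairs from .reg text; value_name is None for the key itself."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=', line)
            if m:
                yield key, m.group(1)

def find_indicators(text):
    """Return (key, value_name) hits; value_name is None when the key alone is the indicator."""
    hits = []
    for key, name in parse_reg(text):
        k = key.lower()
        if name is None:
            if k == RECORDS_KEY or k.startswith(RECORDS_KEY + "\\"):
                hits.append((key, None))
        elif NAMED_VALUES.get(k) == name.lower():
            hits.append((key, name))
    return hits

# Constructed sample export (not from a real host); the value data is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AVPScaner"="<placeholder>"

[HKEY_CURRENT_USER\Software\Microsoft\Records\AdressList]
@="<placeholder>"
'''

if __name__ == "__main__":
    for key, name in find_indicators(SAMPLE):
        print(key, "->", name or "(key present)")
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file with that encoding before passing its text to `find_indicators`.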