VB.AS, a variant of VB, is a Trojan. VB.AS collects e-mail addresses and is used by spammers to send e-mails from infected computers. VB.AS modifies registry keys and shows fake error messages.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Upon execution, VB.AS, detected as Email-Worm.Win32.VB.as, displays a fake message: "File Error: [number]".
It then creates copies of itself in the following folders:
- %Temp% - (usually C:\Documents and Settings\[user]\Local Settings\Temp\ )
- %SystemDrive% - (usually C:\ )
It also creates the following registry entries to automatically launch when Windows starts:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] AVPScaner "C:\Documents and Settings\[user]\Local Settings\Temp\"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] HostNet Service "C:\Documents and Settings\[user]\Local Settings\Temp\"
Additional registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Symantecs\Ver] Ver " 50"
It also searches all .htm files found on the hard drive for possible e-mail addresses. All gathered data is saved in the registry as follows:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\FileList] List of htm files scanned for e-mail addresses
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressList] List of e-mail addresses gathered
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Names] List of names gathered from the e-mail addresses (e.g. 'myname@' from email@example.com)
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Servers] List of domain names gathered from the e-mail addresses (e.g. 'domain.com' from firstname.lastname@example.org)
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressAlList] List of all possible e-mail address combinations formed from the gathered names and domains
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar] Indicates that the malware is active
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Scaneado] Indicates that the malware has performed a scan
Where:
- %Temp% - usually C:\Documents and Settings\[user]\Local Settings\Temp\
- %SystemDrive% - usually C:\
- [user] - the current user
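As an added example (not part of F-Secure's description or product), the following read-only PowerShell snippet checks a host for the registry artefacts listed above, which is useful for confirming an infection or verifying a clean-up. The value names and key paths are taken from this page; the function name Find-VBASArtefacts, the treatment of Activar and Scaneado as subkeys (as they are written above), and the use of the current user's %TEMP% folder as the path to match in Run entries are assumptions.

```powershell
# Added example, not F-Secure's code: look for the VB.AS registry artefacts
# described on this page. Only reads the registry; nothing is changed.
function Find-VBASArtefacts {
    $findings = @()

    # 1. The two autostart values named on the page.
    $runChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'AVPScaner' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'HostNet Service' }
    )
    foreach ($c in $runChecks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($item) {
            $findings += "Autostart value '$($c.Name)' present in $($c.Path) -> $($item.$($c.Name))"
        }
    }

    # 2. Any Run value in either hive whose data points into the user's Temp
    #    folder, where the page says the copies are dropped (assumption: %TEMP%
    #    resolves to that folder for the account being examined).
    $temp = [System.IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            $data = ([string]$p.Value).Trim('"')
            if ($data.StartsWith($temp, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings += "Run value '$($p.Name)' in $key launches from Temp: $data"
            }
        }
    }

    # 3. The data-store keys used for harvested addresses, plus the marker key.
    $recordKeys = 'FileList', 'AdressList', 'Names', 'Servers',
                  'AdressAlList', 'Activar', 'Scaneado'
    foreach ($k in $recordKeys) {
        $path = "HKCU:\SOFTWARE\Microsoft\Records\$k"
        if (Test-Path -Path $path) { $findings += "Harvest key present: $path" }
    }
    $ver = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Symantecs\Ver' -Name 'Ver' -ErrorAction SilentlyContinue
    if ($ver) { $findings += "Marker value HKCU\Software\Microsoft\Symantecs\Ver\Ver = '$($ver.Ver)'" }

    return $findings
}

$result = Find-VBASArtefacts
if ($result.Count -eq 0) {
    Write-Output 'No VB.AS registry artefacts found.'
} else {
    $result | ForEach-Object { Write-Output $_ }
}
```

Run it in the context of the affected user account, since most of the artefacts live under HKEY_CURRENT_USER; the HKLM Run key is readable without elevation. Check 2 is deliberately broader than the two named values, so it also surfaces any Run entry pointing into Temp, which is worth a look on its own even when the exact value names differ.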