



VB.AS

Name: VB.AS
Size: 32,768
Category: Malware
Type: Email-Worm, Trojan
Platform: W32

Summary

VB.AS, a variant of VB, is a Trojan. VB.AS collects e-mail addresses and is used by spammers to send e-mails from infected computers. VB.AS modifies registry keys and shows fake error messages.

Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Additional Details

Upon execution, VB.AS, detected as Email-Worm.Win32.VB.as, displays a fake message: "File Error: [number]".



It then creates copies of itself in the following folders, under these file names:

%Temp% - (usually C:\Documents and Settings\[user]\Local Settings\Temp\ )

  • Horror.vbe
  • LSASS.exe
  • Service.exe
  • SVCHOST.exe
  • Winword.exe

%SystemDrive% - (usually C:\ )

  • COMAND.com
  • Spiderman.exe


It also creates the following registry entries to automatically launch when Windows starts:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    AVPScaner "C:\Documents and Settings\[user]\Local Settings\Temp\"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    HostNet Service "C:\Documents and Settings\[user]\Local Settings\Temp\"

Additional registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Symantecs\Ver]
    Ver " 50"


It also searches all htm files found on the hard drive for possible e-mail addresses. All gathered data is saved in the registry as follows:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\FileList]
    List of htm files scanned for e-mail addresses
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressList]
    List of e-mail addresses gathered
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Names]
    List of names gathered from the e-mail addresses (e.g. 'myname@' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Servers]
    List of domain names gathered from the e-mail addresses (e.g. 'domain.com' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressAlList]
    List of all possible combinations of e-mail addresses built from the gathered names and domains
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar]
    Indicates that the malware is active
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Scaneado]
    Indicates that the malware has performed the scan



Notes:
%Temp% - usually C:\Documents and Settings\[user]\Local Settings\Temp\
%SystemDrive% - usually C:\
[user] - is the current user
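
The file names and registry entries listed above can be turned into a triage check. The following is an added example, not F-Secure's code: it scans the text output of `reg query` and a list of file paths for those artifacts, matching file names only in the folders given so that the genuine System32 copies of LSASS.exe and SVCHOST.exe are not flagged. The function names, the default %Temp% layout from the Notes and the sample data (user "alice") are assumptions made for illustration.

```python
import ntpath
import re

# Indicators copied from the description above; keys are lowercased for matching.
RUN_VALUES = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run": "avpscaner",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "hostnet service",
}
MARKER_KEYS = (r"hkey_current_user\software\microsoft\records",
               r"hkey_current_user\software\microsoft\symantecs\ver")
TEMP_NAMES = {"horror.vbe", "lsass.exe", "service.exe", "svchost.exe", "winword.exe"}
ROOT_NAMES = {"comand.com", "spiderman.exe"}
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def registry_hits(reg_query_text):
    """Scan `reg query` text output for the autorun values and marker keys."""
    hits, key = [], ""
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            if key.startswith(MARKER_KEYS):
                hits.append(("marker-key", line.strip()))
        elif (m := VALUE_LINE.match(line)) and RUN_VALUES.get(key) == m.group(1).lower():
            hits.append(("run-value", m.group(1)))
    return hits

def file_hits(paths):
    """Flag the listed names only when they sit in the folders the description gives."""
    hits = []
    for path in paths:
        folder, name = ntpath.split(path.lower())
        in_temp = folder.endswith(r"\local settings\temp")  # assumed default %Temp%
        in_root = re.fullmatch(r"[a-z]:\\", folder) is not None
        if (in_temp and name in TEMP_NAMES) or (in_root and name in ROOT_NAMES):
            hits.append(path)
    return hits

# Constructed sample data (not captured from a real host).
SAMPLE_REG = "\n".join([
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r'    AVPScaner    REG_SZ    "C:\Documents and Settings\alice\Local Settings\Temp\"',
    r"    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"    HostNet Service    REG_SZ    x",
    r"HKEY_CURRENT_USER\Software\Microsoft\Records\AdressList",
])
SAMPLE_FILES = [r"C:\WINDOWS\system32\lsass.exe", r"C:\Spiderman.exe",
                r"C:\Documents and Settings\alice\Local Settings\Temp\LSASS.exe"]
```

Where %Temp% has been redirected away from the default profile path, adjust the `in_temp` test accordingly.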