Threat Description

VB.AS

Details

Aliases: Email-Worm.Win32.VB.as, Worm.Gasop.B, W32.Berlity@mm, Email-Worm:​W32/VB.as, Worm/VB.AS.11, W32/Gasop@MM
Category: Malware
Type: Trojan
Platform: W32

Summary



VB.AS, a variant of VB, is a Trojan. It harvests e-mail addresses from the infected computer, and spammers use it to send e-mail from that computer. It also modifies registry keys and displays a fake error message.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Upon execution, VB.AS, detected as Email-Worm.Win32.VB.as, displays a fake error message of the form "File Error: [number]".

It then drops copies of itself in the following folders under the following names:

  • %Temp% - (usually C:\Documents and Settings\[user]\Local Settings\Temp\ )
    • Horror.vbe
    • LSASS.exe
    • Service.exe
    • SVCHOST.exe
    • Winword.exe
  • %SystemDrive% - (usually C:\ )
    • COMAND.com
    • Spiderman.exe

It also creates the following registry values so that it is launched automatically when Windows starts (the value data is shown exactly as observed, i.e. the %Temp% directory path):

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] AVPScaner "C:\Documents and Settings\[user]\Local Settings\Temp\"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] HostNet Service "C:\Documents and Settings\[user]\Local Settings\Temp\"

Additional registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Symantecs\Ver] Ver " 50"

It also searches every .htm file on the hard drive for strings that look like e-mail addresses. The gathered data is saved in the registry as follows:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\FileList] List of .htm files scanned for e-mail addresses
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressList] List of e-mail addresses gathered
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Names] List of the local parts (names) taken from the gathered e-mail addresses (e.g. 'myname@' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Servers] List of the domain names taken from the gathered e-mail addresses (e.g. 'domain.com' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressAlList] List of every possible combination of a gathered name with a gathered domain, so it also contains addresses that never appeared in any scanned file
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar] Indicates that the malware is active
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Scaneado] Indicates that the malware has performed a scan
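
The following PowerShell function is an added example, not code from this description or from the malware itself. It reproduces the bookkeeping described above on a constructed HTML snippet so that the contents of the Records lists can be interpreted during an investigation: which entries were actually observed on disk (AdressList) and which were synthesised by pairing every name with every domain (AdressAlList). The address regex, the function name and the sample documents are this example's own assumptions; the description does not say how the malware recognises an address.

```powershell
# Added example: build the four address lists the description names
# (AdressList, Names, Servers, AdressAlList) from HTML text.
function Get-HarvestLists {
    param([string[]]$HtmlDocuments)

    # Assumed address pattern; the page does not specify the malware's matcher.
    $pattern = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

    $addresses = foreach ($doc in $HtmlDocuments) {
        [regex]::Matches($doc, $pattern) | ForEach-Object { $_.Value.ToLowerInvariant() }
    }
    $addresses = @($addresses | Sort-Object -Unique)

    # Names keep the '@' ('myname@'), servers are the bare domain ('domain.com'),
    # exactly as the description shows them.
    $names   = @($addresses | ForEach-Object { ($_ -split '@')[0] + '@' } | Sort-Object -Unique)
    $servers = @($addresses | ForEach-Object { ($_ -split '@')[1] }       | Sort-Object -Unique)

    # AdressAlList: every name paired with every server, whether or not that
    # address was ever seen in a scanned file.
    $all = foreach ($n in $names) { foreach ($s in $servers) { $n + $s } }

    [pscustomobject]@{
        AdressList   = $addresses
        Names        = $names
        Servers      = $servers
        AdressAlList = @($all | Sort-Object -Unique)
    }
}

# Constructed sample: two saved pages with three addresses across two domains.
$sample = @(
    '<html><body>Contact <a href="mailto:alice@example.com">Alice</a> or bob@example.com</body></html>',
    '<p>Sales: carol@example.org</p>'
)
$lists = Get-HarvestLists -HtmlDocuments $sample
$lists | Format-List
```

On this sample AdressList holds the three observed addresses, while AdressAlList holds six (three names times two domains); the extra three never appeared in either document. When scoping an incident from the Records key, treat AdressList as the set of addresses actually exposed from the victim's files and AdressAlList as the larger target list the spammer was handed.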

Notes:

  • %Temp% - usually C:\Documents and Settings\[user]\Local Settings\Temp\
  • %SystemDrive% - usually C:\
  • [user] - the current user
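
The following PowerShell script is an added example and is not F-Secure's disinfection tooling. It sweeps a Windows host for the artifacts listed in the technical details above and dumps whatever the harvester stored under the Records key so the collected addresses can be reviewed before the key is removed. The file names, value names and key paths come from this description; the function names and the output format are this example's own. Run it from an elevated PowerShell so the HKLM Run key is readable; it only inspects the HKCU hive of the user running it, so repeat it as each local user for a complete check.

```powershell
# Added example: check a host for the VB.AS files, autostart values and
# registry markers listed in the description above.

$tempNames = 'Horror.vbe', 'LSASS.exe', 'Service.exe', 'SVCHOST.exe', 'Winword.exe'
$rootNames = 'COMAND.com', 'Spiderman.exe'
$droppedFiles = @($tempNames | ForEach-Object { Join-Path $env:TEMP $_ }) +
                @($rootNames | ForEach-Object { Join-Path "$env:SystemDrive\" $_ })

# Autostart values: match on the value name, because the description shows the
# data as the %Temp% directory path rather than an executable name.
$runValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'AVPScaner' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'HostNet Service' }
)
$markerKeys = 'HKCU:\Software\Microsoft\Symantecs\Ver', 'HKCU:\Software\Microsoft\Records'

function Get-VbAsFindings {
    $findings = @()
    foreach ($path in $droppedFiles) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Data = $hash }
        }
    }
    foreach ($rv in $runValues) {
        $item = Get-ItemProperty -Path $rv.Key -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$rv.Name]) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$($rv.Key)\$($rv.Name)"; Data = $item.($rv.Name) }
        }
    }
    foreach ($key in $markerKeys) {
        if (Test-Path -Path $key) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $key; Data = '' }
        }
    }
    return $findings
}

# The description does not say how each list under Records is encoded, so every
# value under the key and its subkeys is written out verbatim for review.
function Export-VbAsRecords {
    param([string]$OutFile = (Join-Path $env:USERPROFILE 'vbas-records.txt'))
    $records = 'HKCU:\Software\Microsoft\Records'
    if (-not (Test-Path -Path $records)) { return $null }
    $keys = @(Get-Item -Path $records) + @(Get-ChildItem -Path $records -Recurse)
    $lines = foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            '{0}\{1} = {2}' -f $k.Name, $name, (@($k.GetValue($name)) -join ';')
        }
    }
    $lines | Set-Content -LiteralPath $OutFile
    return $OutFile
}

Get-VbAsFindings | Format-Table -AutoSize
Export-VbAsRecords
```

Match on the full path, not the file name: the LSASS.exe and SVCHOST.exe listed here are copies of the malware in %Temp%, whereas the legitimate lsass.exe and svchost.exe live in %SystemRoot%\System32, and Winword.exe in %Temp% is likewise unrelated to Word. Review the exported Records dump before disinfection, since it is the only record of which addresses were taken from the machine.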




