

VB.AS


Aliases:


Email-Worm.Win32.VB.as
Worm.Gasop.B
W32.Berlity@mm
Email-Worm:W32/VB.as
Worm/VB.AS.11
W32/Gasop@MM

Malware
Trojan
W32

Summary

VB.AS, a variant of VB, is a Trojan. VB.AS collects e-mail addresses and is used by spammers to send e-mails from infected computers. VB.AS modifies registry keys and shows fake error messages.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Upon execution, VB.AS, detected as Email-Worm.Win32.VB.as, displays a fake message: "File Error: [number]".

It then creates copies of itself in the following folders under these file names:

  • %Temp% - (usually C:\Documents and Settings\[user]\Local Settings\Temp\ )
    • Horror.vbe
    • LSASS.exe
    • Service.exe
    • SVCHOST.exe
    • Winword.exe
  • %SystemDrive% - (usually C:\ )
    • COMAND.com
    • Spiderman.exe

It also creates the following registry entries to automatically launch when Windows starts:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] AVPScaner "C:\Documents and Settings\[user]\Local Settings\Temp\"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] HostNet Service "C:\Documents and Settings\[user]\Local Settings\Temp\"

Additional registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Symantecs\Ver] Ver " 50"

It also searches all htm files found on the hard drive for possible e-mail addresses. All gathered data is saved in the registry as follows:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\FileList] List of htm files scanned for e-mail addresses
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressList] List of e-mail addresses gathered
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Names] List of names gathered from the e-mail addresses (e.g. 'myname@' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Servers] List of domain names gathered from the e-mail addresses (e.g. 'domain.com' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressAlList] List of all possible combinations of e-mail addresses built from the gathered names and domains
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar] Indicates that the malware is active
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Scaneado] Indicates that the malware has performed the scan

Notes:

  • %Temp% - usually C:\Documents and Settings\[user]\Local Settings\Temp\
  • %SystemDrive% - usually C:\
  • [user] - is the current user
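
As an added example (not F-Secure's code), the file and registry indicators listed above can be turned into a triage check over an exported file listing and registry value list. It matches the system-process look-alike names only in the folders this description gives, so a genuine svchost.exe in system32 is not flagged. The function names, the user name alice and the sample entries are constructed; it assumes full hive names and treats any folder named Temp as %Temp%.

```python
import ntpath
import re

# Indicators taken from the description above (compared case-insensitively).
TEMP_NAMES = {"horror.vbe", "lsass.exe", "service.exe", "svchost.exe", "winword.exe"}
ROOT_NAMES = {"comand.com", "spiderman.exe"}
RUN_KEY = r"software\microsoft\windows\currentversion\run"
RUN_VALUES = {"avpscaner", "hostnet service"}
MARKER_KEYS = (
    r"hkey_current_user\software\microsoft\records",
    r"hkey_current_user\software\microsoft\symantecs\ver",
)
TEMP_DIR = re.compile(r"\\temp$")          # assumption: any folder named Temp
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")    # e.g. C:\

def check_file(path):
    """Flag a listed file name only when it sits in the folder the page gives."""
    folder, name = ntpath.split(path.lower())
    if name in TEMP_NAMES and TEMP_DIR.search(folder):
        return f"dropped copy in %Temp%: {path}"
    if name in ROOT_NAMES and DRIVE_ROOT.match(folder):
        return f"dropped copy in %SystemDrive%: {path}"
    return None

def check_registry(key, value):
    """Flag the autostart value names and the bookkeeping keys from the page."""
    key_l = key.lower()
    if key_l.endswith(RUN_KEY) and value.lower() in RUN_VALUES:
        return f"autostart value {value!r} under {key}"
    if key_l.startswith(MARKER_KEYS):
        return f"marker key {key}"
    return None

def triage(files, reg_entries):
    """Return all findings for a file listing and (key, value) registry pairs."""
    findings = [check_file(p) for p in files]
    findings += [check_registry(k, v) for k, v in reg_entries]
    return [f for f in findings if f]

# Constructed sample input, not taken from a real host.
SAMPLE_FILES = [
    r"C:\Documents and Settings\alice\Local Settings\Temp\SVCHOST.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Spiderman.exe",
]
SAMPLE_REG = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "AVPScaner"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"),
    (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar", ""),
]
```

Calling `triage(SAMPLE_FILES, SAMPLE_REG)` returns four findings: the two dropped copies, the AVPScaner autostart value and the Records marker key.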




Description Created: 2006-10-04 08:15:33.0
Description Last Modified: 2006-10-04 16:06:56.0


