Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also attempts to disable several security-related programs.
Installation
Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:
where '%Windows%' represents the Windows folder. On Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key to ensure that it is started at system startup:
Propagation (E-mail)
The worm collects e-mail addresses from files with the following extensions:
And from files with the following string in the name:
The worm sends itself as an attachment in the infected e-mail. The e-mail subject is one of the following:
The message body may be one of the following:
The worm can attach itself as an executable file. It uses one of the following names for the attachment:
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
The filename inside MIME-encoding is one of the following:
Propagation (Shared Folders)
The worm searches for remote shared folders and tries to copy itself using one of the following filenames: