Threat Description

Email-Worm:W32/VB.BI

Details

Aliases: WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.Nyxem.e, W32.Blackmal.E@mm, Blackmail
Category: Malware
Type: Email-Worm
Platform: W32

Summary



A worm that spreads via e-mail, usually in infected executable e-mail file attachments.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread through remote network shares. It also attempts to disable several security-related programs.

Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

  • %Windows%\rundll16.exe
  • %System%\scanregw.exe
  • %System%\Update.exe
  • %System%\Winzip.exe

where '%Windows%' represents the Windows folder (on Windows XP systems it is usually C:\WINDOWS) and '%System%' is the system32 folder. The worm adds the following registry value so that it is started on every system startup:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (E-mail)

The worm collects e-mail addresses from files with the following extensions:

  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF

and from files whose names contain one of the following strings:

  • CONTENT
  • TEMPORARY

The worm sends itself as an attachment to the infected e-mail. The e-mail subject is one of the following:

  • The Best Videoclip Ever
  • School girl fantasies gone bad
  • A Great Video
  • F* Kama Sutra pics
  • Arab sex DSC-00465.jpg
  • give me a kiss
  • *Hot Movie*
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Re:
  • Fw:
  • Part 1 of 6 Video clipe
  • You Must View This Videoclip!
  • Miss Lebanon 2006
  • Re: Sex Video
  • My photos

The message body may be one of the following:

  • Note: forwarded message attached.
  • Hot XXX Yahoo Groups
  • F* Kama Sutra pics
  • ready to be F*CKED ;)
  • Note: forwarded message attached.
  • forwarded message attached.
  • VIDEOS! FREE! (US$ 0,00)
  • i attached the details. Thank you.
  • >> forwarded message
  • ----- forwarded message -----
  • i just any one see my photos. It's Free :)

The worm can attach itself as an executable file. It uses one of the following attachment names:

  • 007.pif
  • School.pif
  • 04.pif
  • photo.pif
  • DSC-00465.Pif
  • image04.pif
  • 677.pif
  • New_Document_file.pif
  • eBook.PIF
  • document.pif
  • DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:

  • Attachments[001].B64
  • 3.92315089702606E02.UUE
  • SeX.mim
  • Original Message.B64
  • WinZip.BHX
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu

The filename inside the MIME-encoded attachment is one of the following ('[spaces]' stands for a run of space characters that pushes the real .sCR extension out of view):

  • Attachments[001].B64 [spaces] .sCR
  • 3.92315089702606E02.UUE [spaces] .sCR
  • SeX,zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • ATT01.zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • Word.zip [spaces] .sCR
  • Word XP.zip [spaces] .sCR
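
The e-mail indicators above (lure subjects, .pif/.scr attachments, the "[spaces] .sCR" padding trick and the UU/Base64/BinHex wrapper extensions) can be turned into a mail-gateway check. The following Python is an added example, not F-Secure's code: the indicator sets are copied from this description, and the message it scans is constructed for the demonstration.

```python
import email
import re
# Indicator sets copied from the description above.
SUBJECTS = {
    "the best videoclip ever", "a great video", "give me a kiss", "*hot movie*",
    "fw: funny :)", "fwd: photo", "fwd: image.jpg", "fw: sexy", "my photos",
    "part 1 of 6 video clipe", "you must view this videoclip!",
    "miss lebanon 2006", "re: sex video",
}
EXEC_EXTS = {"pif", "scr", "exe"}
ENCODED_EXTS = {"b64", "uue", "mim", "bhx", "hqx", "uu"}  # UU/Base64/BinHex wrappers
PADDED_RE = re.compile(r"\s+\.(\w+)$")  # "<decoy>.zip [spaces] .sCR" hides the real extension

def classify_filename(name: str) -> list[str]:
    """Reasons a single attachment filename matches this worm's naming tricks."""
    reasons = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    padded = PADDED_RE.search(name)
    if padded and padded.group(1).lower() in EXEC_EXTS:
        reasons.append("executable extension hidden behind whitespace padding")
    elif ext in EXEC_EXTS:
        reasons.append(f"executable attachment (.{ext})")
    if ext in ENCODED_EXTS:
        reasons.append(f"UU/Base64/BinHex-encoded container (.{ext})")
    return reasons

def scan_message(raw: str) -> list[str]:
    """Flag a raw RFC 822 message whose subject or attachment names match the worm."""
    msg = email.message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUBJECTS:
        findings.append(f"subject matches worm lure: {subject!r}")
    for part in msg.walk():  # get_filename() also falls back to Content-Type name=
        name = part.get_filename()
        if name:
            findings.extend(f"{name!r}: {r}" for r in classify_filename(name))
    return findings

# Constructed sample (not a real capture): one lure subject plus one padded attachment.
SAMPLE = """\
Subject: Miss Lebanon 2006
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="WinZip.zip                    .sCR"

ABC
--b1--
"""
```

Calling scan_message(SAMPLE) reports both the lure subject and the padded attachment name; on a gateway the same functions would run over each inbound message.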

Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

  • \Admin$\WINZIP_TMP.exe
  • \c$\WINZIP_TMP.exe
  • \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe




