

Email-Worm:W32/VB.BI


Aliases:


WORM_GREW.A
W32/Nyxem-D
Email-Worm.Win32.Nyxem.e
W32.Blackmal.E@mm
Blackmail

Malware
Email-Worm
W32

Summary

A worm that spreads via e-mail, usually in infected executable e-mail file attachments.



Disinfection & Removal


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.


Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details

Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread via remote shares. It also attempts to disable several security-related programs.


Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled to p-code. The main executable is about 95 kilobytes in size. When executed, it first copies itself to several locations:

  • %Windows%\rundll16.exe
  • %System%\scanregw.exe
  • %System%\Update.exe
  • %System%\Winzip.exe

where '%Windows%' represents the Windows folder (usually C:\WINDOWS on Windows XP) and '%System%' the system32 folder. To ensure that it is started on every system startup, the worm installs the following registry Run entry:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (E-mail)

The worm collects e-mail addresses from files with the following extensions:

  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF

and from files whose names contain one of the following strings:

  • CONTENT
  • TEMPORARY

The worm sends itself as an attachment to the infected e-mail. The e-mail subject is one of the following:

  • The Best Videoclip Ever
  • School girl fantasies gone bad
  • A Great Video
  • F* Kama Sutra pics
  • Arab sex DSC-00465.jpg
  • give me a kiss
  • *Hot Movie*
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Re:
  • Fw:
  • Part 1 of 6 Video clipe
  • You Must View This Videoclip!
  • Miss Lebanon 2006
  • Re: Sex Video
  • My photos

The message body may be one of the following:

  • Note: forwarded message attached.
  • Hot XXX Yahoo Groups
  • F* Kama Sutra pics
  • ready to be F*CKED ;)
  • forwarded message attached.
  • VIDEOS! FREE! (US$ 0,00)
  • i attached the details. Thank you.
  • >> forwarded message
  • ----- forwarded message -----
  • i just any one see my photos. It's Free :)

The worm can attach itself as a plain executable file, using one of the following attachment names:

  • 007.pif
  • School.pif
  • 04.pif
  • photo.pif
  • DSC-00465.Pif
  • image04.pif
  • 677.pif
  • New_Document_file.pif
  • eBook.PIF
  • document.pif
  • DSC-00465.pIf

Sometimes the worm MIME-encodes the file; in these cases the attachment name is one of the following:

  • Attachments[001].B64
  • 3.92315089702606E02.UUE
  • SeX.mim
  • Original Message.B64
  • WinZip.BHX
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu

The filename inside the MIME encoding is one of the following, where '[spaces]' denotes a run of space characters inserted before the real .sCR extension:

  • Attachments[001].B64 [spaces] .sCR
  • 3.92315089702606E02.UUE [spaces] .sCR
  • SeX,zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • ATT01.zip [spaces] .sCR
  • Word.zip [spaces] .sCR
  • Word XP.zip [spaces] .sCR

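As an added defender-side example (not part of the F-Secure description), the following Python check exposes the attachment-naming pattern listed above: a decoy extension such as .zip or .B64, a run of padding spaces, and then the real executable extension. The sample names are constructed to follow those patterns, and the check also covers unpadded double extensions like archive.zip.scr, which is a generalisation of mine.

```python
import os

# File types Windows runs as programs; .pif and .scr are the ones this worm
# uses for its plain attachments and for the filenames hidden inside MIME.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd", ".vbs"}

# Constructed sample attachment names following the patterns described above;
# the long run of spaces pushes the real extension out of view in mail clients.
PAD = " " * 40
SAMPLES = [
    "Word.zip" + PAD + ".sCR",             # decoy .zip, padded, real .scr
    "Attachments[001].B64" + PAD + ".sCR",  # decoy .B64, padded, real .scr
    "DSC-00465.pIf",                       # plain executable, mixed-case ext
    "photo.pif",                           # plain executable
    "holiday.jpg",                         # harmless
    "Minutes 2006.doc",                    # inner space, no padding: harmless
]


def analyze_attachment(name: str) -> dict:
    """Split an attachment name into its real (last) extension, the decoy
    extension shown before any space padding, and a verdict."""
    trimmed = name.rstrip()
    real_ext = os.path.splitext(trimmed)[1].lower()
    stem = trimmed[: -len(real_ext)] if real_ext else trimmed
    # Two or more spaces directly before the real extension is the padding trick.
    padded = stem.endswith("  ")
    decoy_ext = os.path.splitext(stem.rstrip())[1].lower()

    if real_ext in EXECUTABLE_EXTS and (padded or decoy_ext):
        verdict = "executable-disguised"
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"
    else:
        verdict = "benign"
    return {"name": name, "real_ext": real_ext, "decoy_ext": decoy_ext,
            "padded": padded, "verdict": verdict}


def flag_attachments(names):
    """Return (name, verdict) for every attachment a mail gateway should hold."""
    return [(r["name"], r["verdict"]) for r in map(analyze_attachment, names)
            if r["verdict"] != "benign"]


if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLES):
        print(f"{verdict:22s} {name.strip()!r}")
```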
Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

  • \Admin$\WINZIP_TMP.exe
  • \c$\WINZIP_TMP.exe
  • \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe




Description Created: 2006-01-18 11:22:22.0
Description Last Modified: 2010-07-28 05:43:34.0


