Summary
Email-Worm:W32/VB.FW is a type of worm that uses email as its spreading vector.
Removal
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
- Check for the latest database updatesFirst, check if your F-Secure security program is using the latest updates, then try scanning the file again.
- Submit a sampleAfter checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
- Exclude a file from further scanningIf you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.Note: You need administrative rights to change the settings.
Technical Details
This mass mailing worm attempts to send copies of itself to email addresses harvested from the infected system. Upon execution it creates copies of itself to the following locations:
- %startup%\adodb.cmd
- %system%\%number%.exe
- %system%\%number%\%number%.cmd
- %system%\moonlight.scr
- %userprofile%\Templates\%number%\%number%.exe
- %userprofile%\Templates\%number%\service.exe
- %userprofile%\Templates\%number%\winlogon.exe
- %windows%\%number%.exe
- %windows%\%number%.exe
- %windows%\%number%\%number%.com
- %windows%\%number%\smss.exe
- %windows%\%number%\system.exe
- %windows%\lsass.exe
The following clean files are also dropped on the system:
- %system%\crtsys.dll
- %windows%\MoonLight.tx
- %windows%\system\msvbvm60.dll
To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools=dword:00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %number%="%system%\%number%.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %number%="%WINDOWS%\%number%.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\msconfig.exe debugger="%windows%\notepad.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\regedit.exe debugger="%windows%\notepad.exe"
- HKEY_CLASSES_ROOT\exefile default="File Folder"
- HKEY_CLASSES_ROOT\scrfile default="File Folder"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden=dword:00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt=dword:00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState FullPath=dword:00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile default="File Folder"
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile default="File Folder"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden UncheckedValue=dword:00000000
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Startup = "%system%\%number%"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell="explorer.exe, "%userprofile%\Templates\%number%\%number%.exe""
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot AlternateShell="%number%.exe"
The worm then deletes registry keys with following strings:
- ADie suka kamu
- AllMyBallance
- Alumni Smansa
- AutoSupervisor
- BabelPath
- Bron-Spizaetus
- Bron-Spizaetus-cfirltrx
- Bron-Spizaetus-cgglmmrv
- CueX44_stil_here
- dago
- dkernel
- DllHost
- Driver
- drv_st_key
- lexplorer
- MomentEverComes
- MSMSG
- norman zanda
- norman_zanda
- Pluto
- Putri_Bangka
- Putri_Indonesia
- SaTRio ADie X
- service
- SMA_nya_Artika
- SMAN1_Pangkalpinang
- SysDiaz
- SysRia
- SysYuni
- Task
- templog
- Tok-Cirrhatus
- Tok-Cirrhatus-1101
- TryingToSpeak
- ViriSetup
- Winamp
- winfix
- WinUpdateSupervisor
- Word
- YourUnintended
- YourUnintendes
It deletes the files matching the following:
- \ShellNew\*.exe
- CintaButa*
- eksplorasi*
- FirstLove.exe*
- KesenjanganSosial.exe
- MyHeart.exe
- Romantic*
P2P Propagation
While Traversing directories, the malware monitors if the folder contains any of the following strings:
- download
- upload
- share
It then copies itself to these directories using the following file names:
- BlueFilm.exe
- Data %username%.exe
- Foto %username%.exe
- Gudang Lagu.exe
- JanganDibuka.exe
- New Folder(2).exe
- New Folder.exe
- Porn %username%.exe
- Program TA.scr
- Wallpeper.scr
It copies itself to all folders as:
- \%foldername%\%foldername%.exe
email Propagation
The malware arrives as an attachment to email message. The subject line uses one of the following strings:
- Agnes Monica pic's
- Cek This
- Fucking With Me :D
- hello
- hey Indonesian porn
- Hot ...
- Japannes Porn
- miss Indonesian
- Tolong
- Tolong Aku..
The from field uses one of the following:
- admin
- Agnes
- Ami
- Anata
- astaga
- boleh
- Cicilia
- Claudia
- CoolMan
- Davis
- Emily
- Fransisca
- Fransiska
- Fria
- gaul
- HellSpawn
- Hilda
- Ida
- indo
- Joe
- Julia
- JuwitaNingrum
- Lanelitta
- Lia
- Linda
- Nadine
- Nana
- Natalia
- PLASA
- Riri
- Rita
- sasuke
- SaZZA
- sisilia
- Susi
- telkom
- Titta
- untukmu2
- Valentina
- Vivi
- warung
The body of the message contains one of the following strings:
- aku mahasiswa BSI Margonda smt 4
- Aku Mencari Wanita yang aku Cintai
- dan cara menggunakan email mass
- di lampiran ini terdapat curriculum vittae dan foto saya
- foto dan data Wanita tsb Thank's
- ini adalah cara terakhirku ,di lampiran ini terdapat
- NB:Mohon di teruskan kesahabat anda
- oh ya aku tahu anda dr milis ilmu komputer
- please read again what i have written to you
- yah aku sedang membutuhkan pekerjaan
The attachment is named one of the following:
- Doc.gz
- file.bz2
- hell.zip
- Miyabi.zip
- nadine.ace
- need you.jar
- thisfile.gz
- video.bz2
The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:
- ASP
- EML
- HTML
- JS
- PHP
- PL
- RTF
- SPX
- TML
- TXT
The malware avoids certain addresses; those using the any of the following strings:
- avira
- mcafee
- microsoft
- MoonMail
- nipsvc
- norman
- Norman NJeeves
- Norman Zanda
- norton
- novell
- nvcoas
- panda
- security
- sophos
- suport
- Syman
- Trend
- vaksin
- virus
- virus
- www.
- yourdomain
- yoursite
The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient email server, prepending the target domain name with the following strings:
- gate.
- mail.
- mail1.
- mx.
- mx1.
- mxs.
- ns1.
- relay.
- smtp.
Payload
The malware drops a payload file that contains the following text:
- :: I-Worm.MoonLight.J :: Indonesian VM Society Created By HellsPawn a.K.a B4bb1Cool Can't You Handle It Don't Panic , all of data are safe
Denial of Service
It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:
- www.bp.com
- www.bsi.ac.id
- www.vaksin.com
Keylogger
The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.
Backdoor
With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.
Process Termination
In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:
- bront
- cmd
- command
- currprocess
- dengines
- filewalker
- OfficeSystem
- Process Explorer
- Process mon
- regedit
- Restore
- Romantic
- security task manager
- sensasi
Protect your devices from malware with F‑Secure Total
Protecting your devices from malicious software is essential for maintaining online security. F‑Secure Total makes this easy, helping you to secure your devices in a brilliantly simple way.
- Award‑winning antivirus and malware protection
- Online browsing, banking, and shopping protection
- 24/7 online identity and data breach monitoring
- Unlimited VPN service to safeguard your privacy
- Password manager with private data protection
Choose how many devices you want to protect to get started.
- Free customer support
- Cancel anytime
- The trial does not obligate you to buy the product
After 30 days your subscription will renew automatically for one year at €69.99.
)
)
More Support
Community
Ask questions in our Community.
User guides
Check the user guide for instructions.
Contact Support
Chat with with or call an agent.
Submit a Sample
Submit a file or URL for analysis.