Email-Worm:W32/VB.FW

This mass mailing worm attempts to send copies of itself to email addresses harvested from the infected system. Upon execution it creates copies of itself to the following locations:

• %startup%\adodb.cmd
• %system%\%number%.exe
• %system%\%number%\%number%.cmd
• %system%\moonlight.scr
• %userprofile%\Templates\%number%\%number%.exe
• %userprofile%\Templates\%number%\service.exe
• %userprofile%\Templates\%number%\winlogon.exe
• %windows%\%number%.exe
• %windows%\%number%.exe
• %windows%\%number%\%number%.com
• %windows%\%number%\smss.exe
• %windows%\%number%\system.exe
• %windows%\lsass.exe

The following clean files are also dropped on the system:

• %system%\crtsys.dll
• %windows%\MoonLight.tx
• %windows%\system\msvbvm60.dll

To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools=dword:00000001
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %number%="%system%\%number%.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %number%="%WINDOWS%\%number%.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\msconfig.exe debugger="%windows%\notepad.exe"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\regedit.exe debugger="%windows%\notepad.exe"
• HKEY_CLASSES_ROOT\exefile default="File Folder"
• HKEY_CLASSES_ROOT\scrfile default="File Folder"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden=dword:00000000
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt=dword:00000001
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState FullPath=dword:00000001
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile default="File Folder"
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile default="File Folder"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden UncheckedValue=dword:00000000
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Startup = "%system%\%number%"
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell="explorer.exe, "%userprofile%\Templates\%number%\%number%.exe""
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot AlternateShell="%number%.exe"

The worm then deletes registry keys with following strings:

• ADie suka kamu
• AllMyBallance
• Alumni Smansa
• AutoSupervisor
• BabelPath
• Bron-Spizaetus
• Bron-Spizaetus-cfirltrx
• Bron-Spizaetus-cgglmmrv
• CueX44_stil_here
• dago
• dkernel
• DllHost
• Driver
• drv_st_key
• lexplorer
• MomentEverComes
• MSMSG
• norman zanda
• norman_zanda
• Pluto
• Putri_Bangka
• Putri_Indonesia
• SaTRio ADie X
• service
• SMA_nya_Artika
• SMAN1_Pangkalpinang
• SysDiaz
• SysRia
• SysYuni
• Task
• templog
• Tok-Cirrhatus
• Tok-Cirrhatus-1101
• TryingToSpeak
• ViriSetup
• Winamp
• winfix
• WinUpdateSupervisor
• Word
• YourUnintended
• YourUnintendes

It deletes the files matching the following:

• \ShellNew\*.exe
• CintaButa*
• eksplorasi*
• FirstLove.exe*
• KesenjanganSosial.exe
• MyHeart.exe
• Romantic*

P2P Propagation

While Traversing directories, the malware monitors if the folder contains any of the following strings:

• download
• upload
• share

It then copies itself to these directories using the following file names:

• BlueFilm.exe
• Data %username%.exe
• Foto %username%.exe
• Gudang Lagu.exe
• JanganDibuka.exe
• New Folder(2).exe
• New Folder.exe
• Porn %username%.exe
• Program TA.scr
• Wallpeper.scr

It copies itself to all folders as:

• \%foldername%\%foldername%.exe

email Propagation

The malware arrives as an attachment to email message. The subject line uses one of the following strings:

• Agnes Monica pic's
• Cek This
• Fucking With Me :D
• hello
• hey Indonesian porn
• Hot ...
• Japannes Porn
• miss Indonesian
• Tolong
• Tolong Aku..

The from field uses one of the following:

• admin
• Agnes
• Ami
• Anata
• astaga
• boleh
• Cicilia
• Claudia
• CoolMan
• Davis
• Emily
• Fransisca
• Fransiska
• Fria
• gaul
• HellSpawn
• Hilda
• Ida
• indo
• Joe
• Julia
• JuwitaNingrum
• Lanelitta
• Lia
• Linda
• Nadine
• Nana
• Natalia
• PLASA
• Riri
• Rita
• sasuke
• SaZZA
• sisilia
• Susi
• telkom
• Titta
• untukmu2
• Valentina
• Vivi
• warung

The body of the message contains one of the following strings:

• aku mahasiswa BSI Margonda smt 4
• Aku Mencari Wanita yang aku Cintai
• dan cara menggunakan email mass
• di lampiran ini terdapat curriculum vittae dan foto saya
• foto dan data Wanita tsb Thank's
• ini adalah cara terakhirku ,di lampiran ini terdapat
• NB:Mohon di teruskan kesahabat anda
• oh ya aku tahu anda dr milis ilmu komputer
• please read again what i have written to you
• yah aku sedang membutuhkan pekerjaan

The attachment is named one of the following:

• Doc.gz
• file.bz2
• hell.zip
• Miyabi.zip
• nadine.ace
• need you.jar
• thisfile.gz
• video.bz2

The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:

• ASP
• EML
• HTML
• JS
• PHP
• PL
• RTF
• SPX
• TML
• TXT

The malware avoids certain addresses; those using the any of the following strings:

• avira
• mcafee
• microsoft
• MoonMail
• nipsvc
• norman
• Norman NJeeves
• Norman Zanda
• norton
• novell
• nvcoas
• panda
• security
• sophos
• suport
• Syman
• Trend
• vaksin
• virus
• virus
• www.
• yourdomain
• yoursite

The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient email server, prepending the target domain name with the following strings:

• gate.
• mail.
• mail1.
• mx.
• mx1.
• mxs.
• ns1.
• relay.
• smtp.

Payload

The malware drops a payload file that contains the following text:

• :: I-Worm.MoonLight.J :: Indonesian VM Society Created By HellsPawn a.K.a B4bb1Cool Can't You Handle It Don't Panic , all of data are safe

Denial of Service

It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:

• www.bp.com
• www.bsi.ac.id
• www.vaksin.com

Keylogger

The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.

Backdoor

With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.

Process Termination

In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:

• bront
• cmd
• command
• currprocess
• dengines
• filewalker
• OfficeSystem
• Process Explorer
• Process mon
• regedit
• Restore
• Romantic
• security task manager
• sensasi