VB.AS

Threat description

Details

CATEGORYMalware
TYPETrojan

Summary

VB.AS, a variant of VB, is a Trojan. VB.AS collects e-mail addresses and is used by spammers to send e-mails from infected computers. VB.AS modifies registry keys and shows fake error messages.



Removal

Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Upon execution, VB.AS, detected as Email-Worm.Win32.VB.as, displays a fake message: "File Error: [number]".

It then creates copies of itself in the following folders as:

  • %Temp% - (usually C:\Documents and Settings\[user]\Local Settings\Temp\ )
    • Horror.vbe
    • LSASS.exe
    • Service.exe
    • SVCHOST.exe
    • Winword.exe
  • %SystemDrive% - (usually C:\ )
    • COMAND.com
    • Spiderman.exe

It also creates the following registry entries to automatically launch when Windows starts:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] AVPScaner "C:\Documents and Settings\[user]\Local Settings\Temp\"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] HostNet Service "C:\Documents and Settings\[user]\Local Settings\Temp\"

Additional registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Symantecs\Ver] Ver " 50"

It also searches for possible e-mail addresses from all htm files found on the harddrive. All gathered data will be saved in the registry as follows:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\FileList] List of htm files scanned for e-mail addresses
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressList] List of e-mail addresses gathered
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Names] List of gathered names from the e-mail addresses (ex. 'myname@' from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Servers] List of gathered domain name the e-mail addresses (ex. 'domain.com from myname@domain.com)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\AdressAlList] List of all possible combination of e-mail addresses based from the gathered names and domains
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Activar] Indicates that the malware is active
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Records\Scaneado] Indicates that the malware has performed scan

Notes:

  • %Temp% - usually C:\Documents and Settings\[user]\Local Settings\Temp\
  • %SystemDrive% - usually C:\
  • [user] - is the current user

Description Created: 2006-10-04 08:15:33.0

Description Last Modified: 2006-10-04 16:06:56.0

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info