Threat Description

Email-Worm:W32/VB.BI

Details

Aliases: WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.Nyxem.e, W32.Blackmal.E@mm, Blackmail
Category: Malware
Type: Email-Worm
Platform: W32

Summary


A worm that spreads via e-mail, usually in infected executable e-mail file attachments.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details


Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread through remote network shares. It also attempts to disable several security-related programs.

Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

  • %Windows%\rundll16.exe
  • %System%\scanregw.exe
  • %System%\Update.exe
  • %System%\Winzip.exe

where '%Windows%' represents the Windows system folder (on Windows XP systems this is usually C:\WINDOWS) and '%System%' is the System32 folder beneath it. The worm installs the following registry value to ensure it is started at system startup:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (E-mail)

The worm collects e-mail addresses from files with the following extensions:

  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF

and from files whose names contain one of the following strings:

  • CONTENT
  • TEMPORARY

The worm sends itself as an attachment of the infected e-mail. The e-mail subject is one of the following:

  • The Best Videoclip Ever
  • School girl fantasies gone bad
  • A Great Video
  • F* Kama Sutra pics
  • Arab sex DSC-00465.jpg
  • give me a kiss
  • *Hot Movie*
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Re:
  • Fw:
  • Part 1 of 6 Video clipe
  • You Must View This Videoclip!
  • Miss Lebanon 2006
  • Re: Sex Video
  • My photos

The message body may be one of the following:

  • Note: forwarded message attached.
  • Hot XXX Yahoo Groups
  • F* Kama Sutra pics
  • ready to be F*CKED ;)
  • Note: forwarded message attached.
  • forwarded message attached.
  • VIDEOS! FREE! (US$ 0,00)
  • i attached the details. Thank you.
  • >> forwarded message
  • ----- forwarded message -----
  • i just any one see my photos. It's Free :)

The worm can attach itself as an executable file, using one of the following attachment names:

  • 007.pif
  • School.pif
  • 04.pif
  • photo.pif
  • DSC-00465.Pif
  • image04.pif
  • 677.pif
  • New_Document_file.pif
  • eBook.PIF
  • document.pif
  • DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:

  • Attachments[001].B64
  • 3.92315089702606E02.UUE
  • SeX.mim
  • Original Message.B64
  • WinZip.BHX
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu

The filename inside the MIME encoding is one of the following:

  • Attachments[001].B64 [spaces] .sCR
  • 3.92315089702606E02.UUE [spaces] .sCR
  • SeX,zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • ATT01.zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • Word.zip [spaces] .sCR
  • Word XP.zip [spaces] .sCR

Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

  • \Admin$\WINZIP_TMP.exe
  • \c$\WINZIP_TMP.exe
  • \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
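An added example, not part of the F-Secure description: a small Python triage helper built from the indicators above. It flags the lure attachment names, the "[spaces] .sCR" padded-extension trick used inside the MIME-encoded attachments, and the "ScanRegistry" Run value pointing at %System%\scanregw.exe. The function names, the SAMPLE_MAIL message and the registry dictionary are constructed for illustration.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional, Tuple

# Attachment names listed in the description, matched case-insensitively.
PLAIN_LURES = {"007.pif", "school.pif", "04.pif", "photo.pif", "dsc-00465.pif",
               "image04.pif", "677.pif", "new_document_file.pif", "ebook.pif",
               "document.pif"}
ENCODED_LURES = {"attachments[001].b64", "3.92315089702606e02.uue", "sex.mim",
                 "original message.b64", "winzip.bhx", "ebook.uu",
                 "word_document.hqx", "word_document.uu"}
# The "[spaces] .sCR" trick: a harmless-looking name, a run of spaces, then a
# screensaver/executable extension that the padding pushes out of view.
PADDED_EXT = re.compile(r"\S\s{2,}\.(scr|pif|exe)$", re.IGNORECASE)

def suspicious_filename(name: str) -> Optional[str]:
    """Return a reason if an attachment name matches the worm's patterns, else None."""
    low = name.lower()
    if low in PLAIN_LURES:
        return "known lure attachment name"
    if low in ENCODED_LURES:
        return "known MIME-encoded lure name"
    if PADDED_EXT.search(name):
        return "executable extension hidden behind padding"
    return None

def triage_message(raw: str) -> List[Tuple[str, str]]:
    """Walk a raw RFC 822 message and return (filename, reason) for suspicious parts."""
    hits = []
    for part in message_from_string(raw).walk():
        fname = part.get_filename()
        reason = suspicious_filename(fname) if fname else None
        if reason:
            hits.append((fname, reason))
    return hits

def run_key_hit(run_values: Dict[str, str]) -> bool:
    """Flag exported Run values (name -> data) holding the worm's "ScanRegistry" entry."""
    data = run_values.get("ScanRegistry", "").strip('"').lower()
    return data.endswith("\\system32\\scanregw.exe")

# Constructed sample message (not captured mail) built from the subject, body and
# padded attachment name lists above; the payload bytes are omitted.
SAMPLE_MAIL = (
    'Subject: Fwd: Photo\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nNote: forwarded message attached.\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="SeX,zip' + " " * 40 + '.sCR"\r\n\r\n'
    "(payload omitted)\r\n--b1--\r\n"
)
```

The same padding check applies to any mail gateway that exposes decoded attachment names; the registry check expects a plain name-to-data export of the HKLM Run key.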




Description Created: 2006-01-18 11:22:22.0

Description Last Modified: 2010-07-28 05:43:34.0

