A worm that spreads via email, usually in infected executable email file attachments.
If the infection is in a local network, please follow the instructions on this webpage:
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.The worm attempts to disable several security-related programs.
Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:
where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup:
The worm collects email addresses from files with following extensions:
And from the files with the following string in name:
The worm sends itself as attachment in the infected email. The email subject is one the following:
The message body may be one of the following:
The worm can attach itself as executable file. It uses one the following names in attachment:
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
The filename inside MIME-encoding is one of the following:
The worm searches for remote shared folders and tries to copy itself using one of the following filenames:
Description Created: 2006-01-18 11:22:22.0
Description Last Modified: 2010-07-28 05:43:34.0