Summary
A worm that spreads via e-mail, usually in infected executable e-mail file attachments.
Removal
Automatic action
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More scanning & removal options
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Technical Details
Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.The worm attempts to disable several security-related programs.
Installation
Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:
- %Windows%\rundll16.exe
- %System%\scanregw.exe
- %System%\Update.exe
- %System%\Winzip.exe
where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup:
- [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"
Propagation (E-mail)
The worm collects e-mail addresses from files with following extensions:
- .HTM
- .DBX
- .EML
- .MSG
- .OFT
- .NWS
- .VCF
- .MBX
- .IMH
- .TXT
- .MSF
And from the files with the following string in name:
- CONTENT
- TEMPORARY
The worm sends itself as attachment in the infected e-mail. The e-mail subject is one the following:
- The Best Videoclip Ever
- School girl fantasies gone bad
- A Great Video
- F* Kama Sutra pics
- Arab sex DSC-00465.jpg
- give me a kiss
- *Hot Movie*
- Fw: Funny :)
- Fwd: Photo
- Fwd: image.jpg
- Fw: Sexy
- Re:
- Fw:
- Part 1 of 6 Video clipe
- You Must View This Videoclip!
- Miss Lebanon 2006
- Re: Sex Video
- My photos
The message body may be one of the following:
- Note: forwarded message attached.
- Hot XXX Yahoo Groups
- F* Kama Sutra pics
- ready to be F*CKED ;)
- Note: forwarded message attached.
- forwarded message attached.
- VIDEOS! FREE! (US$ 0,00)
- i attached the details. Thank you.
- >> forwarded message
- ----- forwarded message -----
- i just any one see my photos. It's Free :)
The worm can attach itself as executable file. It uses one the following names in attachment:
- 007.pif
- School.pif
- 04.pif
- photo.pif
- DSC-00465.Pif
- image04.pif
- 677.pif
- New_Document_file.pif
- eBook.PIF
- document.pif
- DSC-00465.pIf
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
- Attachments[001].B64
- 3.92315089702606E02.UUE
- SeX.mim
- Original Message.B64
- WinZip.BHX
- eBook.Uu
- Word_Document.hqx
- Word_Document.uu
The filename inside MIME-encoding is one of the following:
- Attachments[001].B64 [spaces] .sCR
- 3.92315089702606E02.UUE [spaces] .sCR
- SeX,zip [spaces] .sCR
- WinZip.zip [spaces] .sCR
- ATT01.zip [spaces] .sCR
- WinZip.zip [spaces] .sCR
- Word.zip [spaces] .sCR
- Word XP.zip [spaces] .sCR
Propagation (Shared Folders)
The worm searches for remote shared folders and tries to copy itself using one of the following filenames:
- \Admin$\WINZIP_TMP.exe
- \c$\WINZIP_TMP.exe
- \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
Description Created: 2006-01-18 11:22:22.0
Description Last Modified: 2010-07-28 05:43:34.0