Email-Worm: W32/VB.BI

Summary

---

A worm that spreads via e-mail, usually in infected executable e-mail file attachments.

Removal

---

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

• Eliminating a Local Network Outbreak

Technical Details

---

Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.The worm attempts to disable several security-related programs.

Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

• %Windows%\rundll16.exe
• %System%\scanregw.exe
• %System%\Update.exe
• %System%\Winzip.exe

where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup:

• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (E-mail)

The worm collects e-mail addresses from files with following extensions:

• .HTM
• .DBX
• .EML
• .MSG
• .OFT
• .NWS
• .VCF
• .MBX
• .IMH
• .TXT
• .MSF

And from the files with the following string in name:

• CONTENT
• TEMPORARY

The worm sends itself as attachment in the infected e-mail. The e-mail subject is one the following:

• The Best Videoclip Ever
• School girl fantasies gone bad
• A Great Video
• F* Kama Sutra pics
• Arab sex DSC-00465.jpg
• give me a kiss
• *Hot Movie*
• Fw: Funny :)
• Fwd: Photo
• Fwd: image.jpg
• Fw: Sexy
• Re:
• Fw:
• Part 1 of 6 Video clipe
• You Must View This Videoclip!
• Miss Lebanon 2006
• Re: Sex Video
• My photos

The message body may be one of the following:

• Note: forwarded message attached.
• Hot XXX Yahoo Groups
• F* Kama Sutra pics
• ready to be F*CKED ;)
• Note: forwarded message attached.
• forwarded message attached.
• VIDEOS! FREE! (US$ 0,00)
• i attached the details. Thank you.
• >> forwarded message
• ----- forwarded message -----
• i just any one see my photos. It's Free :)

The worm can attach itself as executable file. It uses one the following names in attachment:

• 007.pif
• School.pif
• 04.pif
• photo.pif
• DSC-00465.Pif
• image04.pif
• 677.pif
• New_Document_file.pif
• eBook.PIF
• document.pif
• DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:

• Attachments[001].B64
• 3.92315089702606E02.UUE
• SeX.mim
• Original Message.B64
• WinZip.BHX
• eBook.Uu
• Word_Document.hqx
• Word_Document.uu

The filename inside MIME-encoding is one of the following:

• Attachments[001].B64 [spaces] .sCR
• 3.92315089702606E02.UUE [spaces] .sCR
• SeX,zip [spaces] .sCR
• WinZip.zip [spaces] .sCR
• ATT01.zip [spaces] .sCR
• WinZip.zip [spaces] .sCR
• Word.zip [spaces] .sCR
• Word XP.zip [spaces] .sCR

Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

• \Admin$\WINZIP_TMP.exe
• \c$\WINZIP_TMP.exe
• \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

Description Created: 2006-01-18 11:22:22.0

Description Last Modified: 2010-07-28 05:43:34.0