Email-Worm:W32/VB.BI

GO TO: Summary | Removal | Technical Details

Classification

Category: Malware

Type: Email-Worm

Platform: W32

Aliases: WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.Nyxem.e, W32.Blackmal.E@mm, Blackmail

Summary

A worm that spreads via email, usually in infected executable email file attachments.

Removal

Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Eliminating a Local Network Outbreak

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.The worm attempts to disable several security-related programs.

Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

%Windows%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe

where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (email)

The worm collects email addresses from files with following extensions:

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF

And from the files with the following string in name:

CONTENT
TEMPORARY

The worm sends itself as attachment in the infected email. The email subject is one the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
F* Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

The message body may be one of the following:

Note: forwarded message attached.
Hot XXX Yahoo Groups
F* Kama Sutra pics
ready to be F*CKED ;)
Note: forwarded message attached.
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
i attached the details. Thank you.
>> forwarded message
----- forwarded message -----
i just any one see my photos. It's Free :)

The worm can attach itself as executable file. It uses one the following names in attachment:

007.pif
School.pif
04.pif
photo.pif
DSC-00465.Pif
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:

Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu

The filename inside MIME-encoding is one of the following:

Attachments[001].B64 [spaces] .sCR
3.92315089702606E02.UUE [spaces] .sCR
SeX,zip [spaces] .sCR
WinZip.zip [spaces] .sCR
ATT01.zip [spaces] .sCR
WinZip.zip [spaces] .sCR
Word.zip [spaces] .sCR
Word XP.zip [spaces] .sCR

Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

Description Created: 2006-01-18 11:22:22.0

Description Last Modified: 2010-07-28 05:43:34.0