Email-Worm:W32/VB.BI

Summary

A worm that spreads via e-mail, usually in infected executable e-mail file attachments.

Technical Details

Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.The worm attempts to disable several security-related programs.

Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

• %Windows%\rundll16.exe
• %System%\scanregw.exe
• %System%\Update.exe
• %System%\Winzip.exe

where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup:

• [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (E-mail)

The worm collects e-mail addresses from files with following extensions:

• .HTM
• .DBX
• .EML
• .MSG
• .OFT
• .NWS
• .VCF
• .MBX
• .IMH
• .TXT
• .MSF

And from the files with the following string in name:

• CONTENT
• TEMPORARY

The worm sends itself as attachment in the infected e-mail. The e-mail subject is one the following:

• The Best Videoclip Ever
• School girl fantasies gone bad
• A Great Video
• F* Kama Sutra pics
• Arab sex DSC-00465.jpg
• give me a kiss
• *Hot Movie*
• Fw: Funny :)
• Fwd: Photo
• Fwd: image.jpg
• Fw: Sexy
• Re:
• Fw:
• Part 1 of 6 Video clipe
• You Must View This Videoclip!
• Miss Lebanon 2006
• Re: Sex Video
• My photos

The message body may be one of the following:

• Note: forwarded message attached.
• Hot XXX Yahoo Groups
• F* Kama Sutra pics
• ready to be F*CKED ;)
• Note: forwarded message attached.
• forwarded message attached.
• VIDEOS! FREE! (US$ 0,00)
• i attached the details. Thank you.
• >> forwarded message
• ----- forwarded message -----
• i just any one see my photos. It's Free :)

The worm can attach itself as executable file. It uses one the following names in attachment:

• 007.pif
• School.pif
• 04.pif
• photo.pif
• DSC-00465.Pif
• image04.pif
• 677.pif
• New_Document_file.pif
• eBook.PIF
• document.pif
• DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:

• Attachments[001].B64
• 3.92315089702606E02.UUE
• SeX.mim
• Original Message.B64
• WinZip.BHX
• eBook.Uu
• Word_Document.hqx
• Word_Document.uu

The filename inside MIME-encoding is one of the following:

• Attachments[001].B64 [spaces] .sCR
• 3.92315089702606E02.UUE [spaces] .sCR
• SeX,zip [spaces] .sCR
• WinZip.zip [spaces] .sCR
• ATT01.zip [spaces] .sCR
• WinZip.zip [spaces] .sCR
• Word.zip [spaces] .sCR
• Word XP.zip [spaces] .sCR

Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

• \Admin$\WINZIP_TMP.exe
• \c$\WINZIP_TMP.exe
• \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe