A worm that spreads via e-mail, usually in infected executable e-mail file attachments.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
If the infection is in a local network, please follow the instructions on this webpage:
Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. The worm also attempts to disable several security-related programs.
Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:
where '%Windows%' represents the system Windows folder. On Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key to ensure it is started on system startup:
The worm collects e-mail addresses from files with the following extensions:
It also collects addresses from files with the following string in their name:
The worm sends itself as an attachment in the infected e-mail. The e-mail subject is one of the following:
The message body may be one of the following:
The worm can attach itself as an executable file. It uses one of the following names for the attachment:
Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:
The filename inside the MIME encoding is one of the following:
The worm searches for remote shared folders and tries to copy itself using one of the following filenames:
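An added example (not F-Secure's code) of a mail-gateway check for the attachment behaviour described above: it flags executable-named attachments and also looks inside an attachment that is itself a MIME-encoded file, where the outer attachment name differs from the filename inside. The extension list, function names and sample message are constructed for illustration, and the check assumes the wrapped file begins with its own MIME headers.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list of executable extensions (not taken from the page).
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

def is_executable_name(name):
    # Windows ignores trailing dots and spaces, so strip them before matching.
    return bool(name) and name.lower().rstrip(". ").endswith(EXEC_EXT)

def looks_like_mime(data):
    # Heuristic (assumption): MIME headers near the start of the decoded attachment.
    head = data[:512].lower()
    return b"content-type:" in head or b"content-transfer-encoding:" in head

def scan_message(raw, depth=0, max_depth=3):
    """Return (depth, filename) for each executable-named attachment.
    depth > 0 means it was found inside an attachment that is itself a
    MIME-encoded file, where the outer name hides the inner one."""
    hits = []
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_executable_name(name):
            hits.append((depth, name))
            continue
        body = part.get_payload(decode=True) or b""
        if name and depth < max_depth and looks_like_mime(body):
            hits.extend(scan_message(body, depth + 1, max_depth))
    return hits

def build_sample():
    # Constructed sample: names and bytes are invented for this example.
    inner = EmailMessage()
    inner.set_content(b"MZ-constructed", maintype="application",
                      subtype="octet-stream", filename="photo.scr")
    outer = EmailMessage()
    outer["Subject"] = "constructed sample"
    outer.set_content("see attachment")
    outer.add_attachment(inner.as_bytes(), maintype="application",
                         subtype="octet-stream", filename="wrapped.dat")
    outer.add_attachment(b"MZ-constructed", maintype="application",
                         subtype="octet-stream", filename="direct.exe")
    return outer.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

A check that inspects only the outer attachment name would pass `wrapped.dat` in this sample; the recursion is what surfaces the inner `photo.scr`.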
Description Created: 2006-01-18 11:22:22.0
Description Last Modified: 2010-07-28 05:43:34.0