Email-Worm:W32/VB.BI

GO TO: Summary | Removal | Technical Details

Classification

Category:

Malware

Type:

Email-Worm

Platform:

W32

Aliases:

WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.Nyxem.e, W32.Blackmal.E@mm, Blackmail

Summary

A worm that spreads via email, usually in infected executable email file attachments.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Eliminating a Local Network Outbreak

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread using remote shares. It also tries to disable security-related software.The worm attempts to disable several security-related programs.

Installation

Email-Worm.Win32.VB.bi is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

%Windows%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe

where '%Windows%' presents the system Windows folder. In Windows XP systems, it is usually C:\WINDOWS. '%System%' is the system32 folder. The worm installs the following registry key for ensuring it will be started on system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"

Propagation (email)

The worm collects email addresses from files with following extensions:

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF

And from the files with the following string in name:

CONTENT
TEMPORARY

The worm sends itself as attachment in the infected email. The email subject is one the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
F* Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

The message body may be one of the following:

Note: forwarded message attached.
Hot XXX Yahoo Groups
F* Kama Sutra pics
ready to be F*CKED ;)
Note: forwarded message attached.
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
i attached the details. Thank you.
>> forwarded message
----- forwarded message -----
i just any one see my photos. It's Free :)

The worm can attach itself as executable file. It uses one the following names in attachment:

007.pif
School.pif
04.pif
photo.pif
DSC-00465.Pif
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be one of the following:

Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu

The filename inside MIME-encoding is one of the following:

Attachments[001].B64 [spaces] .sCR
3.92315089702606E02.UUE [spaces] .sCR
SeX,zip [spaces] .sCR
WinZip.zip [spaces] .sCR
ATT01.zip [spaces] .sCR
WinZip.zip [spaces] .sCR
Word.zip [spaces] .sCR
Word XP.zip [spaces] .sCR

Propagation (Shared Folders)

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

Date Created: 2006-01-18 11:22:22.0

Date Last Modified: 2010-07-28 05:43:34.0