Email-Worm:W32/VB.FW

Classification

Category :

Malware

Type :

Email-Worm

Platform :

W32

Aliases :

Virus.Win32.vb.ky

Summary

Email-Worm:W32/VB.FW is a type of worm that uses email as its spreading vector.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

Check for the latest database updates

First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample

After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning

If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

Note: You need administrative rights to change the settings.

Technical Details

This mass mailing worm attempts to send copies of itself to email addresses harvested from the infected system. Upon execution it creates copies of itself to the following locations:

%startup%\adodb.cmd
%system%\%number%.exe
%system%\%number%\%number%.cmd
%system%\moonlight.scr
%userprofile%\Templates\%number%\%number%.exe
%userprofile%\Templates\%number%\service.exe
%userprofile%\Templates\%number%\winlogon.exe
%windows%\%number%.exe
%windows%\%number%.exe
%windows%\%number%\%number%.com
%windows%\%number%\smss.exe
%windows%\%number%\system.exe
%windows%\lsass.exe

The following clean files are also dropped on the system:

%system%\crtsys.dll
%windows%\MoonLight.tx
%windows%\system\msvbvm60.dll

To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System DisableRegistryTools=dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %number%="%system%\%number%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run %number%="%WINDOWS%\%number%.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\msconfig.exe debugger="%windows%\notepad.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion \Image File Execution Options\regedit.exe debugger="%windows%\notepad.exe"
HKEY_CLASSES_ROOT\exefile default="File Folder"
HKEY_CLASSES_ROOT\scrfile default="File Folder"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden=dword:00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced HideFileExt=dword:00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState FullPath=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile default="File Folder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile default="File Folder"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden UncheckedValue=dword:00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Common Startup = "%system%\%number%"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell="explorer.exe, "%userprofile%\Templates\%number%\%number%.exe""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot AlternateShell="%number%.exe"

The worm then deletes registry keys with following strings:

ADie suka kamu
AllMyBallance
Alumni Smansa
AutoSupervisor
BabelPath
Bron-Spizaetus
Bron-Spizaetus-cfirltrx
Bron-Spizaetus-cgglmmrv
CueX44_stil_here
dago
dkernel
DllHost
Driver
drv_st_key
lexplorer
MomentEverComes
MSMSG
norman zanda
norman_zanda
Pluto
Putri_Bangka
Putri_Indonesia
SaTRio ADie X
service
SMA_nya_Artika
SMAN1_Pangkalpinang
SysDiaz
SysRia
SysYuni
Task
templog
Tok-Cirrhatus
Tok-Cirrhatus-1101
TryingToSpeak
ViriSetup
Winamp
winfix
WinUpdateSupervisor
Word
YourUnintended
YourUnintendes

It deletes the files matching the following:

\ShellNew\*.exe
CintaButa*
eksplorasi*
FirstLove.exe*
KesenjanganSosial.exe
MyHeart.exe
Romantic*

P2P Propagation

While Traversing directories, the malware monitors if the folder contains any of the following strings:

download
upload
share

It then copies itself to these directories using the following file names:

BlueFilm.exe
Data %username%.exe
Foto %username%.exe
Gudang Lagu.exe
JanganDibuka.exe
New Folder(2).exe
New Folder.exe
Porn %username%.exe
Program TA.scr
Wallpeper.scr

It copies itself to all folders as:

\%foldername%\%foldername%.exe

email Propagation

The malware arrives as an attachment to email message. The subject line uses one of the following strings:

Agnes Monica pic's
Cek This
Fucking With Me :D
hello
hey Indonesian porn
Hot ...
Japannes Porn
miss Indonesian
Tolong
Tolong Aku..

The from field uses one of the following:

admin
Agnes
Ami
Anata
astaga
boleh
Cicilia
Claudia
CoolMan
Davis
Emily
Fransisca
Fransiska
Fria
gaul
HellSpawn
Hilda
Ida
indo
Joe
Julia
JuwitaNingrum
Lanelitta
Lia
Linda
Nadine
Nana
Natalia
PLASA
Riri
Rita
sasuke
SaZZA
sisilia
Susi
telkom
Titta
untukmu2
Valentina
Vivi
warung

The body of the message contains one of the following strings:

aku mahasiswa BSI Margonda smt 4
Aku Mencari Wanita yang aku Cintai
dan cara menggunakan email mass
di lampiran ini terdapat curriculum vittae dan foto saya
foto dan data Wanita tsb Thank's
ini adalah cara terakhirku ,di lampiran ini terdapat
NB:Mohon di teruskan kesahabat anda
oh ya aku tahu anda dr milis ilmu komputer
please read again what i have written to you
yah aku sedang membutuhkan pekerjaan

The attachment is named one of the following:

Doc.gz
file.bz2
hell.zip
Miyabi.zip
nadine.ace
need you.jar
thisfile.gz
video.bz2

The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:

ASP
EML
HTML
JS
PHP
PL
RTF
SPX
TML
TXT

The malware avoids certain addresses; those using the any of the following strings:

avira
mcafee
microsoft
MoonMail
nipsvc
norman
Norman NJeeves
Norman Zanda
norton
novell
nvcoas
panda
security
sophos
suport
Syman
Trend
vaksin
virus
virus
www.
yourdomain
yoursite

The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient email server, prepending the target domain name with the following strings:

gate.
mail.
mail1.
mx.
mx1.
mxs.
ns1.
relay.
smtp.

Payload

The malware drops a payload file that contains the following text:

:: I-Worm.MoonLight.J :: Indonesian VM Society Created By HellsPawn a.K.a B4bb1Cool Can't You Handle It Don't Panic , all of data are safe

Denial of Service

It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:

www.bp.com
www.bsi.ac.id
www.vaksin.com

Keylogger

The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.

Backdoor

With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.

Process Termination

In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:

bront
cmd
command
currprocess
dengines
filewalker
OfficeSystem
Process Explorer
Process mon
regedit
Restore
Romantic
security task manager
sensasi

More Support

Community

Ask questions in our Community .

User Guides

Check the user guide for instructions.

Contact Support

Chat with or call an expert.

Submit a Sample

Submit a file or URL for analysis.