Email-Worm:W32/VB.BI

Classification

Malware

Email-Worm

W32

WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.Nyxem.e, W32.Blackmal.E@mm, Blackmail

Summary

A worm that spreads via email, usually in infected executable email file attachments.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.


Technical Details

Email-Worm:W32/VB.BI is a mass-mailing worm that also tries to spread by copying itself to remote network shares. It also attempts to disable several security-related programs.

Installation

The worm is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, it first copies itself to several locations:

  • %Windows%\rundll16.exe
  • %System%\scanregw.exe
  • %System%\Update.exe
  • %System%\Winzip.exe

where '%Windows%' represents the Windows folder (usually C:\WINDOWS on Windows XP) and '%System%' the System32 folder beneath it (usually C:\WINDOWS\system32). Note that the file names imitate legitimate Windows components (rundll32.exe, the Windows 9x Registry Checker scanregw.exe). The worm creates the following registry value so that it is started at every system startup:

  • [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe"
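As an added example (not F-Secure's code and not part of this write-up), the following Python checks a host triage snapshot for the installation artefacts listed above. The snapshot, the assumed Windows folder and the function names are illustrative assumptions; the check compares the executable path rather than the value name, because Windows 98 shipped a legitimate "ScanRegistry" Run entry pointing at %Windows%\scanregw.exe /autorun, and only the copy under %System% belongs to the worm.

```python
import ntpath

# Drop locations and the autorun value from the write-up, with the page's placeholders.
DROPPED_FILES = (
    r"%Windows%\rundll16.exe",
    r"%System%\scanregw.exe",
    r"%System%\Update.exe",
    r"%System%\Winzip.exe",
)
RUN_VALUE_NAME = "ScanRegistry"
RUN_VALUE_DATA = r"%System%\scanregw.exe"


def expand(path, windir):
    # Replace %Windows% and %System% for the given Windows folder (C:\WINDOWS on a typical XP host).
    return path.replace("%Windows%", windir).replace("%System%", ntpath.join(windir, "system32"))


def norm(path):
    # Case-insensitive, normalised form for comparison (NTFS paths compare case-insensitively).
    return ntpath.normpath(path).lower()


def executable_of(run_data):
    # Executable path from a Run value: surrounding quotes stripped, any " /switch" arguments dropped.
    return run_data.strip().strip('"').split(" /", 1)[0]


def check_snapshot(files, run_values, windir=r"C:\WINDOWS"):
    # files: full paths present on the host; run_values: {name: data} from the HKLM Run key.
    # Returns the matching indicators, empty when none match.
    present = {norm(f) for f in files}
    hits = []
    for drop in DROPPED_FILES:
        full = expand(drop, windir)
        if norm(full) in present:
            hits.append("file " + full)
    data = run_values.get(RUN_VALUE_NAME)
    # Windows 98's legitimate Registry Checker entry was named ScanRegistry too, but it pointed at
    # %Windows%\scanregw.exe /autorun; only the path under %System% is the worm's, so compare paths.
    if data is not None and norm(executable_of(data)) == norm(expand(RUN_VALUE_DATA, windir)):
        hits.append("Run value %s = %s" % (RUN_VALUE_NAME, data))
    return hits


# Constructed snapshot of an infected XP host (illustrative, not real triage output).
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\rundll16.exe",
    r"C:\WINDOWS\System32\SCANREGW.EXE",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SAMPLE_RUN = {
    "ScanRegistry": r"C:\WINDOWS\system32\scanregw.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for hit in check_snapshot(SAMPLE_FILES, SAMPLE_RUN):
        print(hit)
```

On a live host the same function can be fed the output of a file listing and an export of the Run key; the sample data here only stands in for that.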

Propagation (email)

The worm harvests email addresses from files with the following extensions:

  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF

and from files whose names contain one of the following strings:

  • CONTENT
  • TEMPORARY

The worm sends itself as an attachment of the infected email. The subject line is one of the following:

  • The Best Videoclip Ever
  • School girl fantasies gone bad
  • A Great Video
  • F* Kama Sutra pics
  • Arab sex DSC-00465.jpg
  • give me a kiss
  • *Hot Movie*
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Re:
  • Fw:
  • Part 1 of 6 Video clipe
  • You Must View This Videoclip!
  • Miss Lebanon 2006
  • Re: Sex Video
  • My photos

The message body may be one of the following:

  • Note: forwarded message attached.
  • Hot XXX Yahoo Groups
  • F* Kama Sutra pics
  • ready to be F*CKED ;)
  • Note: forwarded message attached.
  • forwarded message attached.
  • VIDEOS! FREE! (US$ 0,00)
  • i attached the details. Thank you.
  • >> forwarded message
  • ----- forwarded message -----
  • i just any one see my photos. It's Free :)

The worm may attach itself directly as an executable file. Windows treats a .pif file as executable, so these run on double-click. The attachment name is one of the following:

  • 007.pif
  • School.pif
  • 04.pif
  • photo.pif
  • DSC-00465.Pif
  • image04.pif
  • 677.pif
  • New_Document_file.pif
  • eBook.PIF
  • document.pif
  • DSC-00465.pIf

Sometimes the worm instead sends itself in an encoded container (Base64, UUencode, BinHex or a MIME message). In these cases the attachment name is one of the following:

  • Attachments[001].B64
  • 3.92315089702606E02.UUE
  • SeX.mim
  • Original Message.B64
  • WinZip.BHX
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu

The filename inside the encoded container is one of the following. '[spaces]' stands for a long run of spaces that pushes the real .sCR (screen saver, i.e. executable) extension out of view in a typical mail client, so the file appears to be a .zip, .B64 or .UUE:

  • Attachments[001].B64 [spaces] .sCR
  • 3.92315089702606E02.UUE [spaces] .sCR
  • SeX,zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • ATT01.zip [spaces] .sCR
  • WinZip.zip [spaces] .sCR
  • Word.zip [spaces] .sCR
  • Word XP.zip [spaces] .sCR
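As an added example (not F-Secure's code and not part of this write-up), the following Python shows how a mail filter can see through the two tricks described above: the outer attachment name that only looks like an encoded text file, and the inner name padded with spaces in front of the real .sCR extension. The message, the attachment bytes and the function names are constructed for illustration; the inner name is read from the uuencode "begin" line, which is where a .uu/.UUE container carries it.

```python
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

# File types Windows runs on double-click; this worm uses .pif and .scr.
EXECUTABLE_EXTS = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd"}
# Outer names the worm uses for its encoded attachments end in one of these.
CONTAINER_EXTS = {".b64", ".uue", ".uu", ".mim", ".bhx", ".hqx"}
# "<name>.zip          .sCR": two or more blanks between the visible name and the last dot.
PADDING = re.compile(r"\S\s{2,}\.")
# Inner filename for the constructed sample below (ten spaces stand in for the page's "[spaces]").
INNER_NAME = "Word.zip          .sCR"


def true_extension(name):
    # Extension Windows actually honours: after the last dot, trailing blanks removed, lower-cased.
    stripped = name.rstrip()
    dot = stripped.rfind(".")
    return stripped[dot:].lower() if dot != -1 else ""


def apparent_extension(name):
    # Extension a user sees in a narrow column: that of the first blank-delimited token.
    tokens = name.split()
    if not tokens:
        return ""
    dot = tokens[0].rfind(".")
    return tokens[0][dot:].lower() if dot != -1 else ""


def suspicious_name(name):
    # Reasons a filename looks like a disguised executable (empty list when it looks clean).
    reasons = []
    real, shown = true_extension(name), apparent_extension(name)
    if real in EXECUTABLE_EXTS:
        reasons.append("executable extension " + real)
    if PADDING.search(name):
        reasons.append("blank padding hides final extension")
    if real in EXECUTABLE_EXTS and shown != real:
        reasons.append("shown as %s but really %s" % (shown or "(none)", real))
    return reasons


def uuencoded_inner_name(data):
    # Filename from a uuencode "begin <mode> <name>" line; None if the data is not uuencoded.
    for line in data.splitlines():
        if line.startswith(b"begin "):
            parts = line.split(b" ", 2)
            if len(parts) == 3:
                return parts[2].decode("latin-1")
    return None


def scan_message(raw):
    # Return [(outer name, inner name or None, reasons)] for every attachment of a raw RFC 822 message.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        outer = part.get_filename() or ""
        inner = None
        if true_extension(outer) in CONTAINER_EXTS:
            inner = uuencoded_inner_name(part.get_payload(decode=True) or b"")
        reasons = suspicious_name(inner if inner is not None else outer)
        if inner is None and true_extension(outer) in CONTAINER_EXTS:
            reasons.append("encoded container not unpacked; inspect after decoding")
        findings.append((outer, inner, reasons))
    return findings


def build_sample():
    # Constructed message in the worm's style; the attachment bytes are placeholders, not the worm.
    msg = EmailMessage()
    msg["Subject"] = "Fwd: Photo"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Note: forwarded message attached.")
    uu = (b"begin 644 " + INNER_NAME.encode() + b"\n"
          + binascii.b2a_uu(b"MZ placeholder bytes")
          + b"`\nend\n")
    msg.add_attachment(uu, maintype="application", subtype="octet-stream",
                       filename="Word_Document.uu")
    msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="photo.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    for outer, inner, reasons in scan_message(build_sample()):
        print("%s -> %r: %s" % (outer, inner, ", ".join(reasons) or "clean"))
```

The point of the split between true_extension and apparent_extension is that a filter must judge by what Windows will do with the file, not by what the user will see; a .B64 or .mim container has no "begin" line, so for those the filter only reports that the container was not unpacked and a real gateway would decode it before applying the same name checks.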

Propagation (Shared Folders)

The worm enumerates remote shared folders and tries to copy itself to the following locations on each host (Admin$ maps to the remote Windows folder; the copy in the All Users Startup folder runs whenever any user logs on):

  • \Admin$\WINZIP_TMP.exe
  • \c$\WINZIP_TMP.exe
  • \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe