Saturday, February 25, 2012

Worm:Win32/VB.HA


Encyclopedia entry
Updated: Apr 17, 2011  |  Published: Jul 27, 2009

Aliases
  • Win32/Xema.worm.82944.U (AhnLab)
  • Worm.Win32.VB.aom (Kaspersky)
  • W32/Autorun-AIV (Sophos)
  • Win32/AutoRun.VB.CN (ESET)
  • W32/Autorun.worm!n (McAfee)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.121.398.0
Released: Feb 25, 2012
Detection initially created:
Definition: 1.45.335.0
Released: Oct 08, 2008


 

Summary

Worm:Win32/VB.HA is a worm that spreads by copying itself to removable drives. It also modifies the affected computer's hosts file and may download and execute arbitrary files.


 

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    %windir%\userinit.exe
    <system folder>\system.exe
    %windir%\kdcom.dll
  • The presence of the following registry modifications:
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Adds value: "Userinit"
    With data: "%windir%\userinit.exe"
  • The display of the following message (or similar):
    "Don't worry! I will protect your computer."


 

Technical Information (Analysis)

Worm:Win32/VB.HA is a worm that spreads by copying itself to removable drives. It also modifies the affected computer's hosts file and may download and execute arbitrary files.
Installation
When executed, Worm:Win32/VB.HA copies itself to %windir%\userinit.exe and <system folder>\system.exe. These files have the hidden attribute set and use the folder icon.
The worm then modifies the following registry entry in order to ensure that one of these copies is executed at each Windows start:
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Userinit"
With data: "%windir%\userinit.exe"
 
Worm:Win32/VB.HA also drops the file %windir%\kdcom.dll. This is a text file that may contain various messages, for example:
"Don't worry! I will protect your computer."
Spreads via…
Removable drives
Worm:Win32/VB.HA copies itself as forever.exe to the root of all accessible drives. Worm:Win32/VB.HA then writes an autorun configuration file named 'autorun.inf' pointing to forever.exe. When the removable or networked drive is accessed from another machine supporting the Autorun feature, the malware is launched automatically.
 
Yahoo Messenger
Worm:Win32/VB.HA may try to contact 'login.yahoo.com' in order to use Yahoo Messenger to spread itself. 
Payload
Modifies hosts file
Worm:Win32/VB.HA modifies the Windows Hosts file. The local Hosts file overrides DNS resolution by mapping a host name to a particular IP address. Malicious software may modify the Hosts file in order to redirect specified host names to different IP addresses; malware often does this on an affected machine to stop users from reaching websites associated with security-related applications, such as antivirus vendors.
 
Worm:Win32/VB.HA redirects the following hosts to localhost (127.0.0.1):
 
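As an added triage example (not part of the original encyclopedia entry), the following Python checks cover the two traces described above: a Winlogon "Userinit" value pointing at %windir%\userinit.exe rather than the genuine copy under the system folder, and hosts-file lines that pin non-local names to the loopback address. The hosts sample is constructed, and C:\Windows is an assumed Windows directory.

```python
import re
from typing import List, Tuple

# Loopback addresses and the names that legitimately map to them.
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: a default hosts file plus two of the redirects listed above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.kaspersky.com      # added by the worm
127.0.0.1 download.eset.com
"""


def suspicious_hosts_entries(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, name) pairs that pin a non-local name to loopback,
    which is how this worm blocks access to security vendor sites."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        address, *names = line.split()
        if address not in LOOPBACK_ADDRS:
            continue
        findings.extend(
            (address, name.lower()) for name in names
            if name.lower() not in LOOPBACK_OK
        )
    return findings


def userinit_is_tampered(value: str, windir: str = r"C:\Windows") -> bool:
    """True unless every comma-separated entry of the Winlogon 'Userinit' value
    is the genuine userinit.exe under <windir>\\system32. The worm points the
    value at %windir%\\userinit.exe, one directory above the real binary.
    The windir default is an assumption; read it from the environment in use."""
    genuine = (windir + r"\system32\userinit.exe").lower()
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # a trailing comma is normal for this value
        entry = re.sub(r"%windir%", lambda _: windir, entry, flags=re.IGNORECASE)
        if entry.lower() != genuine:
            return True
    return False


if __name__ == "__main__":
    print(suspicious_hosts_entries(SAMPLE_HOSTS))
    print(userinit_is_tampered(r"%windir%\userinit.exe"))
```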
Downloads and executes arbitrary files
Worm:Win32/VB.HA may attempt to contact particular websites in order to download additional components or updates. In the wild, Worm:Win32/VB.HA has been observed contacting the following hosts for this purpose:
  • sonqh.110mb.com
  • hiepdam.t35.com
 
Analysis by Andrei Florin Saygo
