
Win32.Worm.VB.DW


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.VB.DW is also known as P2P-Worm.VB.dw, Win32/Alcan.5tn!Worm.

Explanation :

This malware is a worm which spreads itself using peer-to-peer networks through the shares of the popular P2P sharing programs: Morpheus, Limewire, BearShare, Shareaza.

The first time it is run, the worm:
- copies itself to %ProgramFiles%\outlook\outlook.exe;
- creates a registry key to ensure that it will run after reboot: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\outlook = "%ProgramFiles%\outlook\outlook.exe /auto";
- displays a fake error message;
- executes its copy from %ProgramFiles%\outlook\outlook.exe.

This new instance of the worm will perform the following actions:
- drops a backdoor in c:\onoes.exe, size 175104 bytes, detected by BitDefender as Backdoor.Rbot.CMN;
- executes c:\onoes.exe;
- drops a DLL in %system32%\szip.dll, a library used in creating ZIP files;
- creates a copy of the worm in %ProgramFiles%\outlook\v.tmp, size 210432 bytes;
- creates a ZIP archive in %ProgramFiles%\outlook\p.zip, size 202477 bytes, containing the worm named Setup.exe;
- connects to websites such as www.mininova.org, www.torrentz.com to obtain names of applications and games;
- using these names, creates copies of the archive it created in the download folders of the P2P applications mentioned, e.g. c:\downloads\Heroes3.zip;
- starts the P2P applications by executing the files limewire.exe, morpheus.exe, bearshare.exe, shareaza.exe.

In order to hide its presence, the worm creates the following zero-size files in %system32%: cmd.com, netstat.com, ping.com, regedit.com, taskkill.com, tasklist.com, tracert.com. The effect is that the standard applications cmd.exe, netstat.exe, ping.exe, regedit.exe, taskkill.exe, tasklist.exe, tracert.exe will not be executed.
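A check for the zero-size .com files described above, as an added example that is not BitDefender's code: it scans a directory (a live %system32% or one from a mounted disk image) and goes beyond the seven listed names by flagging any zero-byte .com file that sits beside an .exe with the same base name. The function names and the sample directory contents are constructed for illustration.

```python
import os
import tempfile

# The seven names the page lists; the scan also reports other zero-byte shadows.
PAGE_LISTED = {"cmd", "netstat", "ping", "regedit", "taskkill", "tasklist", "tracert"}


def find_shadowing_com(system_dir):
    """Return (com_name, exe_name, listed_on_page) for every zero-byte .com
    file that sits beside an .exe with the same base name."""
    entries = {}
    for name in os.listdir(system_dir):
        path = os.path.join(system_dir, name)
        if os.path.isfile(path):
            # Windows names are case-insensitive, so index by lower case.
            entries[name.lower()] = (name, os.path.getsize(path))
    hits = []
    for lower in sorted(entries):
        name, size = entries[lower]
        stem, ext = os.path.splitext(lower)
        exe = entries.get(stem + ".exe")
        if ext == ".com" and size == 0 and exe is not None:
            hits.append((name, exe[0], stem in PAGE_LISTED))
    return hits


def build_sample_dir(root):
    """Constructed sample directory standing in for %system32%."""
    sample = {
        "cmd.exe": b"MZ", "cmd.com": b"",        # shadow named on the page
        "PING.EXE": b"MZ", "ping.COM": b"",      # same, mixed case
        "foo.exe": b"MZ", "foo.com": b"",        # same pattern, name not on the page
        "mode.com": b"MZ\x90",                   # non-empty .com: not flagged
        "orphan.com": b"",                       # empty, but no .exe to shadow
    }
    for name, data in sample.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        for com, exe, listed in find_shadowing_com(tmp):
            note = "listed on the page" if listed else "same pattern, other name"
            print(f"{com} shadows {exe} ({note})")
```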

Last update 21 November 2011

 
