
Win32.Worm.VB.NXY


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.VB.NXY is also known as Worm:Win32/VB.HA (OneCare).

Explanation:

Upon execution the worm copies itself to %windir%\userinit.exe. To be active at system startup it modifies the following registry value so that it points to that copy:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
A second copy is created as %windir%\System32\system.exe. While running, the two processes protect each other from being terminated.

An updated version is downloaded from the following domains:
t35.com, titanichost.com, 110mb.com

The file is saved as %windir%\system32\task.exe. When executed, it replaces the copies described above with the update. This file is also detected as Win32.Worm.VB.NXY.

To block access to certain security tools, the worm modifies C:\Windows\System32\drivers\etc\hosts so that the following websites can no longer be reached:
download.f-secure.com
mirror02.gdata.de
download.avg.com
spftrl.digitalriver.com
www.grisoft.cz
download1us.softpedia.com
download.softpedia.com
www.bitdefender.co.uk
www.bitdefender.com
virusscan.jotti.org
bkav.com.vn
www.bkav.com.vn
download.com.vn
www.download.com.vn
9down.com
www.9down.com
download.eset.com
www.download.com

Another file is dropped as %windir%\kdcoms.dll. It is actually a text file containing the message "Don't worry! I will protect your computer". After the update is downloaded, the content of the file is replaced with the current date.

The worm spreads through removable USB storage devices by copying itself to the root folder of the drive as forever.exe and creating an autorun.inf file that points to that copy.
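The three host-based indicators above (the hijacked Userinit value, the hosts-file entries for security vendors, and the autorun.inf launcher on removable media) can be checked offline against artifacts collected from a machine. The script below is an added example written for this page, not BitDefender's code or part of the original write-up. It assumes the standard default Userinit value (the legitimate userinit.exe lives in %windir%\System32, so any entry outside that directory is flagged), treats any hosts entry for one of the listed vendor names as a finding regardless of the address, and recognises autorun launchers via the open, shellexecute and shell\...\command directives. The sample registry value, hosts file and autorun.inf at the bottom are constructed to resemble an infected host; they are not real captures.

```python
"""Offline triage checks for the Win32.Worm.VB.NXY indicators described above.

Added example, not BitDefender's code. Works on strings you have already
collected (a registry value, a hosts file, an autorun.inf), so it runs on
any platform. The sample inputs at the bottom are constructed.
"""
import re
from typing import Dict, List

# Default Userinit value on a clean Windows install (note the trailing comma).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"

# Security-vendor hosts the write-up lists as blocked through the hosts file.
BLOCKED_HOSTS = {
    "download.f-secure.com", "mirror02.gdata.de", "download.avg.com",
    "spftrl.digitalriver.com", "www.grisoft.cz", "download1us.softpedia.com",
    "download.softpedia.com", "www.bitdefender.co.uk", "www.bitdefender.com",
    "virusscan.jotti.org", "bkav.com.vn", "www.bkav.com.vn", "download.com.vn",
    "www.download.com.vn", "9down.com", "www.9down.com", "download.eset.com",
    "www.download.com",
}


def check_userinit(value: str) -> List[str]:
    """Return findings for the Winlogon\\Userinit value.

    The worm points Userinit at %windir%\\userinit.exe, one directory above
    the legitimate System32\\userinit.exe, so every comma-separated entry
    that does not end in \\system32\\userinit.exe is reported.
    """
    findings = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        if not entry.lower().endswith(r"\system32\userinit.exe"):
            findings.append(f"Userinit entry outside system32: {entry}")
    return findings


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname in a hosts file to the address it is pinned to."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def check_hosts(text: str) -> List[str]:
    """Report vendor hosts that appear in the hosts file at all.

    A clean hosts file has no reason to carry these names, so presence is
    the finding; the address (127.0.0.1 or anything else) is just reported.
    """
    mapping = parse_hosts(text)
    return [f"hosts entry hijacks {name} -> {addr}"
            for name, addr in sorted(mapping.items()) if name in BLOCKED_HOSTS]


def check_autorun(text: str) -> List[str]:
    """Report autorun.inf directives that launch a program from the drive.

    The worm drops forever.exe in the drive root and an autorun.inf pointing
    at it. Any open/shellexecute/shell\\...\\command launcher is flagged, and
    the worm's file name is called out when it is the target.
    """
    launcher = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)
    findings = []
    for line in text.splitlines():
        m = launcher.match(line)
        if m:
            target = m.group(2).strip()
            tag = " (matches the worm's forever.exe)" if "forever.exe" in target.lower() else ""
            findings.append(f"autorun launcher {m.group(1)}={target}{tag}")
    return findings


def triage(userinit: str, hosts: str, autorun: str) -> List[str]:
    """Run all three checks and return the combined list of findings."""
    return check_userinit(userinit) + check_hosts(hosts) + check_autorun(autorun)


# Constructed sample artifacts resembling an infected host (not real captures).
SAMPLE_USERINIT = r"C:\Windows\userinit.exe,"
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.bitdefender.com download.eset.com
127.0.0.1 virusscan.jotti.org   # added by malware
"""
SAMPLE_AUTORUN = """[autorun]
open=forever.exe
shell\\open\\command=forever.exe
icon=forever.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_USERINIT, SAMPLE_HOSTS, SAMPLE_AUTORUN):
        print(finding)
```

On a live Windows system the inputs would come from `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit`, the hosts file under %SystemRoot%\System32\drivers\etc, and the root of each removable drive; the checks themselves are deliberately kept free of Windows-only calls so they can also be run against artifacts exported from an image.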

Last update 21 November 2011