Home / malware Win32.Vb.AN@mm
First posted on 21 November 2011.
Source: BitDefenderAliases :
Win32.Vb.AN@mm is also known as Worm/Alcra.B,Worm:Win32/Alcan.B,Win32/Alcan.C!Worm,W32.Alcra.
Explanation :
This worm usually arrives as a zip file containing inside it a file named setup.exe. When setup.exe is executed for the first time, it will display a dialog looking like a standard Setup Dialog with the following text :
"Welcome to the Setup Wizard
It is recommended that you close all other applications before continuing.
Click Next to continue, or Cancel to exit Setup".
When the user clicks on the Next button, an error MessageBox is displayed with the following text :
"Version has expired please download software update"
and the setup dialog is closed.
In the background, setup.exe will create the folder
%ProgramFiles%winupdates
with attributes set to hidden and drop two files in that folder, a.tmp and winupdates.exe wich are copies of the worm. Next, setup.exe will create the following registry key :
HKLMSoftwareMicrosoftWindowsCurrentVersionRunwinupdates
with the value" %ProgamFiles%winupdateswinupdates.exe /auto", enabling itself to survive reboot.
It will launch next winupdates.exe and close.
When winupdates.exe starts, it will :
drop the files netstat.com, ping.com, cmd.com, regedit.com, taskkill.com, tasklist.com, tracert.com all with size of 2 bytes in the %SystemRoot%SYSTEM32 folder. By doing this, the worm disables execution of the real applications (netstat.exe,ping.exe,cmd.exe,regedit.exe,taskkill.exe, tasklist.exe and tracert.exe), because the .com extension has priority over the .exe, and when the user will launch an application with only the name and not the extension (such as netstat instead of netstat.exe), the .com file will get executed.
replace the file taskmgr.exe with a trojanized version of 87,824 bytes in size.
drop the legitimate file bszip.dll in the %SystemRoot%SYSTEM32 folder, wich it will use later to create archived copies of itself.
attempt to connect to the following pages : http://qualityddl.com[...removed...]
http://justddl.com[...removed...] http://satanwarez.com[...removed...] http://warezbox.com[...removed...] http://powerddl.com[...removed...] http://fullddl.net[...removed..] http://www.ddlspot.com/ddl.php[..removed...] http://gotddl.com[..removed...] http://ddldirect.com/ddl.php[...removed...] http://phazeddl.com[..removed...] http://katz.ws[..removed..] http://x-ddl.com[...removed..] will scan all the pages above for strings and use those strings to generate filenames. The worm will copy itself, in an archived form using the library bzip, with the filenames generated above to the folders of various sharing file applications, including Ares, eMule, Kazaa, Limewire.
will try to download and execute a file from the following locations :
http://members.chello.nl/[...removed...] http://members.chello.be/[..removed...]Last update 21 November 2011
