
Win32.Worm.VB.NWW


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Win32.Worm.VB.NWW.

Explanation :

In order to trick the user, the infected files have the icon of a folder, but they are executables. When it is launched, the worm drops three files:
Windows\userinit.exe (hidden)
Windows\System32\system.exe (hidden)
Windows\kdcom.dll
The first two are copies of the launcher; the DLL is a plain text file that contains printable characters such as the current day or a message ("Don't kill me...please").
The Userinit value of the registry key [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] is modified from its value %Root_Drive%\Windows\System32\userinit.exe to %Root_Drive%\Windows\userinit.exe, so that the worm is active again after a system reboot.
Once the copies of the worm are running, the initial process exits and the following actions take place:
It attempts to log in to the scs.msg.yahoo.com server, Yahoo! Messenger (YM!) being one of its ways of spreading.
It tries to download a file, which is the same worm repacked, from URLs like:
http://www.freewebs.com/[removed]/rock.mid
http://user5.titanichost.com/[removed]/rock.mid
http://sonqh.110mb.com/[removed]/rock.mid
The file is saved as Windows\System32\Task.exe and launched; it replaces the two older copies and their processes with its own copies and then deletes itself.
The system.exe process opens a UDP listening port (106x).
The worm monitors removable storage devices and creates on each one a copy of itself named secret.exe together with an autorun.inf, in order to infect other machines on which AutoRun is not disabled.
It modifies System32\drivers\etc\hosts, redirecting URLs to 127.0.0.1, the loop-back address.
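As an added example (not part of the BitDefender report), the following Python triage logic checks a host against the four persistence and spreading indicators described above: the rewritten Winlogon Userinit value, the dropped files, hosts-file redirects to the loop-back address, and the secret.exe/autorun.inf pair on removable media. Inputs are passed in as strings and sets so it runs offline; the sample values at the bottom are constructed, and the expectation that a clean Userinit entry ends in System32\userinit.exe is an assumption.

```python
# Triage helpers for the indicators in the Win32.Worm.VB.NWW description.
# Added example; not code from the report. All inputs are plain data so the
# checks can run against a collected registry value, hosts file and listings.

def check_userinit(value: str) -> list[str]:
    """Winlogon\\Userinit normally lists only System32\\userinit.exe (assumed
    default); the worm rewrites it to %Root_Drive%\\Windows\\userinit.exe."""
    findings = []
    for entry in (e.strip().lower() for e in value.split(",") if e.strip()):
        if not entry.endswith("\\system32\\userinit.exe"):
            findings.append(f"Userinit points outside System32: {entry}")
    return findings

def check_hosts(hosts_text: str) -> list[str]:
    """Flag hosts lines that pin any name other than localhost to 127.0.0.1."""
    findings = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) >= 2 and fields[0] == "127.0.0.1":
            for name in fields[1:]:
                if name.lower() != "localhost":
                    findings.append(f"hosts redirects {name} to loop-back")
    return findings

# Drop locations from the report, relative to the Windows directory.
DROPPED = {"userinit.exe", "system32\\system.exe", "kdcom.dll", "system32\\task.exe"}

def check_dropped(windows_files: set[str]) -> list[str]:
    """windows_files: paths relative to the Windows directory (any case)."""
    present = DROPPED & {p.lower() for p in windows_files}
    return [f"dropped file present: Windows\\{p}" for p in sorted(present)]

def check_removable(root_files: set[str]) -> list[str]:
    """secret.exe plus autorun.inf in a drive root is the USB spreading pair."""
    names = {n.lower() for n in root_files}
    if {"autorun.inf", "secret.exe"} <= names:
        return ["autorun.inf + secret.exe pair in drive root"]
    return []

def triage(userinit: str, hosts: str, windows_files: set[str], root_files: set[str]) -> list[str]:
    return (check_userinit(userinit) + check_hosts(hosts)
            + check_dropped(windows_files) + check_removable(root_files))

# Constructed sample input that mirrors the behaviour described above.
SAMPLE_USERINIT = "C:\\Windows\\userinit.exe,"
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.example-av-vendor.test  # constructed\n"
SAMPLE_WINDOWS = {"explorer.exe", "userinit.exe", "System32\\system.exe", "kdcom.dll"}
SAMPLE_USB = {"autorun.inf", "secret.exe", "Photos"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_USERINIT, SAMPLE_HOSTS, SAMPLE_WINDOWS, SAMPLE_USB):
        print(finding)
```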

Last update 21 November 2011
