Home / malwarePDF  

Email-Worm:W32/VB.FW


First posted on 25 June 2008.
Source: SecurityHome

Aliases :

There are no other names known for Email-Worm:W32/VB.FW.

Explanation :

Email-Worm:W32/VB.FW is a type of worm that uses e-mail as its spreading vector.

right]This mass mailing worm attempts to send copies of itself to e-mail addresses harvested from the infected system.

Upon execution it creates copies of itself to the following locations:

  • %startup%adodb.cmd
  • %system%\%number%.exe
  • %system%\%number%\%number%.cmd
  • %system%moonlight.scr
  • %userprofile%Templates\%number%\%number%.exe
  • %userprofile%Templates\%number%service.exe
  • %userprofile%Templates\%number%winlogon.exe
  • %windows%\%number%.exe
  • %windows%\%number%.exe
  • %windows%\%number%\%number%.com
  • %windows%\%number%smss.exe
  • %windows%\%number%system.exe
  • %windows%lsass.exe

The following clean files are also dropped on the system:

  • %system%crtsys.dll
  • %windows%MoonLight.tx
  • %windows%systemmsvbvm60.dll

To ensure its automatic execution on system startup, and to hinder removal attempts, the malware adds and modifies the following registry entries:

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
    DisableRegistryTools=dword:00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
    %number%="%system%\%number%.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
    %number%="%WINDOWS%\%number%.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    Image File Execution Optionsmsconfig.exe
    debugger="%windows%
    otepad.exe"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    Image File Execution Options
    egedit.exe
    debugger="%windows%
    otepad.exe"
  • HKEY_CLASSES_ROOTexefile
    default="File Folder"
  • HKEY_CLASSES_ROOTscrfile
    default="File Folder"
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
    Hidden=dword:00000000
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerAdvanced
    HideFileExt=dword:00000001
  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerCabinetState
    FullPath=dword:00000001
  • HKEY_LOCAL_MACHINESOFTWAREClassesexefile
    default="File Folder"
  • HKEY_LOCAL_MACHINESOFTWAREClassesscrfile
    default="File Folder"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedFolderSuperHidden
    UncheckedValue=dword:00000000
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerUser Shell Folders
    Common Startup = "%system%\%number%"
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon
    Shell="explorer.exe, "%userprofile%Templates\%number%\%number%.exe""
  • HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBoot
    AlternateShell="%number%.exe"

The worm then deletes registry keys with following strings:

  • ADie suka kamu
  • AllMyBallance
  • Alumni Smansa
  • AutoSupervisor
  • BabelPath
  • Bron-Spizaetus
  • Bron-Spizaetus-cfirltrx
  • Bron-Spizaetus-cgglmmrv
  • CueX44_stil_here
  • dago
  • dkernel
  • DllHost
  • Driver
  • drv_st_key
  • lexplorer
  • MomentEverComes
  • MSMSG
  • norman zanda
  • norman_zanda
  • Pluto
  • Putri_Bangka
  • Putri_Indonesia
  • SaTRio ADie X
  • service
  • SMA_nya_Artika
  • SMAN1_Pangkalpinang
  • SysDiaz
  • SysRia
  • SysYuni
  • Task
  • templog
  • Tok-Cirrhatus
  • Tok-Cirrhatus-1101
  • TryingToSpeak
  • ViriSetup
  • Winamp
  • winfix
  • WinUpdateSupervisor
  • Word
  • YourUnintended
  • YourUnintendes

It deletes the files matching the following:

  • ShellNew*.exe
  • CintaButa*
  • eksplorasi*
  • FirstLove.exe*
  • KesenjanganSosial.exe
  • MyHeart.exe
  • Romantic*

P2P Propagation

While Traversing directories, the malware monitors if the folder contains any of the following strings:

  • download
  • upload
  • share

It then copies itself to these directories using the following file names:

  • BlueFilm.exe
  • Data %username%.exe
  • Foto %username%.exe
  • Gudang Lagu.exe
  • JanganDibuka.exe
  • New Folder(2).exe
  • New Folder.exe
  • Porn %username%.exe
  • Program TA.scr
  • Wallpeper.scr

It copies itself to all folders as:

  • \%foldername%\%foldername%.exe

E-mail Propagation

The malware arrives as an attachment to e-mail message.

The subject line uses one of the following strings:

  • Agnes Monica pic's
  • Cek This
  • Fucking With Me :D
  • hello
  • hey Indonesian porn
  • Hot ...
  • Japannes Porn
  • miss Indonesian
  • Tolong
  • Tolong Aku..

The from field uses one of the following:

  • admin
  • Agnes
  • Ami
  • Anata
  • astaga
  • boleh
  • Cicilia
  • Claudia
  • CoolMan
  • Davis
  • Emily
  • Fransisca
  • Fransiska
  • Fria
  • gaul
  • HellSpawn
  • Hilda
  • Ida
  • indo
  • Joe
  • Julia
  • JuwitaNingrum
  • Lanelitta
  • Lia
  • Linda
  • Nadine
  • Nana
  • Natalia
  • PLASA
  • Riri
  • Rita
  • sasuke
  • SaZZA
  • sisilia
  • Susi
  • telkom
  • Titta
  • untukmu2
  • Valentina
  • Vivi
  • warung

The body of the message contains one of the following strings:

  • aku mahasiswa BSI Margonda smt 4
  • Aku Mencari Wanita yang aku Cintai
  • dan cara menggunakan email mass
  • di lampiran ini terdapat curriculum vittae dan foto saya
  • foto dan data Wanita tsb Thank's
  • ini adalah cara terakhirku ,di lampiran ini terdapat
  • NB:Mohon di teruskan kesahabat anda
  • oh ya aku tahu anda dr milis ilmu komputer
  • please read again what i have written to you
  • yah aku sedang membutuhkan pekerjaan

The attachment is named one of the following:

  • Doc.gz
  • file.bz2
  • hell.zip
  • Miyabi.zip
  • nadine.ace
  • need you.jar
  • thisfile.gz
  • video.bz2

The mailing component harvests addresses from the local system by enumerating files from drives C to Z with the following file extensions:

  • ASP
  • EML
  • HTML
  • JS
  • PHP
  • PL
  • RTF
  • SPX
  • TML
  • TXT

The malware avoids certain addresses; those using the any of the following strings:

  • avira
  • mcafee
  • microsoft
  • MoonMail
  • nipsvc
  • norman
  • Norman NJeeves
  • Norman Zanda
  • norton
  • novell
  • nvcoas
  • panda
  • security
  • sophos
  • suport
  • Syman
  • Trend
  • vaksin
  • virus
  • virus
  • www.
  • yourdomain
  • yoursite

The malware then sends itself via SMTP. Using its own SMTP engine, the worm guesses the recipient e-mail server, prepending the target domain name with the following strings:

  • gate.
  • mail.
  • mail1.
  • mx.
  • mx1.
  • mxs.
  • ns1.
  • relay.
  • smtp.

Payload

The malware drops a payload file that contains the following text:

  • :: I-Worm.MoonLight.J ::
    Indonesian VM Society
    Created By HellsPawn a.K.a B4bb1Cool
    Can't You Handle It
    Don't Panic , all of data are safe

Denial of Service

It attempts to perform a Denial of Service attack on the following sites by sending requests every 200ms:

  • www.bp.com
  • www.bsi.ac.id
  • www.vaksin.com

Keylogger

The malware has a built-in keylogging feature that uploads logged keystrokes to a remote site.

Backdoor

With a simple backdoor function, the malware enables remote attackers to list files and directories, and to create and execute files in the compromised system.


Process Termination

In an attempt to prevent removal, the malware terminates process with application windows with the following in the title:

  • bront
  • cmd
  • command
  • currprocess
  • dengines
  • filewalker
  • OfficeSystem
  • Process Explorer
  • Process mon
  • regedit
  • Restore
  • Romantic
  • security task manager
  • sensasi

Last update 25 June 2008

 

TOP

Malware :

Family: