Worm/VB.BV.4 - Worm
Virus: Worm/VB.BV.4
Date discovered: 12/03/2008
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 93.612 Bytes
MD5 checksum: 0Bdddbd11165827f0C0A86b578ce5bef
VDF version: 6.38.00.39
IVDF version: 6.38.00.40
General
Method of propagation:
• Mapped network drives
Aliases:
• Mcafee: W32/USBCasv
• Kaspersky: Worm.Win32.VB.fp
• F-Secure: Worm.Win32.VB.fp
• Eset: Win32/VB.FP
• Bitdefender: Worm.Win32.VB.BV
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Drops files
• Uses its own Email engine
• Registry modification
• Steals information
Files
It copies itself to the following locations:
• %TEMPDIR%\s.exe
• %SYSDIR%\odbcasvc.exe
• %SYSDIR%\Recycled\INFO.EXE
• %drive%:\Recycled\INFO.EXE
Archiving:
It creates archives and stores files in them.
The following directory is searched:
• %WINDIR%\Microsoft.NET\Debug\Temp\
The following file type is looked for:
• .log
The archive's filename is the following:
• %current date%_%current time%.uda
It copies the following files:
• %all directories%\*.doc into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
• %all directories%\*.xls into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
• %all directories%\*ppt into %WINDIR%\Microsoft.NET\Debug\Temp\%random character string%.log
The following files are created:
– Non-malicious files:
• %SYSDIR%\Recycled\desktop.ini
• %drive%:\Recycled\desktop.ini
– %SYSDIR%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
– %drive%:\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
– %WINDIR%\uda.exe
Registry
The following registry keys are added in order to load the service after reboot:
– [HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc]
• Type = 10
• Start = 2
• ErrorControl = 1
• ImagePath = %SYSDIR%\odbcasvc.EXE
• DisplayName = ODBC Administration Service
• ObjectName = LocalSystem
• Description = Microsoft Data Access - ODBC Administration Service
Email
It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:
Email design:
From: esmtp01@tom.com
To: esmtp01@tom.com
Subject: Spider %number% [%computer name%\%current username%]
Attachment:
• %current date%_%current time%.uda
The attachment is a copy of the created file: %WINDIR%\Microsoft.NET\Debug\Temp\%current date%_%current time%.uda
File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
Inserted by Irina Diaconescu on Wed, 30 Jul 2008 11:04 (GMT+1)
Updated by Andrei Gherman on Thu, 31 Jul 2008 11:41 (GMT+1)