Saturday, June 6, 2009
A few days ago I discovered a virus that spreads through a commonly used medium, the USB flash disk. This virus seems to be the same as other malware, and it was compressed with the PECompact utility. The worm itself was written in Microsoft Visual Basic 6.0. This worm is commonly known as W32/Autorun.worm!n (McAfee), TR/Crypt.PEPM.Gen (Avira), Win32.Worm.VB.NXY (BitDefender).
File Name: various
Size: 82,944 Bytes
Static File: Yes
MD5 Checksum: 22b52c23e6dd2809733e011a8eedab03
File Name / Process File Name
This virus commonly uses several file names to disguise itself as a folder. Here are some of the file names used by this malware:
3. System Volume Information.exe
There are 2 common process file names used by this worm:
Startup / Registry Alteration
The worm alters the Windows registry to set a startup point that runs every time Windows loads.
Another modified registry key is:
The worm seems to overwrite the %systemroot%\system32\drivers\etc\hosts file and points every unwanted domain name to the localhost IP (127.0.0.1). Most of the listed domains are computer security websites, including antivirus, firewall and download sites.
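A defender can audit a hosts file for the tampering described above. The following is an added example, not code from the original post or from the worm: it flags every hostname other than the usual localhost names that is mapped to a loopback address, and goes slightly beyond the post by also treating ::1 and 0.0.0.0 as redirect targets. The function name, the BENIGN_NAMES set and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Names that normally point at loopback in a default hosts file (assumed set).
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample; the .example domains are placeholders, not the worm's list.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example      # single redirected name
127.0.0.1 update.av-vendor.example download.firewall-vendor.example
192.0.2.10      intranet.example
::1             localhost
0.0.0.0         scanner.example
"""

def find_loopback_redirects(hosts_text):
    """Return (line_no, address, hostname) for each non-local name that is
    pinned to a loopback or unspecified address."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        fields = entry.split()
        if len(fields) < 2:
            continue                              # blank, comment-only or malformed
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an IP address
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in fields[1:]:
            name = name.rstrip(".").lower()
            if name not in BENIGN_NAMES:
                findings.append((line_no, str(addr), name))
    return findings

if __name__ == "__main__":
    # On a live system, read %systemroot%\system32\drivers\etc\hosts instead.
    for line_no, addr, name in find_loopback_redirects(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

Legitimate blocklists also pin names to loopback, so hits on antivirus, firewall or download domains are the ones that match the behaviour described in this post.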
The worm also contains some DDoS attack code which will send a random packet to the target.
This virus was created by people who were new to programming, especially Visual Basic 6. Looking at some of their code, it uses many timers to run its malicious functions, which makes the worm unstable and takes a lot of CPU.
Here are some strings extracted from the compiled executable file.
Analysis from Virus Total
VDEF updates for Portable Antivirus are available to download.