WORM_VBNA.KM

This worm arrives by connecting affected removable drives to a system. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It drops copies of itself into all the removable drives connected to an affected system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system. It connects to a website to send and receive information. However, as of this writing, the said sites are inaccessible.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

• %User Profile%\Application Data\hidserv.exe

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update System = "%User Profile%\Application Data\hidserv.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update System = "%User Profile%\Application Data\hidserv.exe"

Other System Modifications

This worm creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Windows Update System = "%User Profile%\Application Data\hidserv.exe"

Propagation

This worm drops copies of itself into all the removable drives connected to an affected system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

[AutoRun]
open={random}\{random}.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command={random}\{random}.exe
shell\open\default=1

It sends the following messages via instant-messaging (IM) applications:

Have you seen this? lol! {URL}
olhar para esta lol! {URL}
spojrzec na lol! {URL}
vejte se na mou lol! {URL}
guardare quest lol! {URL}
You know someone tried to kill obama today!? {URL}
bekijk deze lol! {URL}
mira esta lol! {URL}
schau mal das lol! {URL}
regardez cette lol! {URL}

It sends messages that contain links to sites hosting remote copies of itself using the following instant-messaging (IM) applications:

• Windows Live Messenger

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Download files
• Perform speed tests by accessing http://speedtestfile.com/10mb.bin
• Perform UDP flooding using specified ports
• Remove itself from the affected system
• Terminate processes
• Update itself

It connects to the following websites to send and receive information:

• breakerowns.{BLOCKED}o.org

However, as of this writing, the said sites are inaccessible.

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

• aawservice.exe
• AckWin32.exe
• ADVXDWIN.exe
• AGENTSVR.exe
• agentw.exe
• ALERTSVC.exe
• aluschedulersvc.exe
• ANTIVIRUS.exe
• ANTS.exe
• appsvc32.exe
• ashwebsv.exe
• aswupdsv.exe
• ATCON.exe
• ATGUARD.exe
• ATRO55EN.exe
• AvastSvc.exe
• AvastUI.exe
• avgcc.exe
• avgfree.exe
• AVGIDSMonitor.exe
• avgnt.exe
• avgtray.exe
• avgupsvc.exe
• avp.exe
• ccApp.exe
• ccsvchst.exe
• egui.exe
• ekrn.exe
• kaspersky.exe
• kavsvc.exe
• mcafee.exe
• mctskshd.exe
• MSASCui.exe
• nod32.exe
• norton.exe
• PSANHost.exe
• PSUNMain.exe
• rundl32.exe
• symantecOD.exe

HOSTS File Modification

This worm adds the following strings to the Windows HOSTS file:

• 127.0.0.1 avp.com
• 127.0.0.1 ca.com
• 127.0.0.1 customer.symantec.com
• 127.0.0.1 dispatch.mcafee.com
• 127.0.0.1 download.mcafee.com
• 127.0.0.1 f-secure.com
• 127.0.0.1 kaspersky-labs.com
• 127.0.0.1 kaspersky.com
• 127.0.0.1 liveupdate.symantec.com
• 127.0.0.1 liveupdate.symantecliveupdate.com
• 127.0.0.1 mast.mcafee.com
• 127.0.0.1 mcafee.com
• 127.0.0.1 my-etrust.com
• 127.0.0.1 nai.com
• 127.0.0.1 networkassociates.com
• 127.0.0.1 rads.mcafee.com
• 127.0.0.1 scanner.novirusthanks.org
• 127.0.0.1 secure.nai.com
• 127.0.0.1 securityresponse.symantec.com
• 127.0.0.1 sophos.com
• 127.0.0.1 symantec.com
• 127.0.0.1 threatexpert.com
• 127.0.0.1 trendmicro.com
• 127.0.0.1 update.symantec.com
• 127.0.0.1 updates.symantec.com
• 127.0.0.1 us.mcafee.com
• 127.0.0.1 virscan.org
• 127.0.0.1 viruslist.com
• 127.0.0.1 virusscan.jotti.org
• 127.0.0.1 virustotal.com
• 127.0.0.1 www.avp.com
• 127.0.0.1 www.ca.com
• 127.0.0.1 www.f-secure.com
• 127.0.0.1 www.grisoft.com
• 127.0.0.1 www.kaspersky.com
• 127.0.0.1 www.mcafee.com
• 127.0.0.1 www.my-etrust.com
• 127.0.0.1 www.nai.com
• 127.0.0.1 www.networkassociates.com
• 127.0.0.1 www.sophos.com
• 127.0.0.1 www.symantec.com
• 127.0.0.1 www.trendmicro.com
• 127.0.0.1 www.virscan.org
• 127.0.0.1 www.viruslist.com
• 127.0.0.1 www.virusscan.jotti.org
• 127.0.0.1 bitdefender.com
• 127.0.0.1 macafee.com
• 127.0.0.1 microsoft.com
• 127.0.0.1 nod32.com
• 127.0.0.1 norton.com
• 127.0.0.1 pandasoftware.com
• 127.0.0.1 www.download.mcafee.com
• 127.0.0.1 www.hotmail.com
• 127.0.0.1 www.kaspersky-labs.com
• 127.0.0.1 www.macafee.com
• 127.0.0.1 www.microsoft.com
• 127.0.0.1 www.nod32.com
• 127.0.0.1 www.norton.com
• 127.0.0.1 www.pandasoftware.com
• 127.0.0.1 www.virustotal.com

NOTES:

Note that the processes this worm terminates depends on the command it receives via its backdoor routine.