WORM_VBINJECT


 ALIASES:

DelfInject, VBInject, Hamweq, Pilleuz, Usuge, Ircbrute, Rimecud, IRCbot, Mailbot, Delf, Slenfbot, Agent, Eggdrop, Downloader, Buzus, DelfInje, VBCheMan, DelpInj, Mailbt

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Propagates via removable drives


The VBINJECT malware family is written in Visual Basic. It was first spotted in 2009, with further variants seen in 2010. It consists of worms and Trojans that carry other malware inside them. Because VBINJECT is packed malware - malware that uses compression and encryption routines to shrink and obfuscate its contents - the malware it conceals is difficult to detect until it is unpacked in memory. Cybercriminals use VBINJECT variants primarily as a wrapper for other malware they need to run on affected systems.

VBINJECT is also capable of injecting code into other processes as part of its memory-residency routine.

  TECHNICAL DETAILS

Memory Resident:

Yes

Installation

This worm drops the following files:

  • %System Root%\{random folder name}\{random folder name}\Desktop.ini

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

  • %System Root%\{random folder name}\{random folder name}\{random file name}.exe

It creates the following folders:

  • %System Root%\{random folder name}
  • %System Root%\{random folder name}\{random folder name}

Autostart Technique

This worm creates the following registry entry so that the dropped component is executed automatically. Active Setup runs a component's StubPath at user logon whenever the matching key is missing from that user's HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components (or carries a lower Version), so the copy is launched for every profile that has not yet recorded the CLSID:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random CLSID}
StubPath = "%System Root%\{random folder name}\{random folder name}\{random file name}.exe"
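As an added triage example (not Trend Micro's code and not part of the analysis above), the Python below ties the Installation and Autostart Technique sections together: it parses a `reg export` dump of the Active Setup Installed Components key, flags StubPath values that point outside the directories legitimate components use, tests whether the target follows the %System Root%\{folder}\{folder}\{name}.exe drop layout, checks for a Desktop.ini beside it, and notes whether the CLSID is absent from the user's HKCU copy of the key (meaning the stub will run again at the next logon). The registry text, CLSIDs, file names and directory listing are constructed for the example, and TRUSTED_PREFIXES is an assumption you would tune to the host.

```python
r"""Triage helper for VBINJECT-style Active Setup persistence.

Added example for this page; not Trend Micro's code and not part of the
malware. Parses a `reg export` dump of
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components and reports
StubPath entries worth a closer look. All sample data below is constructed.
"""
import re
from pathlib import PureWindowsPath

# Assumption: where legitimate Active Setup stubs live on this host (the trailing
# separator stops "c:\windows\system32evil\..." from passing as trusted).
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed stand-in for:
#   reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" out.reg
# (a real export is UTF-16; read it with open(path, encoding="utf-16")).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-2222-3333-4444-555555555555}]
"StubPath"="C:\\Windows\\System32\\setupstub.exe -UserConfig"
"Version"="9,0,0,0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-4E5F-8888-0123456789AB}]
"StubPath"="C:\\qkzf\\mwrt\\xkqwe.exe"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"\s*$')


def parse_reg(text):
    """Map each [key] in a .reg dump to its string values, .reg escapes removed."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY_RE.match(line):
            current = m.group("key")
            keys[current] = {}
        elif (m := VAL_RE.match(line)) and current is not None:
            keys[current][m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return keys


def stub_executable(stub_path):
    """Strip arguments from a StubPath command line, honouring a quoted image path."""
    stub_path = stub_path.strip()
    if stub_path.startswith('"'):
        return stub_path[1:].split('"', 1)[0]
    idx = stub_path.lower().find(".exe")
    return stub_path[: idx + 4] if idx != -1 else stub_path.split()[0]


def is_trusted(exe_path):
    return exe_path.lower().startswith(TRUSTED_PREFIXES)


def matches_drop_pattern(exe_path):
    r"""<drive>\<dir>\<dir>\<name>.exe: an .exe exactly two folders below the root."""
    p = PureWindowsPath(exe_path)
    return bool(p.drive) and len(p.parts) == 4 and p.suffix.lower() == ".exe"


def has_desktop_ini_sibling(exe_path, files_on_disk):
    """True when a Desktop.ini sits in the same folder (files_on_disk: paths from a listing)."""
    wanted = str(PureWindowsPath(exe_path).parent / "Desktop.ini").lower()
    return any(f.lower() == wanted for f in files_on_disk)


def find_suspicious(reg_text, hkcu_clsids=()):
    r"""Return [(clsid, exe, reasons)] for StubPath entries outside trusted directories.

    hkcu_clsids: CLSIDs already present under the user's
    HKCU\Software\Microsoft\Active Setup\Installed Components. Active Setup runs
    StubPath at logon when that per-user key is missing (or has a lower Version),
    so a CLSID absent there will fire again for that user.
    """
    seen = {c.lower() for c in hkcu_clsids}
    findings = []
    for key, values in parse_reg(reg_text).items():
        if "StubPath" not in values:
            continue
        exe = stub_executable(values["StubPath"])
        if is_trusted(exe):
            continue
        reasons = ["StubPath outside trusted program directories"]
        if matches_drop_pattern(exe):
            reasons.append("matches <root>\\<dir>\\<dir>\\<name>.exe drop layout")
        clsid = key.rsplit("\\", 1)[-1]
        if clsid.lower() not in seen:
            reasons.append("no HKCU counterpart: stub runs again at next logon")
        findings.append((clsid, exe, reasons))
    return findings


if __name__ == "__main__":
    listing = [r"C:\qkzf\mwrt\Desktop.ini", r"C:\qkzf\mwrt\xkqwe.exe"]  # constructed
    for clsid, exe, reasons in find_suspicious(SAMPLE_REG):
        ini = has_desktop_ini_sibling(exe, listing)
        print(f"{clsid} -> {exe}\n  " + "\n  ".join(reasons) + f"\n  Desktop.ini beside it: {ini}")
```

On a live host, export the key with `reg export` and pass the decoded text to `find_suspicious`, together with the CLSIDs read from the logged-on user's HKCU copy; a hit with all three reasons and a Desktop.ini next to the executable matches the layout this entry describes and is worth pulling for analysis before the next logon re-launches it.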

Other System Modifications

This worm adds the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random CLSID}

Other Details

This worm connects to the following possibly malicious URLs:

  • acc008.{BLOCKED}p.net
  • accf0ur.{BLOCKED}ist.org
  • april.{BLOCKED}d.info
  • april.{BLOCKED}c.cz
  • april.{BLOCKED}r.im
  • feb4.{BLOCKED}d.info
  • feb4.{BLOCKED}c.cz
  • feb4.{BLOCKED}dic.net
  • gazma.{BLOCKED}rk.biz
  • gazma.{BLOCKED}ils.net
  • lamer.{BLOCKED}s.com
  • lol3.{BLOCKED}ils.net
  • maqbol.{BLOCKED}ils.net
  • march2.{BLOCKED}d.info
  • march2.{BLOCKED}c.cz
  • march2.{BLOCKED}r.im
  • sik.{BLOCKED}nix.net
  • teams.{BLOCKED}l.com