WORM_VBINJECT
DelfInject, VBInject, Hamweq, Pilleuz, Usuge, Ircbrute, Rimecud, IRCbot, Mailbot, Delf, Slenfbot, Agent, Eggdrop, Downloader, Buzus, DelfInje, VBCheMan, DelpInj, Mailbt
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Propagates via removable drives
The VBINJECT malware family is written in Visual Basic. It was first spotted in 2009 and again in 2010. It consists of worms and Trojans that conceal other malware inside it. Since VBINJECT is a packed malware - malware that use compression and encryption software to shrink and obfuscate its contents - it is difficult to detect other malware it is hiding. VBINJECT variants are used by cybercriminals primarily to conceal other malware that they need to run on affected systems.
VBINJECT is also capable of injecting codes to processes as part of its memory residency routine.
TECHNICAL DETAILS
Yes
Installation
This worm drops the following files:
- %System Root%\{random folder name}\{random folder name}\Desktop.ini
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It drops the following copies of itself into the affected system:
- %System Root%\{random folder name}\{random folder name}\{random file name}.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\{random folder name}
- %System Root%\{random folder name}\{random folder name}
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
Autostart Technique
This worm creates the following registry entries to enable automatic execution of dropped component at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random CLSID}
StubPath = "%System Root%\{random folder name}\{random folder name}\{random file name}.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Active Setup\Installed Components\{random CLSID}
Other Details
This worm connects to the following possibly malicious URL:
- acc008.{BLOCKED}p.net
- accf0ur.{BLOCKED}ist.org
- april.{BLOCKED}d.info
- april.{BLOCKED}c.cz
- april.{BLOCKED}r.im
- feb4.{BLOCKED}d.info
- feb4.{BLOCKED}c.cz
- feb4.{BLOCKED}dic.net
- gazma.{BLOCKED}rk.biz
- gazma.{BLOCKED}ils.net
- lamer.{BLOCKED}s.com
- lol3.{BLOCKED}ils.net
- maqbol.{BLOCKED}ils.net
- march2.{BLOCKED}d.info
- march2.{BLOCKED}c.cz
- march2.{BLOCKED}r.im
- sik.{BLOCKED}nix.net
- teams.{BLOCKED}l.com