Win32/VB.DG [Threat Name]

Win32/VB.DG [Threat Variant Name]

Category virus,worm
Size 131072 B
Detection created Feb 17, 2003
Detection database version 1191
Aliases AIM-Canbot.trojan (McAfee)
  Trojan:Win32/VB.DG (Microsoft)
  W32.Spybot.Worm (Symantec)
Short description

Win32/VB.DG is a worm that spreads via IM networks (AOL Instant Messenger). It also serves as a backdoor and can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\winupdat.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "winupdat" = "%windir%\winupdat.exe"

The following Registry entries are set. They point the AOL Instant Messenger client at a SOCKS5 proxy on the local machine (port 3337, one of the TCP ports the worm itself opens), so that the client's AIM traffic passes through the worm:

  • [HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy]
    • "Protocol" = "SOCKS5"
    • "host" = "localhost"
    • "port" = 3337
    • "Enabled" = 1
  • [HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Server]
    • "Port" = 5190
    • "Host" = "login.oscar.aol.com"

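
The following script is an added triage example, not ESET's code. It checks the installation and Registry indicators listed above offline, against a Windows `.reg` export (as produced by `reg export`) and a `netstat -ano` capture collected from the host. The key paths, value names and the ports 3337/3338 come from this page; the sample export and netstat lines are constructed test data (the path `C:\WINDOWS` stands in for %windir%, PID 1488 is invented).

```python
"""Offline triage for the Win32/VB.DG persistence, AIM proxy and port indicators."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AIM_PROXY_KEY = (r"HKEY_CURRENT_USER\Software\America Online"
                 r"\AOL Instant Messenger (TM)\CurrentVersion\Proxy")
WORM_PORTS = {3337, 3338}  # 3337: local SOCKS5 proxy for AIM, 3338: HTTP drop server

# Constructed sample of a .reg export from an infected host (not a real capture).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"winupdat"="C:\\WINDOWS\\winupdat.exe"

[HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Proxy]
"Protocol"="SOCKS5"
"host"="localhost"
"port"=dword:00000d09
"Enabled"=dword:00000001
"""

# Constructed sample of `netstat -ano` output (PID 1488 is invented).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3337           0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:3338           0.0.0.0:0              LISTENING       1488
  TCP    192.168.1.20:1043      205.188.8.27:5190      ESTABLISHED     1488
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the .reg subset needed here: [key] headers, "name"="string"
    (with \\ and \" escapes) and "name"=dword:hex values."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys


def parse_netstat(text: str) -> List[Tuple[int, str, int]]:
    """Return (local port, state, pid) for the TCP rows of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rows.append((int(parts[1].rsplit(":", 1)[1]), parts[3], int(parts[4])))
    return rows


def triage(reg_text: str, netstat_text: str) -> List[str]:
    """Return one line per indicator found, in the order the page lists them."""
    findings = []
    keys = parse_reg_export(reg_text)
    # 1. Persistence: a Run value whose data points at winupdat.exe.
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and data.lower().endswith("winupdat.exe"):
            findings.append(f"run-key persistence: {name} = {data}")
    # 2. AIM silently reconfigured to send its traffic through a local SOCKS5 proxy.
    proxy = keys.get(AIM_PROXY_KEY, {})
    if (proxy.get("Enabled") == 1
            and str(proxy.get("Protocol", "")).upper() == "SOCKS5"
            and str(proxy.get("host", "")).lower() in ("localhost", "127.0.0.1")):
        findings.append(f"AIM proxied through local SOCKS5 on port {proxy.get('port')}")
    # 3. The worm's own listeners.
    for port, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" and port in WORM_PORTS:
            findings.append(f"listener on TCP {port} (PID {pid})")
    return findings


if __name__ == "__main__":
    for finding in triage(REG_SAMPLE, NETSTAT_SAMPLE):
        print(finding)
```

The proxy check is deliberately written against the behaviour (AIM forced through a SOCKS5 proxy on the local host) rather than the literal port, so it still fires on a variant that picks a different port; the listener check is what ties the port back to a process ID for further inspection.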
Information stealing

The worm collects the following information:

  • user name

The worm is able to log keystrokes.

The worm can send the information to a remote machine.

Spreading via IM networks

Win32/VB.DG spreads through the AIM network by sending links to AOL Instant Messenger users.

The messages may contain any of the following texts (%localip% is the IP address of the infected machine):

  • Hey, this is a pic of the cam im getting! http://%localip%:3338/JVCGRDV800USMiniDVDigital.pif
  • Yo!! Im gettin this camara! http://%localip%:3338/JVCGRDV800USMiniDVDigital.pif
  • suP im geTten THis cAm from BestBuy http://%localip%:3338/JVCGRDV800USMiniDVDigital.pif
  • loL.. Check this cam im gettin from bestbuy http://%localip%:3338/JVCGRDV800USMiniDVDigital.pif

If the link is clicked, a copy of the worm is retrieved from the infected machine, which serves it over HTTP on TCP port 3338.
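
The following detection is an added example, not ESET's code. It generalises the four lure texts above to the underlying pattern: a link whose host is a bare IP address (the sender's own machine, %localip% in the templates) and whose path ends in a directly executable extension, with the exact Win32/VB.DG shape (port 3338, a .pif file) flagged separately. The messages and IP addresses are constructed test data; the list of executable extensions is an assumption, not something the page states.

```python
"""Flag IM messages carrying Win32/VB.DG-style lure links."""
import ipaddress
import os
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Assumed set of extensions Windows will run directly from a download.
EXECUTABLE_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
VB_DG_PORT = 3338  # the worm's built-in HTTP server, from the lure URLs above
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_MESSAGES = [
    "Hey, this is a pic of the cam im getting! http://192.0.2.17:3338/JVCGRDV800USMiniDVDigital.pif",
    "check this out https://example.com/photos/cam.jpg",
    "lol http://203.0.113.5/setup.scr",
    "see you at 5",
]


def classify_url(url: str) -> Dict[str, object]:
    """Describe one URL: bare-IP host?, executable target?, explicit port, VB.DG shape?"""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        bare_ip = True
    except ValueError:
        bare_ip = False
    ext = os.path.splitext(parts.path)[1].lower()
    return {
        "url": url,
        "host": host,
        "port": parts.port,  # None when the URL carries no explicit port
        "bare_ip": bare_ip,
        "executable": ext in EXECUTABLE_EXTS,
        "vb_dg_pattern": bare_ip and parts.port == VB_DG_PORT and ext == ".pif",
    }


def scan_messages(messages: List[str]) -> List[Dict[str, object]]:
    """Return one finding per link that is both hosted on a bare IP and executable."""
    findings = []
    for idx, text in enumerate(messages):
        for url in URL_RE.findall(text):
            info = classify_url(url)
            if info["bare_ip"] and info["executable"]:
                info["message_index"] = idx
                findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        tag = "VB.DG lure" if f["vb_dg_pattern"] else "suspicious executable link"
        print(f"message {f['message_index']}: {tag}: {f['url']} (host {f['host']})")
```

The bare-IP plus executable-extension rule catches the behaviour (a home machine handing out a program) rather than the wording, so it survives the lure text changing; the `vb_dg_pattern` flag is the high-confidence match for this specific worm.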

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a URL. It communicates over HTTP and TCP.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • send files to a remote computer
  • delete folders
  • delete files
  • send the list of disk devices and their type to a remote computer
  • send the list of running processes to a remote computer
  • terminate running processes
  • modify network traffic
  • open ports
  • set up a proxy server

The worm listens on the following TCP ports:

  • 3337 (the SOCKS5 proxy that the AOL Instant Messenger client is reconfigured to use)
  • 3338 (the HTTP server that serves the worm copy to recipients of the lure links)
