Win32/VB.NSM [Threat Name] go to Threat

Win32/VB.NSM [Threat Variant Name]

Category trojan,worm
Size 20480 B
Detection created Nov 17, 2008
Detection database version 3617
Aliases Virus.Win32.VB.hh (Kaspersky)
  W32.SillyFDC (Symantec)
  Trojan:Win32/Vorus.FP (Microsoft)
Short description

Win32/VB.NSM is a worm that spreads by copying itself into certain folders.

Installation

When executed the worm copies itself in the following locations:

  • C:\­WINDOWS\­system32\­Dragon Son.exe
  • C:\­WINDOWS\­system32\­Play Boys.exe
  • C:\­WINDOWS\­system32\­PDA.exe
  • C:\­WINDOWS\­system32\­Shai Ling.exe
  • C:\­WINDOWS\­system32\­Internet V9.exe
  • C:\­WINDOWS\­system32\­MP3.exe
  • C:\­Documents and Settings\­All Users\­Start Menu\­Play Boys.exe
  • C:\­Documents and Settings\­All Users\­Desktop\­PDA.exe
  • C:\­Documents and Settings\­All Users\­Documents\­Shai Ling.exe
  • C:\­Documents and Settings\­All Users\­Desktop\­Dragon Son.exe
  • C:\­Documents and Settings\­All Users\­Desktop\­Internet V9.exe
  • C:\­Documents and Settings\­All Users\­Start Menu\­Programs\­Accessories\­MP3.exe
  • C:\­PDA.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Play Boys.exe" = "C:\­WINDOWS\­system32\­Play Boys.exe"
Other information

The worm may create the following folders:

  • %drive%\­Khmer MP3
  • %drive%\­Kong Fu Story
  • %drive%\­Phone Soft
  • %drive%\­Play Boy Sex
  • %drive%\­The Internet Last Version

The worm terminates any program that creates a window containing any of the following strings in its name:

  • Windows Task Manager
  • Run
  • Windows
  • Command Prompt

Please enable Javascript to ensure correct displaying of this content and refresh this page.