Win32/VB.NSP [Threat Name]

Win32/VB.NSP [Threat Variant Name]

Category trojan,worm
Size 107008 B
Detection created Nov 18, 2008
Detection database version 3622
Aliases
  • Worm.Win32.VB.aqj (Kaspersky)
  • W32/Autorun.worm!ew (McAfee)
  • Trojan.Horse (Symantec)

Short description

Win32/VB.NSP is a worm that spreads via removable media. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself to the following locations:

  • %windir%\userinit.exe
  • %windir%\scout.exe
  • %windir%\system\lsass.exe
  • %windir%\pikachu.exe

The names userinit.exe and lsass.exe imitate legitimate Windows binaries, which live in %system% (system32); copies with these names in %windir% or %windir%\system are not legitimate.

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "pikachu" = "%windir%\pikachu.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%windir%\userinit.exe"

The Userinit value normally points to %system%\userinit.exe. Replacing it with the worm's copy makes Winlogon run the worm at every interactive logon; deleting the copy without restoring the value leaves the system unable to complete a logon.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "UncheckedValue" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
    • "UncheckedValue" = 0

These values back the controls in the Explorer Folder Options dialog. With them altered, selecting "Show hidden files and folders", clearing "Hide extensions for known file types" or clearing "Hide protected operating system files" has no effect, so the worm's hidden copies and their ".exe" extension stay out of sight regardless of what the user selects.

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    • "NoFolderOptions" = 0
    • "NoRun" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]
    • "RestrictToPermittedSnapins" = 1
  • [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
    • "DisableCMD" = 1

The values set to 1 disable Task Manager, the Registry Editor, all MMC snap-ins that are not explicitly permitted, and the command prompt for the current user, hindering manual inspection and cleanup. NoFolderOptions and NoRun are written with the value 0, which imposes no restriction.

The following Registry entries are removed:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • "(Default)" = "DiskDrive"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • "(Default)" = "DiskDrive"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • "(Default)" = "DiskDrive"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    • "(Default)" = "DiskDrive"

The GUID {4D36E967-E325-11CE-BFC1-08002BE10318} is the DiskDrive device setup class. Removing it from the SafeBoot lists stops Windows from loading disk drives during a Safe Mode boot, so the machine can no longer be started in Safe Mode (with or without networking) to remove the worm; the entries must be recreated before Safe Mode works again.

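
The following PowerShell script is an added example, not part of the ESET description and not an ESET cleaning tool. It audits a machine for the dropped files and Registry changes listed in the Installation section and, when run with -Remediate from an elevated prompt, reverses them: it restores the Userinit value to the Windows default (%system%\userinit.exe with its trailing comma), resets the three Folder Options values to their defaults, deletes the policy values, recreates the SafeBoot DiskDrive entries, stops any process executing from a dropped path and deletes the files. The clean defaults it assumes (1, 0 and 1 for the Folder Options values, the Userinit string) are those of a stock Windows installation; the function names are mine.

```powershell
# Added example, not ESET's code: audit (and with -Remediate undo) the
# Win32/VB.NSP installation artefacts described on this page. Run elevated.
[CmdletBinding()]
param([switch]$Remediate)

$windir    = $env:windir
$diskClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'   # DiskDrive setup class

# Dropped copies. The names mimic Windows binaries that live in system32,
# not in %windir% or %windir%\system, so the location alone is suspicious.
$dropped = "$windir\userinit.exe", "$windir\scout.exe",
           "$windir\system\lsass.exe", "$windir\pikachu.exe"

# Registry values the worm writes, with the value a clean system carries.
# Good = $null means "delete the value". Defaults are assumed from a stock
# Windows install (Userinit keeps its trailing comma).
$values = @(
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='pikachu'; Good=$null }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Userinit'; Good="$windir\system32\userinit.exe," }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name='CheckedValue'; Good=1 }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'; Name='UncheckedValue'; Good=0 }
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name='UncheckedValue'; Good=1 }
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr'; Good=$null }
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools'; Good=$null }
  @{ Key='HKCU:\Software\Policies\Microsoft\MMC'; Name='RestrictToPermittedSnapins'; Good=$null }
  @{ Key='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Good=$null }
)

# SafeBoot entries the worm deletes; without them Safe Mode cannot start.
$safeBootKeys = foreach ($cs in 'CurrentControlSet', 'ControlSet001') {
  foreach ($mode in 'Minimal', 'Network') { "HKLM:\SYSTEM\$cs\Control\SafeBoot\$mode\$diskClass" }
}

function Test-VbNspHost {
  # Returns one string per finding; an empty result means nothing matched.
  $findings = @()
  foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings += "dropped file present: $f" }
  }
  foreach ($v in $values) {
    $cur = (Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
    if ($null -ne $cur -and "$cur" -ne "$($v.Good)") {
      $findings += "$($v.Key)\$($v.Name) = '$cur' (expected '$($v.Good)')"
    }
  }
  foreach ($k in $safeBootKeys) {
    if (-not (Test-Path -LiteralPath $k)) { $findings += "SafeBoot entry missing: $k" }
  }
  $findings
}

function Repair-VbNspHost {
  # Registry first: if the box reboots after %windir%\userinit.exe is deleted
  # but before the Userinit value is restored, nobody can log on.
  foreach ($v in $values) {
    if (-not (Test-Path -LiteralPath $v.Key)) { continue }
    if ($null -eq $v.Good) {
      Remove-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    } else {
      Set-ItemProperty -Path $v.Key -Name $v.Name -Value $v.Good
    }
  }
  foreach ($k in $safeBootKeys) {
    if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Value 'DiskDrive' -Force | Out-Null }
  }
  # Stop anything executing from a dropped path, then delete the copies.
  Get-Process | Where-Object { $_.Path -and ($dropped -contains $_.Path) } |
    Stop-Process -Force -ErrorAction SilentlyContinue
  foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
  }
}

$found = Test-VbNspHost
if (-not $found) { 'No Win32/VB.NSP artefacts found.'; return }
$found | ForEach-Object { "FOUND: $_" }
if ($Remediate) { Repair-VbNspHost; 'Remediation applied; rescan with an up-to-date AV engine and reboot.' }
```

The policy values under HKCU\...\Policies can also be set legitimately by Group Policy on managed machines, so read the audit output before running with -Remediate. The HKCU entries are only checked for the user running the script; infected machines with several profiles need the audit run in each.
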
Spreading on removable media

The worm copies itself to the root folder of removable drives using the following name:

  • hiv.exe

The worm may also create further copies of itself in the root folder of the drive:

  • %drive%:\

The name of such a copy is based on the name of an existing file or folder in that location, with an additional ".exe" extension appended, so a folder named "Photos" is accompanied by a file "Photos.exe"; with file extensions hidden by the Folder Options changes above, the copy is hard to tell apart from the original.

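The function below is an added example, not from the ESET page. It scans the root of each removable drive for the copies this section describes: the fixed name hiv.exe and any .exe whose name, minus the trailing ".exe", duplicates a sibling file or folder in the same root. The size column can be compared with the 107008 B sample size given at the top of the page; the function name and the choice to report a size match as a separate indicator are mine.

```powershell
# Added example, not ESET's code: find Win32/VB.NSP-style copies in the root
# folder of removable drives.
function Find-VbNspRemovableCopies {
  param(
    # Default: every drive Windows reports as removable (DriveType 2).
    [string[]]$Roots = (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' |
                        ForEach-Object { $_.DeviceID + '\' }),
    [long]$SampleSize = 107008      # size of the sample described on this page
  )
  foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden and system entries, which the Folder Options
    # tampering described earlier is meant to keep out of sight.
    $entries = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)
    $names   = @($entries | ForEach-Object { $_.Name })
    foreach ($e in $entries) {
      if ($e.PSIsContainer -or $e.Extension -ne '.exe') { continue }
      $stem   = $e.Name.Substring(0, $e.Name.Length - 4)   # name without the trailing .exe
      $reason = $null
      if ($e.Name -eq 'hiv.exe')      { $reason = 'fixed worm file name' }
      elseif ($names -contains $stem) { $reason = "mimics sibling '$stem'" }   # Photos.exe beside Photos
      if (-not $reason) { continue }
      [pscustomobject]@{
        Path      = $e.FullName
        Size      = $e.Length
        SizeMatch = ($e.Length -eq $SampleSize)
        Hidden    = [bool]($e.Attributes -band [IO.FileAttributes]::Hidden)
        Reason    = $reason
      }
    }
  }
}

# Usage:  Find-VbNspRemovableCopies | Format-Table -AutoSize
#         Find-VbNspRemovableCopies -Roots 'E:\'
```

A legitimate installer named after its own folder will also match the "mimics sibling" rule, so treat that rule as a lead to examine rather than a verdict; a hit that is hidden and exactly 107008 B is far stronger. Run it against a drive before opening anything on it, and remember that the decoy is the one with the ".exe" extension, not the folder or document it copies.
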
Other information

The worm modifies the following file:

  • %system%\drivers\etc\hosts

The worm writes the following entries to the file, redirecting the listed host names to the loopback address and thereby blocking access to those sites, most of which are antivirus vendor and software download servers:

  • 127.0.0.1 download.com.vn
  • 127.0.0.1 www.download.com.vn
  • 127.0.0.1 9down.com
  • 127.0.0.1 www.9down.com
  • 127.0.0.1 download.eset.com
  • 127.0.0.1 www.download.com
  • 127.0.0.1 download.f-secure.com
  • 127.0.0.1 mirror02.gdata.de
  • 127.0.0.1 download.avg.com
  • 127.0.0.1 spftrl.digitalriver.com
  • 127.0.0.1 www.grisoft.cz
  • 127.0.0.1 download1us.softpedia.com
  • 127.0.0.1 download.softpedia.com
  • 127.0.0.1 www.bitdefender.co.uk
  • 127.0.0.1 www.bitdefender.com
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 bkav.com.vn
  • 127.0.0.1 www.bkav.com.vn
  • 127.0.0.1 www.symantec.com
  • 127.0.0.1 free.avg.com
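
The script below is an added example, not part of the ESET description. It parses the hosts file, reports every 127.0.0.1 or ::1 line that maps a name other than localhost, and with Remove-HostsHijacks strips those lines after saving a backup. Treating any non-localhost loopback mapping as suspicious is my generalisation: it catches the list above without hard-coding it, but it also flags loopback entries an administrator added deliberately, so read the report before removing anything. The function names are mine.

```powershell
# Added example, not ESET's code: detect and remove loopback hijacks in the
# hosts file. Run elevated; the file is under %SystemRoot%\System32.
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

function Get-HostsHijacks {
  param([string]$Path = $HostsPath)
  $loopback = '127.0.0.1', '::1'
  $allowed  = 'localhost', 'localhost.localdomain', 'broadcasthost'
  $n = 0
  foreach ($line in @(Get-Content -LiteralPath $Path)) {
    $n++
    $body = ($line -split '#', 2)[0].Trim()      # strip trailing comments
    if (-not $body) { continue }                 # blank or comment-only line
    $fields = $body -split '\s+'                 # address followed by one or more names
    if ($fields.Count -lt 2 -or $fields[0] -notin $loopback) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
      if ($name -notin $allowed) {
        [pscustomobject]@{ Line = $n; Address = $fields[0]; Name = $name; Text = $line }
      }
    }
  }
}

function Remove-HostsHijacks {
  param([string]$Path = $HostsPath)
  $bad = @(Get-HostsHijacks -Path $Path | Select-Object -ExpandProperty Line -Unique)
  if ($bad.Count -eq 0) { return 'hosts file is clean' }
  Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the evidence
  $item = Get-Item -LiteralPath $Path -Force
  if ($item.IsReadOnly) { $item.IsReadOnly = $false }            # precaution against a locked-down file
  $n = 0
  $kept = foreach ($line in @(Get-Content -LiteralPath $Path)) {
    $n++
    if ($bad -notcontains $n) { $line }
  }
  Set-Content -LiteralPath $Path -Value $kept -Encoding ASCII
  ipconfig /flushdns | Out-Null                                  # drop cached loopback answers
  "$($bad.Count) hijack line(s) removed; backup at $Path.bak"
}

# Usage (elevated):  Get-HostsHijacks | Format-Table -AutoSize
#                    Remove-HostsHijacks
```

Clean the hosts file only after the worm's processes have been stopped and its autostart entries removed; otherwise the running copy simply rewrites the file. Until the entries are gone, downloads from the listed vendors have to be fetched on another machine.
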
