Win32/VB.NUU [Threat Name] go to Threat

Win32/VB.NUU [Threat Variant Name]

Category trojan,worm
Size 135168 B
Detection created Jan 13, 2009
Detection database version 3761
Aliases Backdoor.Win32.VB.lea (Kaspersky)
  Generic.BackDoor!bzm (McAfee)
Short description

Win32/VB.NUU is a worm that spreads via shared folders and removable media.


When executed the worm copies itself in the following locations:

  • %windir%\­winste.exe
  • %allusersprofile%\­winste.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Winlogon" = "%windir%\­winste.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Winlogon" = "%allusersprofile%\­winste.exe"
Spreading via P2P networks

Win32/VB.NUU is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:

  • Ares
  • Kazaa
  • LimeWire
  • WinMX
  • Morpheus
  • BearShare
  • Grokster

It tries to place a copy of itself into the folders.

The following filename is used:

  • %variable%

A string with variable content is used instead of %variable% .

Spreading on removable media

Win32/VB.NUU is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following name:

  • Setup.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • update itself to a newer version
  • remove itself from the infected computer
  • send files to a remote computer
  • delete cookies
  • move files
  • capture screenshots

Please enable Javascript to ensure correct displaying of this content and refresh this page.