Worm.VB.AN (Email-Worm.Win32.VB.an, W32.Alcra.B, W32/Alcan.worm!p2p, WORM_VB.AS)
SYMPTOMS:
These programs don't work: netstat, ping, tracert, tasklist, taskkill, regedit, cmd

TECHNICAL DESCRIPTION:
* spreads via file sharing on P2P networks
* includes functionality to download, install and execute new malware executables
* when the worm is executed, it performs the following operations:
  * creates the %ProgramFiles%\winupdates directory with the hidden and system attributes set
  * copies itself as:
    * %ProgramFiles%\winupdates\winupdates.exe - this file has the hidden and system attributes set
    * %ProgramFiles%\winupdates\a.tmp
    * %ProgramFiles%\winupdates\a.zip - an archive that contains one file, Setup.exe, which is a copy of the worm
  * drops bszip.dll to the %Sys32% directory - the file is clean
  * may attempt to overwrite %Sys32%\taskmgr.exe
  * in order to run at startup, adds the following key to the system registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winupdates "%ProgramFiles%\winupdates\winupdates.exe /auto"
  * attempts to connect to http://windowsupdate.microsoft.com in order to verify that an internet connection is available
  * disables some utility programs by creating the following files in the %sysdir% directory: netstat, ping, tracert, tasklist, taskkill, regedit, cmd (.com files take execution priority over .exe files, so when the user tries to run regedit, the system actually runs regedit.com, not regedit.exe as expected)
  * tries to copy a.zip to shared P2P folders

Removal instructions:
Please let BitDefender disinfect your files.

ANALYZED BY: Alexandru Maximciuc, virus researcher
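An added example, not part of the original description or of BitDefender's tooling: a Python check for the file and registry indicators listed above. The function names and the directory arguments are assumptions of this example; pass the host's real system and Program Files directories, and the Run value as a string read from the registry.

```python
import os

# Names taken from the description above.
SHADOWED = ("netstat", "ping", "tracert", "tasklist", "taskkill", "regedit", "cmd")
DROPPED = ("winupdates.exe", "a.tmp", "a.zip")
RUN_SUFFIX = r"\winupdates\winupdates.exe /auto"

def _listing(path):
    """Map lower-cased file names to their on-disk spelling (empty if no such dir)."""
    if not os.path.isdir(path):
        return {}
    return {name.lower(): name for name in os.listdir(path)}

def find_shadowing_com(system_dir):
    """Return .com files in system_dir named after one of the listed utilities.

    A .com file is resolved before the .exe of the same name, so each hit
    is a file that would run in place of the real tool.
    """
    present = _listing(system_dir)
    return [os.path.join(system_dir, present[n + ".com"])
            for n in SHADOWED if n + ".com" in present]

def find_dropped_files(program_files):
    """Return the worm's listed copies found under the winupdates directory."""
    base = os.path.join(program_files, "winupdates")
    present = _listing(base)
    return [os.path.join(base, present[n]) for n in DROPPED if n in present]

def run_value_matches(value):
    """True if a Run-key value string points at winupdates.exe with /auto."""
    return value.strip().strip('"').lower().endswith(RUN_SUFFIX)

if __name__ == "__main__":
    # Defaults for a Windows host; assumed paths, adjust if the install differs.
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    pf = os.environ.get("ProgramFiles", r"C:\Program Files")
    for path in find_shadowing_com(sysdir) + find_dropped_files(pf):
        print("indicator:", path)
```

Because the hidden and system attributes are set on the winupdates directory, it will not appear in a default Explorer view; the check above lists it regardless of attributes.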