Cart
Win32.Worm.VB.Ymeak.A
SYMPTOMS: Presence of the following files:
TECHNICAL DESCRIPTION: This is a worm that spreads itself via peer-to-peer file sharing networks, dropping a backdoor identified by BitDefender as Backdoor.RBot.CMQ. It has a file size of 236,136 bytes.The first time it is run, it displays the following message to make the user believe it is a setup file downloaded with errors:  After displaying the message, it copies itself to the All Users' startup folder (usually C:\Documents and Settings\All Users\Start Menu\Programs\Startup\) as svchost.exe, and launches itself from that new location. The original instance ends its execution at this point. When launched from the afore mentioned (Startup) folder, it checks if the %system% (usually C:\Windows\System32) folder contains any of the following files: winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe or p2pnetwork.exe. These are all file names used by the RBot trojan. If it can't find any of them, it assumes the RBot trojan is not present so it dropps it into the Windows folder as b.exe and runs it. To spread itself, it collects random application names from certain torrent and direct download sites. It then places itself in the shared folder of five common P2P file sharing software (listed below) using the previousely collected names, in a subfolder called "_" (underscore). At regular intervals it looks for the executable files of the file sharing programs Limewire, Shareaza, Bearshare, Morpheus and Morpheus Ultra and launches them. To protect itself from being discovered, it opens the following files (requesting exclusive access): cmd.exe, netstat.exe, tracert.exe, ping.exe, ipconfig.exe, taskkill.exe, regedt32.exe and taskmgr.exe from the %system% folder and regedit.exe from the %windir% folder. It keeps them open while it is active, so they can not be executed. Removal instructions: Please let BitDefender disinfect your files.ANALYZED BY: Vlad Ioan Topan, BitDefender Virus Researcher |