New mass mailing virus



F-secure has information on a fairly aggressive new email virus. Their name for it is VB.bi although it’s aliases are…. W32.Blackmal.E@mm, WORM_GREW.A, W32/Nyxem-D, Email-Worm.Win32.VB.bi depending on which AV vendor you check with. It’s a worm as well, in that it tries to spread through remote shares. It attempts to disable antivirus software as well. Here are some details from their writeup:


The e-mail subject is one the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny 🙂
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

The message body may be one of the following:

Note: forwarded message attached.
Hot XXX Yahoo Groups
Fuckin Kama Sutra pics
ready to be FUCKED 😉
Note: forwarded message attached.
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
i attached the details. Thank you.
>> forwarded message
—– forwarded message —–
i just any one see my photos. It’s Free 🙂

The worm can attach itself as executable file. It uses one the following names in attachment:

007.pif
School.pif
04.pif
photo.pif
DSC-00465.Pif
image04.pif
677.pif
New_Document_file.pif
eBook.PIF
document.pif
DSC-00465.pIf

Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be
one of the following:

Attachments[001].B64
3.92315089702606E02.UUE
SeX.mim
Original Message.B64
WinZip.BHX
eBook.Uu
Word_Document.hqx
Word_Document.uu

The filename inside MIME-encoding is one of the following:

Attachments[001].B64 [spaces] .sCR
3.92315089702606E02.UUE [spaces] .sCR
SeX,zip [spaces] .sCR
WinZip.zip [spaces] .sCR
ATT01.zip [spaces] .sCR
WinZip.zip [spaces] .sCR
Word.zip [spaces] .sCR
Word XP.zip [spaces] .sCR

Spreading in shared folders

The worm searches for remote shared folders and tries to copy itself using one of the following filenames:

\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

Symantec has a removal tool here

   Send article as PDF   

Similar Posts