Installation
Worm:Win32/Visal.A uses the icon of a PDF file to try and trick you into opening it.
It also copies itself as the following files:
- C:\N95_Image13022010.scr
- C:\open.exe
- %windir%\svchost.exe
It also creates the following autorun files that enable the worm copy "open.exe" to run automatically when the folder is accessed and Autorun is enabled:
Worm:Win32/Visal.A modifies the system registry so that it runs when certain processes are debugged. Windows launches the executable named in an Image File Execution Options "Debugger" value whenever the listed process is started, so the worm is run in place of those programs:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process name>
Adds value: "Debugger"
Where <process name> is any of the following:
- 00hoeav.com
- 0w.com
- 360rpt.exe
- 360safe.exe
- 360safebox.exe
- 360tray.exe
- 6.bat
- 6fnlpetp.exe
- 6x8be16.cmd
- a2cmd.exe
- a2free.exe
- a2service.exe
- a2upd.exe
- abk.bat
- adobe gamma loader.exe
- algsrvs.exe
- algssl.exe
- angry.bat
- anti-trojan.exe
- antiarp.exe
- antihost.exe
- ants.exe
- apu-0607g.xml
- apu.stt
- apvxdwin.exe
- arswp.exe
- ashdisp.exe
- ashenhcd.exe
- ashlogv.exe
- ashmaisv.exe
- ashpopwz.exe
- ashquick.exe
- ashserv.exe
- ashskpcc.exe
- ashupd.exe
- ashwebsv.exe
- ast.exe
- aswboot.exe
- aswregsvr.exe
- aswupdsv.exe
- autorun.bin
- autorun.exe
- autorun.ini
- autorun.reg
- autorun.txt
- autorun.wsh
- autorunkiller.exe
- autoruns.exe
- autorunsc.exe
- avadmin.exe
- avastss.exe
- avcenter.exe
- avciman.exe
- avconfig.exe
- avconsol.exe
- avengine.exe
- avgamsvr.exe
- avgas.exe
- avgcc.exe
- avgcc32.exe
- avgemc.exe
- avginet.exe
- avgnt.exe
- avgrssvc.exe
- avgrsx.exe
- avgscan.exe
- avgserv.exe
- avguard.exe
- avgupsvc.exe
- avgw.exe
- avgwdsvc.exe
- avltd.exe
- avmailc.exe
- avmonitor.exe
- avnotify.exe
- avp.com
- avp.exe
- avp32.exe
- avpcc.exe
- avpm.exe
- avscan.exe
- avzkrnl.dll
- bad1.exe
- bad2.exe
- bad3.exe
- bdagent.exe
- bdsubwiz.exe
- bdsurvey.exe
- biosread.exe
- blackd.exe
- blackice.exe
- caiss.exe
- caissdt.exe
- catcache.dat
- cauninst.exe
- cavapp.exe
- cavasm.exe
- cavaud.exe
- cavcmd.exe
- cavctx.exe
Spreads via...
Network shares
Worm:Win32/Visal.A attempts to spread to other PCs in the network. If it finds an accessible PC in the network, it tries to copy the following files to drives C: to H:
- N73.Image12.03.2009.JPG.scr - copy of itself
- autorun.inf - autorun file that allows the worm copy to automatically run when the drive is accessed and Autorun is enabled
It also creates a copy of itself as "N73.Image12.03.2009.JPG.scr" in shared folders with the following names:
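The following read-only PowerShell audit is an added example and is not code from the Microsoft write-up or its author. It checks a host for the three artifacts described so far: the drop paths from the Installation section, the Image File Execution Options "Debugger" hijack, and the autorun.inf plus N73.Image12.03.2009.JPG.scr pair from the Network shares section. The function names and the subset of hijacked process names it watches are this example's own choices; every path and file name comes from the page.

```powershell
# Added example, not part of the original write-up: read-only audit for the
# on-disk and registry artifacts attributed to Worm:Win32/Visal.A above.
# Run from an elevated PowerShell session; nothing here modifies the system.

# Drop locations listed under "Installation". The legitimate svchost.exe lives
# in %windir%\System32, so a copy directly under %windir% is itself a red flag.
$KnownDrops = @(
    'C:\N95_Image13022010.scr',
    'C:\open.exe',
    (Join-Path $env:windir 'svchost.exe')
)

# Assumed subset of the IFEO target names from the list above; extend as needed.
$HijackTargets = @('360tray.exe', 'ashserv.exe', 'avguard.exe', 'avgnt.exe', 'avp.exe',
                   'bdagent.exe', 'blackice.exe', 'autoruns.exe', 'autorunsc.exe')

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-VisalDropFiles {
    # One object per known drop path that exists on this host.
    foreach ($p in $KnownDrops) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $item = Get-Item -LiteralPath $p
            [pscustomobject]@{ Path = $p; Size = $item.Length; Modified = $item.LastWriteTime }
        }
    }
}

function Get-IfeoDebuggerHijacks {
    # Every IFEO subkey carrying a "Debugger" value. Windows starts that
    # executable instead of the named process, which is how the worm
    # substitutes itself for security tools. Legitimate entries (for example a
    # developer's debugger) are listed too, so review the Debugger column.
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $exe = $dbg.Trim('"').Split(' ')[0]
            [pscustomobject]@{
                Process    = $_.PSChildName
                Debugger   = $dbg
                # Flag hijacks of watched security processes, or any debugger
                # that resolves to one of the worm's drop paths.
                Suspicious = ($HijackTargets -contains $_.PSChildName) -or
                             ($KnownDrops -contains $exe)
            }
        }
    }
}

function Get-VisalAutorunIndicators {
    # Drive roots C: through H:, as in the "Network shares" section.
    foreach ($letter in @('C', 'D', 'E', 'F', 'G', 'H')) {
        $root = "${letter}:\"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $inf = Join-Path $root 'autorun.inf'
        $scr = Join-Path $root 'N73.Image12.03.2009.JPG.scr'
        $infRefersToWorm = $false
        if (Test-Path -LiteralPath $inf -PathType Leaf) {
            $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
            $infRefersToWorm = $text -match 'N73\.Image12\.03\.2009\.JPG\.scr|open\.exe'
        }
        if ((Test-Path -LiteralPath $scr -PathType Leaf) -or $infRefersToWorm) {
            [pscustomobject]@{
                Drive                  = $root
                WormCopyPresent        = (Test-Path -LiteralPath $scr -PathType Leaf)
                AutorunInfRefersToWorm = $infRefersToWorm
            }
        }
    }
}

# Usage: run all three checks and print what was found.
Test-VisalDropFiles | Format-Table -AutoSize
Get-IfeoDebuggerHijacks | Where-Object Suspicious | Format-Table -AutoSize
Get-VisalAutorunIndicators | Format-Table -AutoSize
```

Because an IFEO "Debugger" value can be set legitimately, the hijack check reports every entry and only marks as suspicious those that match the page's process names or drop paths; the complete output of Get-IfeoDebuggerHijacks is worth keeping as an evidence record before any cleanup.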
Email
Worm:Win32/Visal.A also spreads via spammed email messages. The email may have the following details:
Body:
Hello:
This is The Document I told you about, you can find it Here.<link to worm copy>
Please check it and reply as soon as possible.
Cheers,
Payload
Deletes files
Worm:Win32/Visal.A can delete the following files:
Modifies system policies
Worm:Win32/Visal.A modifies the following registry values:
- Disables Least User Access (LUA):
  Adds value: "EnableLUA"
  With data: "0x00000000"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Disables secure desktop prompting:
  Adds value: "PromptOnSecureDesktop"
  With data: "0x00000000"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Disables data redirection for interactive processes:
  Adds value: "EnableVirtualization"
  With data: "0x00000000"
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
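The PowerShell check below is an added example, not code from the Microsoft write-up, for the three policy values just listed. It reports whether each has been explicitly set to 0 and, when run with -Repair semantics via Repair-UacPolicy, restores the value 1. The function names and the choice of 1 as the restored value are this example's assumptions; the key and value names are the ones on the page.

```powershell
# Added example, not part of the original write-up: detect and optionally undo
# the UAC policy tampering attributed to Worm:Win32/Visal.A above.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values the worm sets to 0, with the enabled state (1) each should carry:
#   EnableLUA             - User Account Control on/off
#   PromptOnSecureDesktop - elevation prompts shown on the secure desktop
#   EnableVirtualization  - file/registry write redirection for legacy apps
$Expected = @{
    EnableLUA             = 1
    PromptOnSecureDesktop = 1
    EnableVirtualization  = 1
}

function Get-UacPolicyState {
    # One object per policy value: actual data, expected data, and whether the
    # explicit 0 described on this page is present. A missing value is not
    # reported as tampering because the Windows default then applies.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        [pscustomobject]@{
            Name     = $name
            Actual   = $actual
            Expected = $Expected[$name]
            Tampered = ($null -ne $actual) -and ([int]$actual -eq 0)
        }
    }
}

function Repair-UacPolicy {
    # Restores each tampered value to 1. Supports -WhatIf / -Confirm so the
    # change can be previewed first. Requires an elevated session, and the
    # EnableLUA change only takes effect after a restart.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($entry in (Get-UacPolicyState | Where-Object Tampered)) {
        $target = "$PolicyKey\$($entry.Name)"
        if ($PSCmdlet.ShouldProcess($target, "set DWORD to $($entry.Expected)")) {
            Set-ItemProperty -Path $PolicyKey -Name $entry.Name -Value $entry.Expected -Type DWord
        }
    }
}

# Usage: report first, then preview the repair before applying it.
Get-UacPolicyState | Format-Table -AutoSize
Repair-UacPolicy -WhatIf
# Repair-UacPolicy   # apply the change (restart afterwards for EnableLUA)
```

On a managed machine these values may also be enforced by Group Policy; if Get-UacPolicyState keeps showing 0 after a repair, check the policy source before assuming the worm is still active.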
Downloads other malware
Worm:Win32/Visal.A tries to download files from the following URLs; these files might also be detected as malware:
- members.lycos.co.uk
- members.multimania.co.uk
- www.sharedocuments.com
Analysis by Daniel Radu