Worm:Win32/VB.CB

Encyclopedia entry
Updated: Jul 27, 2012  |  Published: Apr 19, 2010

Aliases
  • Win32/Olala.worm.57344 (AhnLab)
  • W32/Sillyworm.WH (Command)
  • IM-Worm.Win32.VB.ln (Kaspersky)
  • W32/VBWorm.MVK (Norman)
  • Worm.VB.DWCR (VirusBuster)
  • Worm/VB.APS (AVG)
  • Worm/VB.EV.6 (Avira)
  • Worm.Generic.24677 (BitDefender)
  • Win32/Dolagun.I (CA)
  • Win32.HLLW.Siggen.241 (Dr.Web)
  • Win32/VB.NJO (ESET)
  • IM-Worm.Win32.VB (Ikarus)
  • W32/Autorun.worm.h (McAfee)
  • W32/CogDuni.C.worm (Panda)
  • Worm.VB.aew (Rising AV)
  • W32/VB-DGA (Sophos)
  • IM-Worm.Win32.VB.ev (Sunbelt Software)
  • W32.Imaut.AS (Symantec)
  • WORM_VB.GMM (Trend Micro)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.151.33.0
Released: May 15, 2013
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


Summary

Worm:Win32/VB.CB is a worm that attempts to spread via Yahoo! Messenger. It may also connect to a remote server to download arbitrary files.


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    • %windir%\dc.exe
    • %windir%\sviq.exe
    • %windir%\help\other.exe
    • %windir%\inf\other.exe
    • %windir%\system\fun.exe
    • <system folder>\winsit.exe
    • <system folder>\config\win.exe
  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "dc"
    With data: "%windir%\dc.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "dc2k5"
    With data: "%windir%\sviq.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "fun"
    With data: "%windir%\system\fun.exe"

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Modifies value: "shell"
    From data: "explorer.exe"
    To data: "explorer.exe <system folder>\winsit.exe"

    In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Sets value: "load"
    With data: "%windir%\inf\other.exe"


Technical Information (Analysis)

Worm:Win32/VB.CB is a worm that attempts to spread via Yahoo! Messenger. It may also connect to a remote server to download arbitrary files.

Installation

When executed, Worm:Win32/VB.CB may drop itself to the following locations:

  • %windir%\dc.exe
  • %windir%\sviq.exe
  • %windir%\help\other.exe
  • %windir%\inf\other.exe
  • %windir%\system\fun.exe
  • <system folder>\winsit.exe
  • <system folder>\config\win.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

The malware then adds registry entries so that it runs on every Windows start, for example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "dc"
With data: "%windir%\dc.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "dc2k5"
With data: "%windir%\sviq.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "fun"
With data: "%windir%\system\fun.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "shell"
From data: "explorer.exe"
To data: "explorer.exe <system folder>\winsit.exe"

It also creates the following registry entry as part of its installation process:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Sets value: "load"
With data: "%windir%\inf\other.exe"

Spreads via...

Instant messenger programs

Worm:Win32/VB.CB may check if Yahoo! Messenger is running on the computer. If Yahoo! Messenger is running, Worm:Win32/VB.CB attempts to spread to other computers by sending a link containing a copy of itself to all of the user's contacts.

It may use the following text in the instant message:

Chuc mung, ban da tam thoi thoat khoi Worm DungCoi
Olalala, may tinh cua ban da dinh Worm DungCoi...........

Payload

Downloads arbitrary files

Worm:Win32/VB.CB attempts to connect to "dungcoivb.googlepages.com" to download other files. At the time of this writing, the requested file was unavailable for analysis.

Additional information

The worm adds the following string to the file "%Windir%\wininit.ini":

NUL=C:\WINDOWS\Help\Other.exe
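The following PowerShell script is an added defender-side check, not part of the encyclopedia entry: it looks for the dropped files, the Run, Winlogon Shell and "load" registry values, and the wininit.ini directive listed under Installation and Additional information above. It assumes <system folder> resolves to the host's System32 directory and should be run elevated on the machine under investigation.

```powershell
# Added example: reports persistence artifacts attributed to Worm:Win32/VB.CB.
# Assumption: <system folder> is the System32 directory returned by .NET.
$windir = $env:windir
$sysdir = [Environment]::GetFolderPath('System')

# Dropped file locations from the Installation section
$files = @(
    "$windir\dc.exe",
    "$windir\sviq.exe",
    "$windir\help\other.exe",
    "$windir\inf\other.exe",
    "$windir\system\fun.exe",
    "$sysdir\winsit.exe",
    "$sysdir\config\win.exe"
)

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# HKCU Run values the worm sets ("dc", "dc2k5", "fun")
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'dc', 'dc2k5', 'fun') {
    $v = (Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "Run value '$name' = $v" }
}

# Winlogon Shell is expected to be exactly "explorer.exe"; the worm appends winsit.exe
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings += "Winlogon Shell = $shell" }

# "load" under Windows NT\CurrentVersion\Windows runs at user logon; normally empty
$wn = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$load = (Get-ItemProperty -Path $wn -Name load -ErrorAction SilentlyContinue).load
if ($load) { $findings += "load value = $load" }

# Legacy wininit.ini: the worm adds a NUL= line pointing at Help\Other.exe
$ini = "$windir\wininit.ini"
if (Test-Path -LiteralPath $ini) {
    Select-String -LiteralPath $ini -Pattern 'other\.exe' | ForEach-Object {
        $findings += "wininit.ini: $($_.Line)"
    }
}

if ($findings) { $findings } else { 'No Worm:Win32/VB.CB indicators found' }
```

A non-empty "load" value or a Winlogon Shell other than "explorer.exe" is worth investigating even if the file names differ, since later variants may use other paths.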

External references

On July 24, 2012, Computerworld reported that Worm:Win32/VB.CB was found in the Apple App store. The app has since been removed.

Analysis by Wei Li

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat: