Backdoor:Win32/VB.CCB is a worm that spreads by copying itself to the root of local and mapped network drives. It also modifies various system settings, including the system boot menu.
Backdoor:Win32/VB.CCB spreads by copying itself to the root folder of drives A, and C through L (inclusive) on the infected machine. It attempts to imitate existing folders on the targeted drives by copying itself using the same name as an existing folder with the addition of an ".exe" extension. For example, if the targeted drive contains the folder "Foo", the worm will create a copy of itself in the same location as "Foo.exe".
It then sets the file attributes of the original folder to Archive, Read-Only, Hidden, and System. Combined with the Explorer settings the worm enforces (hidden files not shown, file extensions hidden), the user sees a single "Foo" entry, which is now the executable. When this "folder" is double-clicked, the worm is executed; it also opens and displays the contents of the original folder in order to continue the ruse.
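The folder-mimicking trick above leaves a simple, filesystem-level indicator: an executable named "<name>.exe" sitting beside a directory named "<name>". The following triage helper is an added example, not code from the original advisory or from Microsoft. It lists such pairs on a drive root and, on Windows, reports whether the matching directory carries the Hidden and System attributes the worm sets; the file and folder names in the demo are constructed test data, not indicators from the advisory.

```python
"""Find "<name>.exe" files that shadow a sibling directory "<name>"."""
import os
import tempfile
from pathlib import Path

# Attribute bits from the Win32 API; only readable on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def hidden_and_system(path: Path):
    """True/False on Windows; None elsewhere, where the attribute is absent."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    want = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    return attrs & want == want


def find_folder_mimics(root):
    """Return [(exe_path, folder_path, folder_is_hidden_system), ...].

    Matching is case-insensitive because Windows filesystem lookups are,
    so "docs.exe" next to "Docs" still counts as a mimic.
    """
    root = Path(root)
    dirs = {p.name.lower(): p for p in root.iterdir() if p.is_dir()}
    hits = []
    for p in root.iterdir():
        if p.is_file() and p.suffix.lower() == ".exe":
            folder = dirs.get(p.stem.lower())
            if folder is not None:
                hits.append((p, folder, hidden_and_system(folder)))
    return sorted(hits, key=lambda h: h[0].name.lower())


def scan_drive_roots(letters="ACDEFGHIJKL"):
    """Scan the drive roots the advisory names (A, C through L); absent drives are skipped."""
    results = {}
    for letter in letters:
        root = Path(f"{letter}:\\")
        if root.is_dir():
            results[letter] = find_folder_mimics(root)
    return results


def demo():
    """Constructed tree: two mimic pairs, one non-exe file, one exe with no folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("Foo", "Docs", "Bar"):
            (root / d).mkdir()
        for f in ("Foo.exe", "docs.exe", "Bar.txt", "readme.exe"):
            (root / f).write_bytes(b"MZ")  # content is irrelevant to the check
        return [(exe.name, folder.name) for exe, folder, _ in find_folder_mimics(root)]


if __name__ == "__main__":
    print(demo())
    if os.name == "nt":
        for letter, hits in scan_drive_roots().items():
            for exe, folder, hs in hits:
                print(f"{letter}: {exe.name} mimics {folder.name} (hidden+system={hs})")
```

The name collision alone is a strong signal on a drive root; the attribute check is the confirmation, since a legitimate installer would not normally mark a user folder Hidden and System. Run it from a clean system against the suspect drives rather than on the infected host, where Explorer and the command prompt may already be restricted.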
Backdoor:Win32/VB.CCB copies itself with the following file names to the <system folder>:
save.exe
Win2x.exe
Backdoor:Win32/VB.CCB also creates the following data files in the <system folder>:
Wink.dll
dll.sys
emm.sys
The worm modifies the registry in order to execute at each Windows start:
Adds value: Win2x
With data: <system folder>\win2x.exe
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The worm also installs itself as a service by modifying the registry:
Adds values with data:
ErrorControl = 01,00,00,00
ImagePath = <system folder>\save.exe
ObjectName = LocalSystem
Start = 02,00,00,00
Type = 10,01,00,00
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win2x
The binary values are little-endian DWORDs: Start = 2 is SERVICE_AUTO_START (started at boot by the Service Control Manager), ErrorControl = 1 is SERVICE_ERROR_NORMAL, and Type = 0x110 is SERVICE_WIN32_OWN_PROCESS combined with SERVICE_INTERACTIVE_PROCESS, so save.exe runs as LocalSystem with access to the interactive desktop. Note that the two persistence mechanisms use different copies: the Run value launches win2x.exe, while the service launches save.exe, so both must be removed.
Backdoor:Win32/VB.CCB may perform a number of different actions on an affected machine, including:
- Opening and closing the CD drive
- Rewriting the "C:\boot.ini" system file with the following message (that is displayed when the machine is started; the boot loader configuration must be restored before the system will boot normally):
"Su PC está reiniciando devido al Efecto Invernadero" ("Your PC is restarting due to the Greenhouse Effect")
- Renaming the group policy editor snap-in from "gpedit.msc" to "mst.dll"
- Restarting the infected computer
The worm may also make a number of changes to the affected system's settings, applied through the standard Explorer and System policy values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies (for example NoRun, DisableTaskMgr and DisableRegistryTools), including:
- Removing the System Tray clock
- Disabling the Search option in the Start menu
- Stopping users from running programs via the Start menu or Task Manager
- Disabling the Log Off and Shut Down options on the Start menu
- Restricting which programs can be run
- Restricting which control panel applets are available
- Hiding files and folders with the "hidden" attribute
- Hiding file extensions
- Stopping users from modifying Folder Options in Explorer
- Disabling Task Manager, System Restore, Registry Editor and access to the Command Prompt
Note: Backdoor:Win32/VB.CCB may also be detected as Worm:Win32/Moriogu.A.