Worm:Win32/VB.FT is a worm, written and compiled using Visual Basic 6, that spreads by copying itself to logical and removable drives. This worm maximizes its chance of execution by copying itself using existing folder names; it then hides those folders by changing their attributes.
Installation
When executed, Worm:Win32/VB.FT drops a copy of itself into the current folder as 'fun.xls.exe'. The worm registers itself to run at each Windows start by adding the following registry value:
Adds value: FolderRaper
With data: C:\fun.xls.exe
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Spreads Via…
Logical and Removable Drives
Worm:Win32/VB.FT drops the following files to the root of all found logical and removable drives:
- fun.xls.exe - copy of the worm
- autorun.inf - script that launches 'fun.xls.exe' when the drive is connected to or mounted on a computer, via the Windows 'Autorun' feature
File Folder Manipulation
Worm:Win32/VB.FT drops copies of itself into the current folder, using the names of existing subfolders and the 'folder' file icon. The worm then alters the attributes of the original subfolders to 'hidden' and 'system', as in the illustration below.
Before infection: (illustration of the original folder listing; image not reproduced in this text)
After infection: (illustration of the worm copies carrying the folder names next to the now-hidden original folders; image not reproduced in this text)
The user may then execute the worm when opening these 'folders', which are actually copies of the worm. In order to maintain the illusion, the worm opens another instance of Windows Explorer with the folder selected by the user.
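The Autorun drop described under 'Spreads Via' and the folder-impersonation trick described above both leave a recognisable pattern in a directory listing: an autorun.inf whose open directive points at an executable beside it, an executable with a document-style double extension, and an .exe carrying the same name as a sibling folder that has been switched to hidden+system. The following added example (not code from the original write-up) flags those three patterns. It works on an in-memory listing so it runs anywhere; the Entry class, the DECOY_EXTENSIONS list and the SAMPLE_ROOT listing are constructed for the example, and collect_entries() is an assumed adapter showing how a Windows host would feed it real data through os.scandir().

```python
"""Heuristic triage for the two propagation tricks described above: the
autorun.inf + fun.xls.exe pair at a drive root and the executables that
impersonate folders which the worm has switched to hidden+system.

Added example for this write-up; it is not code from the original page.
"""
import os
import stat
from dataclasses import dataclass

# Windows attribute bits as reported in os.stat().st_file_attributes
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN  # 0x02
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM  # 0x04

# Document-like inner extensions a disguised executable tends to borrow (assumed list)
DECOY_EXTENSIONS = {"xls", "doc", "pdf", "jpg", "txt"}


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    attributes: int = 0
    content: str = ""  # text of autorun.inf; empty for everything else


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [autorun] section (keys lowercased)."""
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def find_indicators(entries: list[Entry]) -> list[str]:
    """Return one finding per suspicious entry in a single directory listing."""
    findings = []
    files = {e.name.lower(): e for e in entries if not e.is_dir}
    dirs = {e.name.lower(): e for e in entries if e.is_dir}

    for entry in entries:
        if entry.is_dir:
            continue
        lower = entry.name.lower()
        if lower.endswith(".exe"):
            base = lower[:-4]
            # 1. An .exe whose name equals a sibling folder that is now hidden+system:
            #    the pattern left behind when the worm stands in for a folder.
            twin = dirs.get(base)
            if twin and twin.attributes & HIDDEN and twin.attributes & SYSTEM:
                findings.append(
                    f"{entry.name}: executable shadows hidden+system folder '{twin.name}'")
            # 2. Double extension (fun.xls.exe) that reads as a document once
            #    Explorer hides known extensions.
            inner = base.rsplit(".", 1)
            if len(inner) == 2 and inner[1] in DECOY_EXTENSIONS:
                findings.append(f"{entry.name}: double extension disguises an executable")
        elif lower == "autorun.inf":
            # 3. autorun.inf pointing at an executable sitting next to it.
            keys = parse_autorun(entry.content)
            for directive in ("open", "shellexecute"):
                target = keys.get(directive, "")
                if target and target.split()[0].lower() in files:
                    findings.append(
                        f"autorun.inf: '{directive}={target}' launches a file in this directory")
    return findings


def collect_entries(path: str) -> list[Entry]:
    """Adapter for a live host (assumed helper): build Entry objects from os.scandir()."""
    out = []
    for d in os.scandir(path):
        st = d.stat(follow_symlinks=False)
        content = ""
        if d.is_file() and d.name.lower() == "autorun.inf":
            with open(d.path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
        # st_file_attributes only exists on Windows; elsewhere treat as no attributes
        out.append(Entry(d.name, d.is_dir(), getattr(st, "st_file_attributes", 0), content))
    return out


# Constructed listing of an infected removable drive root (not captured data).
SAMPLE_ROOT = [
    Entry("Photos", is_dir=True, attributes=HIDDEN | SYSTEM),  # original folder, now hidden
    Entry("Photos.exe", is_dir=False),                        # worm copy wearing the folder icon
    Entry("Work", is_dir=True),                               # untouched folder
    Entry("fun.xls.exe", is_dir=False),
    Entry("autorun.inf", is_dir=False, content="[autorun]\r\nopen=fun.xls.exe\r\n"),
    Entry("notes.txt", is_dir=False),
]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_ROOT):
        print(finding)
```

On the sample listing the three heuristics each fire once: Photos.exe shadows the hidden+system Photos folder, fun.xls.exe carries a decoy extension, and autorun.inf launches a file from the same root. The folder-shadow check is the one least likely to produce false positives, since a legitimately hidden system folder rarely has an executable twin beside it.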
Payload
Modifies System Settings
Worm:Win32/VB.FT drops a registry import file as 'Funny!.reg' in the current folder. The worm launches REGEDIT in order to import the registry changes by executing the following command:
regedit /s <path of worm>\Funny!.reg
The imported changes alter the registry in the following ways:
- To ensure hidden files remain hidden and to suppress the display of hidden files:
Adds value: "NeverShowExt"
With data: ""
To subkey: HKEY_CLASSES_ROOT\exefile
Adds value: "HideFileExt"
With data: dword:00000001
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "CheckedValue"
With data: dword:00000000
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- To disable Registry Editor and Task Manager:
Adds value: "DisableRegistryTools"
With data: dword:00000001
Adds value: "DisableTaskMgr"
With data: dword:00000001
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
If the user attempts to run REGEDIT or to start Task Manager, the following dialogs may be displayed (dialog screenshots not reproduced in this text):
Worm:Win32/VB.FT copies itself as 'C:\Program Files\EXPLORER.EXE', launches the new copy, and exits. The worm checks its own path and executable file name, and performs the additional actions described below only when they match.
Hinders Removal
This worm uses a timer to log its last execution time, monitor the registry, and restore any changes made to the following values:
Adds value: "ActivedEXE"
With data: "C:\Program Files\EXPLORER.EXE"
Adds value: "LastStartTime"
With data: "[last execution timestamp]"
To subkey: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ShitMaker\Info
Displays Annoying Messages
Periodically, Win32/VB.FT plays tricks by flashing the active window or popping up message windows with text such as “yourbossishere!” or “whoisyourmaster?”
Indirect Backdoor Functionality
The worm monitors the registry and checks the data of the following values in the subkey 'HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ShitMaker\Set' for commands that external applications could supply as 'String' values:
- Silence Password
- Naughty
- StopPassword
- SuperGlasses
- BrokeGlasses
- ChangeFolder
Each value is compared with a particular string and, if it matches, the worm executes the corresponding command. For example, if the StopPassword string value is set to the expected string, the worm terminates immediately.
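The registry footprint described on this page spans three sections: the settings imported from 'Funny!.reg' and the Run persistence value ('Modifies System Settings' and 'Installation'), the timer-restored values under ShitMaker\Info ('Hinders Removal'), and the command values under ShitMaker\Set (above). A responder who exports the affected keys with 'reg export' gets all of them in .reg syntax, so the following added example (not code from the original write-up) parses that syntax and flags the entries against the indicators listed on this page. SAMPLE_REG is a constructed dump carrying the values from this page (plus a harmless 'ConstructedExample' key to show a non-match); it is not a copy of the worm's actual file, and the restore advice in VALUE_INDICATORS is the author's own recommendation, not something stated on the page.

```python
"""Triage a Windows .reg file (as produced by 'reg export' or dropped by malware)
against the registry indicators described on this page: the 'Funny!.reg'
settings, the Run persistence value, and the worm's own 'ShitMaker' keys.

Added example for this write-up, not code from the original page.
"""
import re

# Constructed .reg dump of the values listed on this page (not the worm's real file).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"FolderRaper"="C:\\fun.xls.exe"

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\ShitMaker\Info]
"ActivedEXE"="C:\\Program Files\\EXPLORER.EXE"

[HKEY_CURRENT_USER\Software\ConstructedExample]
"Theme"="dark"
"""

# Exact (key, value name) -> (data the worm writes, restore advice, impact); advice is the author's
VALUE_INDICATORS = {
    (r"hkey_local_machine\software\microsoft\windows\currentversion\run", "folderraper"):
        (("str", r"C:\fun.xls.exe"), "delete the value", "runs the worm at every Windows start"),
    (r"hkey_classes_root\exefile", "nevershowext"):
        (("str", ""), "delete the value", "hides the .exe extension of every executable"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced", "hidefileext"):
        (("dword", 1), "set to dword:00000000", "Explorer shows fun.xls.exe as fun.xls"),
    (r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall", "checkedvalue"):
        (("dword", 0), "set to dword:00000001", "breaks the 'Show hidden files' option"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disableregistrytools"):
        (("dword", 1), "delete the value", "blocks REGEDIT, hindering manual cleanup"),
    (r"hkey_current_user\software\microsoft\windows\currentversion\policies\system", "disabletaskmgr"):
        (("dword", 1), "delete the value", "blocks Task Manager, hindering manual cleanup"),
}

# Any value under these key prefixes is the worm's own state; the data does not matter
KEY_PREFIX_INDICATORS = [
    (r"hkey_current_user\software\vb and vba program settings\shitmaker", "worm state/control key"),
]

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode(raw: str) -> tuple:
    """Decode the right-hand side of a .reg value line into a (type, data) pair."""
    if raw == "-":
        return ("delete", None)
    if raw.lower().startswith("dword:"):
        return ("dword", int(raw[6:], 16))
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return ("str", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"'))
    return ("raw", raw)  # hex(...) blobs and anything else are kept verbatim


def parse_reg(text: str) -> list:
    """Return (key, value name, (type, data)) triples from .reg text."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else ""  # "@" is the default value
            entries.append((key, name, _decode(m.group(3))))
    return entries


def triage(entries: list) -> list:
    """Return a finding dict for every entry matching a known indicator."""
    hits = []
    for key, name, value in entries:
        k = key.lower()
        ind = VALUE_INDICATORS.get((k, name.lower()))
        if ind and value == ind[0]:
            hits.append({"key": key, "name": name, "value": value, "restore": ind[1], "impact": ind[2]})
            continue
        for prefix, impact in KEY_PREFIX_INDICATORS:
            if k.startswith(prefix):
                hits.append({"key": key, "name": name, "value": value, "restore": "delete the key", "impact": impact})
    return hits


if __name__ == "__main__":
    for hit in triage(parse_reg(SAMPLE_REG)):
        print(f"{hit['key']}\\{hit['name']} = {hit['value']} -> {hit['impact']}; fix: {hit['restore']}")
```

Exact-value indicators only fire when the data matches what the worm writes, so a host where an administrator has legitimately set HideFileExt to 1 still shows up, which is the intended behaviour for triage (the setting undoes a protection regardless of who set it). The prefix rule for the ShitMaker keys fires on any value beneath them, because the page documents those keys as the worm's own state and command channel rather than as settings a user would create.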
The worm is designed to communicate with another program or entity. Win32/VB.FT contains code that monitors and intercepts clipboard data, and actions that are triggered on a specific date or by random inputs from the environment.
Additional Information
Win32/VB.FT has elements of a targeted attack, performing specific actions depending on the environment it runs in. For example, it displays message boxes when it detects a file named “RIMBL.txt” of a certain format.