Threat behavior
Worm:Win32/VB.VV is a worm that attempts to spread via Yahoo! Messenger. It may also connect to a remote server to download arbitrary files.
Installation
Worm:Win32/VB.VV may drop itself in the system folder as any of the following files:
- %windir%\config\win.exe
- %windir%\dc.exe
- %windir%\help\other.exe
- %windir%\inf\other.exe
- %windir%\sviq.exe
- %windir%\system\fun.exe
- <system folder>\winsit.exe
It then modifies the system registry by adding the following registry entries so that it runs every time Windows starts:
Adds value: "dc"
With data: "%windir%\dc.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "dc2k5"
With data: "%windir%\sviq.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "fun"
With data: "%windir%\system\fun.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Modifies value: "shell"
From data: "explorer.exe"
To data: "explorer.exe <system folder>\winsit.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
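As an added defensive example (not part of this write-up), the following Python script parses a `.reg` export of the HKCU Run key and flags entries that match the value names, drop paths and the altered "shell" value listed above. The sample export, the default Windows directory paths and the benign "ctfmon" entry are constructed for illustration; pass the host's real paths when triaging an actual export.

```python
import re

# Indicators taken from the Worm:Win32/VB.VV description above.
RUN_VALUE_NAMES = {"dc", "dc2k5", "fun"}
DROP_PATHS = [r"%windir%\config\win.exe", r"%windir%\dc.exe", r"%windir%\help\other.exe",
              r"%windir%\inf\other.exe", r"%windir%\sviq.exe", r"%windir%\system\fun.exe",
              r"<system folder>\winsit.exe"]
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

def parse_reg_export(text):
    """Minimal .reg parser: {key: {value_name: data}} for REG_SZ lines of the form "name"="data"."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
        if val and current is not None:
            # .reg files escape backslashes and quotes; undo that before comparing paths
            unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
            keys[current][unescape(val.group(1))] = unescape(val.group(2))
    return keys

def find_vbvv_indicators(text, windir=r"C:\WINDOWS", sysdir=r"C:\WINDOWS\system32"):
    """Return (reason, value_name, data) for HKCU Run entries matching the write-up.
    windir/sysdir are assumed defaults, not values from the write-up."""
    drops = {p.replace("%windir%", windir).replace("<system folder>", sysdir).lower()
             for p in DROP_PATHS}
    hits = []
    for name, data in parse_reg_export(text).get(RUN_KEY, {}).items():
        lname, ldata = name.lower(), data.lower()
        # write-up: "explorer.exe" becomes "explorer.exe <system folder>\winsit.exe"
        if lname == "shell" and ldata != "explorer.exe":
            hits.append(("shell value altered", name, data))
        elif lname in RUN_VALUE_NAMES:
            hits.append(("known value name", name, data))
        elif any(d in ldata for d in drops):
            hits.append(("known drop path", name, data))
    return hits

# Constructed sample export (not a real capture); "ctfmon" stands in for a benign entry.
SAMPLE_REG = r'''[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"dc"="C:\\WINDOWS\\dc.exe"
"shell"="explorer.exe C:\\WINDOWS\\system32\\winsit.exe"
"Updater"="C:\\WINDOWS\\help\\other.exe"
'''
```

Running `find_vbvv_indicators(SAMPLE_REG)` on the constructed export flags the "dc", "shell" and "Updater" entries and leaves "ctfmon" alone.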
Spreads via...
Instant messenger programs
Worm:Win32/VB.VV may check whether Yahoo! Messenger is running on the system. If it is, Worm:Win32/VB.VV attempts to spread to other computers by sending a link to a copy of itself to all of the user's contacts.
Payload
Downloads arbitrary files
Worm:Win32/VB.VV attempts to connect to "dungcoivb.googlepages.com" to download other files. These files may be additional components of the worm.
Analysis by Andrei Florin Saygo
Prevention