Threat Encyclopedia


Installation

When executed, the worm copies itself to some of the following locations:

%system%\cmd.exe
%system%\regedit.exe
%system%\restore\rstrui.exe
%system%\restore\srdiag.exe
%system%\systeminit.exe
%system%\taskmgr.exe
%system%\wininit.exe
%system%\winsystem.exe
%windir%\csrss.exe
%windir%\inf\lsass.exe
%windir%\pchealth\helpctr\binaries\msconfig.exe
%windir%\regedit.exe
%windir%\smss.exe

In order to be executed on every system start, the worm modifies the following Registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


The following Registry entries are set:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 1
"HideFileExt" = 1
"SuperHidden" = 1
"ShowSuperHidden" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchHidden" = 0
"SearchSystemDirs" = 0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = 0
"NoFolderOptions" = 1

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions" = 1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit" = 1
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = 1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title" = "Hacked by 1BYTE"

HKEY_CURRENT_USER\Software\Microsoft\ServicePack

HKEY_CURRENT_USER\Software\Microsoft\nFlag
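The registry values listed above are mostly user-interface and policy settings that hide files, disable Task Manager and Registry Editor, and re-enable AutoRun on every drive type. A responder triaging a suspected infection will usually have a `.reg` export of the affected hives (for example from `reg export`) rather than live access, so the following is an added example, not part of this encyclopedia entry, of a small parser for the `Windows Registry Editor Version 5.00` export format that flags values equal to what this worm writes. The sample export at the bottom is constructed for the example; the key paths and values come from the entry above.

```python
import re

# Key paths from the entry above, shortened with prefixes to keep the table readable.
_HKCU_WIN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
_ADVANCED = _HKCU_WIN + r"\Explorer\Advanced"
_EXPLORER = _HKCU_WIN + r"\Explorer"
_POL_EXPLORER = _HKCU_WIN + r"\Policies\Explorer"
_POL_SYSTEM = _HKCU_WIN + r"\Policies\System"
_DEF_POL_EXPLORER = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
_SHARED_ACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
_IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

# (key path, value name) -> data the worm writes, exactly as listed in the entry.
WORM_REGISTRY_VALUES = {
    (_ADVANCED, "Hidden"): 1,
    (_ADVANCED, "HideFileExt"): 1,
    (_ADVANCED, "SuperHidden"): 1,
    (_ADVANCED, "ShowSuperHidden"): 0,
    (_EXPLORER, "SearchHidden"): 0,
    (_EXPLORER, "SearchSystemDirs"): 0,
    (_POL_EXPLORER, "NoDriveTypeAutoRun"): 0,
    (_POL_EXPLORER, "NoFolderOptions"): 1,
    (_DEF_POL_EXPLORER, "NoFolderOptions"): 1,
    (_POL_SYSTEM, "DisableRegedit"): 1,
    (_POL_SYSTEM, "DisableTaskMgr"): 1,
    (_POL_SYSTEM, "DisableRegistryTools"): 1,
    (_SHARED_ACCESS, "Start"): 1,
    (_IE_MAIN, "Window Title"): "Hacked by 1BYTE",
}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse a .reg export into {(key path, value name): data}.

    Handles dword: and quoted string data; any other data type is kept as the
    raw text after '='. The unnamed '@=' default value is skipped.
    """
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, data = value_match.group(1), value_match.group(2).strip()
            if data.lower().startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            values[(current_key, name)] = data
    return values


def find_worm_indicators(values):
    """Return (key, name, data) for every parsed value equal to what the worm sets.

    Key paths and value names are compared case-insensitively, as the registry does.
    """
    expected = {(k.lower(), n.lower()): v for (k, n), v in WORM_REGISTRY_VALUES.items()}
    hits = []
    for (key, name), data in values.items():
        wanted = expected.get((key.lower(), name.lower()))
        if wanted is not None and data == wanted:
            hits.append((key, name, data))
    return hits


def triage_export(text):
    """Parse an export and return the matching indicators in one call."""
    return find_worm_indicators(parse_reg_export(text))


# Constructed sample export for the example; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Hacked by 1BYTE"
"Start Page"="about:blank"
'''

if __name__ == "__main__":
    for key, name, data in triage_export(SAMPLE_EXPORT):
        print(f"{key}\\{name} = {data!r}")
```

Values such as `Hidden`, `HideFileExt` or `DisableTaskMgr` are also set legitimately by users and Group Policy, so treat a handful of matches as a prompt to look for the dropped files rather than as proof of infection; the `Window Title` string is the one value in the table that is specific to this worm.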


Spreading

The worm copies itself to the root folder of every drive using the following filenames:

csrss.exe
handydriver.exe
lsass.exe
smss.exe
kerneldrive.exe
systeminit.exe
wininit.exe
winlogon.exe
winsystem.exe

The following file is created in the same folders:

autorun.inf

This causes the worm to be executed when infected removable media is inserted on a system with AutoRun enabled.
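Since the spreading mechanism is a drive-root `autorun.inf` pointing at one of the filenames listed above, a responder can check media before it is mounted with AutoRun enabled. The following is an added example, not code from this encyclopedia entry, of a scanner that lists a drive root, flags any of the worm's filenames, and parses the `[autorun]` section of `autorun.inf` for launch directives (`open`, `shellexecute`, `shell\open\command`) that reference them. The demo directory it builds is constructed for the example; the `open=csrss.exe` line in it is an assumed layout, as the entry does not quote the worm's actual `autorun.inf` contents.

```python
import ntpath
import os
import shutil
import tempfile

# Filenames the worm drops in the root of every drive (from the entry above).
WORM_ROOT_FILENAMES = {
    "csrss.exe", "handydriver.exe", "lsass.exe", "smss.exe", "kerneldrive.exe",
    "systeminit.exe", "wininit.exe", "winlogon.exe", "winsystem.exe",
}

# Directives in [autorun] that cause a program to run; 'icon' and 'label' do not.
LAUNCH_DIRECTIVES = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun_inf(text):
    """Return {directive: value} for the [autorun] section only, names lower-cased."""
    directives = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def scan_drive_root(root):
    """Inspect one drive root directory and return a list of (finding, detail) pairs."""
    findings = []
    try:
        entries = {name.lower(): name for name in os.listdir(root)}
    except OSError:
        return findings  # unreadable root: nothing to report, caller decides
    for lowered, original in entries.items():
        path = os.path.join(root, original)
        if lowered in WORM_ROOT_FILENAMES and os.path.isfile(path):
            findings.append(("dropped_file", path))
    if "autorun.inf" in entries:
        inf_path = os.path.join(root, entries["autorun.inf"])
        with open(inf_path, "r", encoding="utf-8", errors="replace") as fh:
            directives = parse_autorun_inf(fh.read())
        for directive in LAUNCH_DIRECTIVES:
            target = directives.get(directive)
            if not target:
                continue
            findings.append(("autorun_launch", f"{directive}={target}"))
            # First token of the command, Windows path rules regardless of host OS.
            exe = ntpath.basename(target.split()[0]).lower()
            if exe in WORM_ROOT_FILENAMES:
                findings.append(("autorun_points_to_worm", target))
    return findings


def build_demo_root():
    """Construct a throwaway directory that mimics an infected drive root."""
    root = tempfile.mkdtemp(prefix="autorun-demo-")
    with open(os.path.join(root, "csrss.exe"), "wb") as fh:
        fh.write(b"MZ placeholder bytes, not a real executable")
    with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[autorun]\nopen=csrss.exe\nshellexecute=csrss.exe\nicon=csrss.exe\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("harmless file\n")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    try:
        for finding, detail in scan_drive_root(demo):
            print(f"{finding}: {detail}")
    finally:
        shutil.rmtree(demo)
```

On a live Windows host the roots to pass would be each mounted drive letter (`C:\`, `E:\`, ...); the scanner only reads, so it is safe to run against media straight from a quarantine workflow, and the same `parse_autorun_inf` can be pointed at an `autorun.inf` copied off an image.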

Other information

The worm keeps the total number of times it was executed in the Registry. When a certain value is reached, it attempts to delete various files and folders including the following:

%systemdrive%\boot.ini
%systemdrive%\IO.SYS
%systemdrive%\MSDOS.SYS
%systemdrive%\NTDETECT.COM
%systemdrive%\ntldr
Documents and Settings
Program Files