Win32/VB.NAY

| Aliases: | W32/Floppy-D (Sophos), Trojan.VB.AAB (Bitdefender), Virus.Win32.VB.o (Kaspersky) |
| Type: | Worm |
| Systems Affected: | 32-Bit Windows |
Introduction:
Win32/VB.NAY is a 40960-byte worm written in the English version of Microsoft Visual Basic 6. The worm is not runtime-compressed.
Installation and Autostart Techniques:
Upon execution, the worm copies itself into the System32 folder as "calc.exe" and renames the original Microsoft calc.exe to mscalc.exe. This trick is used to activate the worm every time the user starts the calculator.
When the worm recognizes that it has been run as calc.exe, the replication functionality is activated, a copy of the worm named "calc.tmp" may be written to the system folder, and mscalc.exe is then renamed back to calc.exe. At this time the original calculator is run, so the user will not notice that anything unusual has happened. This procedure is repeated endlessly; the timing is controlled with the Visual Basic Timer object.
Exact 40960 byte copies of the worm are also written to the Windows directory (usually C:\Windows) as "calc.exe", "mscalc.exe", and "config_.com". The attributes for "config_.com" are set to hidden and system so that the file will not be visible unless the user has configured folder options to show these types of files.

This illustration shows the worm files dropped into the Windows folder. All infected files have a spoofed Word icon and an executable file extension, except the hidden system file "config_.com", which is run from a registry entry each time Windows is started.

This illustration shows the replacement of the calculator program in the Windows System32 folder. The worm periodically copies the original calculator file over the worm file.
After cleaning this worm, if the Windows calculator does not start, the original calculator will be found in the System32 folder under the name "mscalc.exe", which the worm created as a backup file. Rename "mscalc.exe" back to "calc.exe", make sure the file size is larger than 100 KB (NOT the 40 KB worm file), and the system should be operative again.
The worm enumerates drives and folders via the ActiveX Windows Scripting Host Library (WSHOM). It will try to drop a copy of itself in every folder with the executable name of the folder.
For example, a copy of the worm named "Program Files.exe" will be placed in the "Program Files" folder.
For each drive from "C:" to "E:", a copy of the worm named "New Document.exe" is dropped into the root directory. If the drive type is removable (USB stick etc.) and is neither a floppy drive nor a fixed drive (normal hard disk), the worm tries to write an "autorun.inf" file to the drive so that the copy is executed automatically when the media is inserted or accessed.
The autorun.inf file contains the following startup function:
[Autorun]
open = New Document.exe
Another interesting fact is that the worm randomly writes copies of itself onto floppy disks with the same file names as existing executable files and just adds a double .exe file extension to these copies. This might trick a user into running the worm again instead of the intended executable.
For example, if the worm finds an executable "PRCVIEW.EXE" on a floppy drive, it might create a copy of the worm in the same folder with the name "PRCVIEW.EXE.exe".
(Please note the double extension)
The timed events of this worm cause a floppy drive with a diskette in it to perform endless seek operations.
The worm can also spread using local mapped network drives.
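The three spreading patterns above (an autorun.inf in the root that launches "New Document.exe", a copy named after the folder it sits in, and a double-extension copy placed next to a real executable) can be checked for offline on a listing of a drive. The following Python is an added example, not code from the ESET write-up; it works on a constructed, in-memory listing of a removable drive whose file names come from the write-up, while the folder layout and the benign files are assumed. The `shellexecute` key is another autorun.inf launch key that the write-up does not mention.

```python
"""Media triage for the Win32/VB.NAY spreading patterns (added example)."""
import posixpath

# Constructed listing of a removable drive: path -> file text ("" where only the
# name matters). "autorun.inf" and "New Document.exe" are the names from the
# write-up; the Tools and Docs folders are an assumed layout.
SAMPLE_DRIVE = {
    "autorun.inf": "[Autorun]\nopen = New Document.exe\n",
    "New Document.exe": "",
    "Tools/PRCVIEW.EXE": "",        # a genuine tool on the diskette
    "Tools/PRCVIEW.EXE.exe": "",    # worm copy with a double extension
    "Tools/Tools.exe": "",          # worm copy named after its folder
    "Docs/report.doc": "",
    "Docs/notes.txt": "",
}


def autorun_targets(inf_text):
    """Return the commands an autorun.inf would launch from its [autorun] section."""
    targets = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in ("open", "shellexecute"):
            targets.append(value)
    return targets


def scan_media(listing):
    """Return sorted (indicator, path) pairs for the worm's three spreading patterns."""
    findings = []
    names_by_dir = {}
    for path in listing:
        folder, name = posixpath.split(path)
        names_by_dir.setdefault(folder, set()).add(name)

    # 1. autorun.inf in the root pointing at a dropped executable
    inf_text = listing.get("autorun.inf")
    if inf_text is not None:
        for target in autorun_targets(inf_text):
            findings.append(("autorun-launch", target))

    # 2. "New Document.exe" dropped into the root directory
    if "New Document.exe" in names_by_dir.get("", set()):
        findings.append(("root-dropper", "New Document.exe"))

    for folder, names in names_by_dir.items():
        folder_name = posixpath.basename(folder).lower()
        lower_names = {n.lower() for n in names}
        for name in names:
            lower = name.lower()
            # 3. copy named after the folder, e.g. "Program Files\Program Files.exe"
            if folder and lower == folder_name + ".exe":
                findings.append(("folder-name-copy", posixpath.join(folder, name)))
            # 4. double extension beside the original, e.g. "PRCVIEW.EXE.exe"
            if lower.endswith(".exe"):
                stem = name[:-4]
                if stem.lower().endswith((".exe", ".com", ".bat")) and stem.lower() in lower_names:
                    findings.append(("double-extension", posixpath.join(folder, name)))
    return sorted(findings)


if __name__ == "__main__":
    for indicator, path in scan_media(SAMPLE_DRIVE):
        print(f"{indicator:18} {path}")
```

The double-extension rule only fires when the shorter name also exists in the same folder, which is exactly the situation the write-up describes and keeps a legitimately named file such as "setup.exe" from being reported on its own.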
The following registry key is added to make sure that the worm runs every time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Explorer" = "%WinDir%\config_.com"
The worm doesn't create any special Mutex, but does make use of the "Previous Instance" functionality from Visual Basic to prevent multiple instances of the worm from running on the same machine.
The worm also copies itself into the Startup folder; however, the name is not startup.exe (normally the worm uses the folder name plus an extension as the file name). In the Startup folder the worm names itself "startupFolder.com". This is done to ensure that the worm is executed each time the system reboots, even if the "Run" registry key was deleted.
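The host-side indicators in the sections above (the 40960-byte calc.exe replacement with the original saved as mscalc.exe, the worm-sized copies and the hidden system file config_.com in the Windows directory, the "Explorer" value in the Run key, and startupFolder.com in the Startup folder) can be expressed as a triage routine, together with the restore check from the cleaning note. The following Python is an added example, not code from the ESET write-up; it runs against a constructed snapshot of an infected machine (file sizes, attributes and Run key values). File names, the 40960-byte size, the 100 KB threshold and the registry value are taken from the write-up; the directory layout, the size of the genuine calculator and the benign entries are assumed.

```python
"""Host triage for the Win32/VB.NAY installation indicators (added example)."""
WORM_SIZE = 40960                # exact size of every dropped copy (from the write-up)
MIN_REAL_CALC_SIZE = 100 * 1024  # the write-up's sanity check for the genuine calc.exe

# Constructed snapshot of an infected machine: path -> (size in bytes, {attributes}).
SAMPLE_FILES = {
    r"C:\Windows\System32\calc.exe": (40960, set()),
    r"C:\Windows\System32\mscalc.exe": (114688, set()),  # assumed size of the real calculator
    r"C:\Windows\calc.exe": (40960, set()),
    r"C:\Windows\mscalc.exe": (40960, set()),
    r"C:\Windows\config_.com": (40960, {"hidden", "system"}),
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\startupFolder.com": (40960, set()),
    r"C:\Windows\System32\notepad.exe": (69120, set()),  # constructed benign file
}
# Constructed values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_KEY = {
    "Explorer": r"%WinDir%\config_.com",   # the worm's entry from the write-up
    "SoundMan": r"C:\Windows\SOUNDMAN.EXE",  # constructed benign entry
}


def triage(files, run_key, windir=r"C:\Windows"):
    """Return a sorted list of (indicator, detail) pairs found in the snapshot."""
    findings = []
    lower = {p.lower(): (p, size, attrs) for p, (size, attrs) in files.items()}
    win = windir.lower()
    sys32 = win + r"\system32"

    # calc.exe in System32 replaced by a worm-sized file, original kept as mscalc.exe
    calc = lower.get(sys32 + r"\calc.exe")
    if calc and calc[1] == WORM_SIZE:
        findings.append(("calc.exe replaced by worm-sized file", calc[0]))
    backup = lower.get(sys32 + r"\mscalc.exe")
    if backup:
        findings.append(("renamed original calculator present", backup[0]))

    # exact 40960-byte copies dropped into the Windows directory
    for name in ("calc.exe", "mscalc.exe", "config_.com"):
        entry = lower.get(win + "\\" + name)
        if entry and entry[1] == WORM_SIZE:
            findings.append(("worm-sized copy in Windows directory", entry[0]))
    cfg = lower.get(win + r"\config_.com")
    if cfg and {"hidden", "system"} <= cfg[2]:
        findings.append(("config_.com hidden+system", cfg[0]))

    # Run key value launching config_.com (the write-up shows it via %WinDir%)
    for value_name, command in run_key.items():
        expanded = command.lower().replace("%windir%", win)
        if expanded.endswith(r"\config_.com"):
            findings.append(("Run key launches config_.com", f"{value_name} = {command}"))

    # startupFolder.com in any Startup folder
    for path, _size, _attrs in lower.values():
        if path.lower().endswith(r"\startup\startupfolder.com"):
            findings.append(("Startup folder copy", path))
    return sorted(findings)


def calculator_restore_plan(files, windir=r"C:\Windows"):
    """Reproduce the cleaning note: only rename mscalc.exe back if it is larger than 100 KB."""
    sys32 = windir + r"\System32"
    entry = files.get(sys32 + r"\mscalc.exe")
    if entry is None:
        return "no mscalc.exe backup found in System32"
    size = entry[0]
    if size > MIN_REAL_CALC_SIZE:
        return f"rename {sys32}\\mscalc.exe back to calc.exe ({size} bytes looks like the genuine calculator)"
    return f"do not restore: mscalc.exe is only {size} bytes (another worm copy)"


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_FILES, SAMPLE_RUN_KEY):
        print(f"{indicator:40} {detail}")
    print(calculator_restore_plan(SAMPLE_FILES))
```

The size comparison is deliberately exact for the dropped copies (every copy the write-up describes is 40960 bytes) but a threshold for the backup, because a worm copy can also be sitting under the mscalc.exe name in the Windows directory and the cleaning note's "larger than 100 KB" rule is what tells the two apart.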
Analyst's Note:
Because this worm spreads across different drives and removable drives, all recently used media should be scanned for other copies of the worm before the media is used again or shared with other people. The worm adds autorun.inf and will probably start itself on other machines when the media is accessed.
History: Analysis and Write-up by: Michael St. Neitzel
© 1992-2005 Eset All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
