Short description
Win32/VB.NSP is a worm that spreads via removable media. The file is run-time compressed using UPX.
Installation
When executed, the worm copies itself to the following locations:
- %windir%\userinit.exe
- %windir%\scout.exe
- %windir%\system\lsass.exe
- %windir%\pikachu.exe
In order to be executed on every system start, the worm sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"pikachu" = "%windir%\pikachu.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%windir%\userinit.exe"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = 0
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"UncheckedValue" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"UncheckedValue" = 0
The following Registry entries are created:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoFolderOptions" = 0
"NoRun" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = 1
"DisableRegistryTools" = 1
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]
"RestrictToPermittedSnapins" = 1
- [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD" = 1
The following Registry entries are removed:
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)" = "DiskDrive"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)" = "DiskDrive"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)" = "DiskDrive"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"(Default)" = "DiskDrive"
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
The worm may create copies of itself in the folder:
The name of the file may be based on the name of an existing file or folder. An additional ".exe" extension is appended.
Other information
The following file is modified:
The worm writes the following entries to the file, effectively blocking access to the listed Internet sites:
- 127.0.0.1 download.com.vn
- 127.0.0.1 www.download.com.vn
- 127.0.0.1 9down.com
- 127.0.0.1 www.9down.com
- 127.0.0.1 download.eset.com
- 127.0.0.1 www.download.com
- 127.0.0.1 download.f-secure.com
- 127.0.0.1 mirror02.gdata.de
- 127.0.0.1 download.avg.com
- 127.0.0.1 spftrl.digitalriver.com
- 127.0.0.1 www.grisoft.cz
- 127.0.0.1 download1us.softpedia.com
- 127.0.0.1 download.softpedia.com
- 127.0.0.1 www.bitdefender.co.uk
- 127.0.0.1 www.bitdefender.com
- 127.0.0.1 www.kaspersky.com
- 127.0.0.1 bkav.com.vn
- 127.0.0.1 www.bkav.com.vn
- 127.0.0.1 www.symantec.com
- 127.0.0.1 free.avg.com
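As an added example that is not part of the ESET description, the following read-only PowerShell triage script checks a Windows host for the indicators listed in the Installation and Other information sections above: the dropped files, the Run and Winlogon persistence entries, the policy values, the removed SafeBoot DiskDrive keys and the 127.0.0.1 entries. Two things in it are assumptions rather than statements from the description: that the modified file is %windir%\System32\drivers\etc\hosts (the description does not name the file), and that a clean Userinit value points at %windir%\system32\userinit.exe.

```powershell
# Added triage script (not ESET's code). All paths, value names and domains below are
# copied from the description; the hosts-file path and expected Userinit are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies of the worm
$dropPaths = @(
    "$env:windir\userinit.exe",
    "$env:windir\scout.exe",
    "$env:windir\system\lsass.exe",
    "$env:windir\pikachu.exe"
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
}

# 2. Persistence: HKCU Run value and the replaced Winlogon Userinit
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['pikachu']) {
    $findings.Add("Run value 'pikachu' = $($run.pikachu)")
}
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$expectedUserinit = "$env:windir\system32\userinit.exe"   # assumption: clean default (Windows stores it with a trailing comma)
if ($winlogon -and $winlogon.Userinit -and ($winlogon.Userinit.TrimEnd(',') -ne $expectedUserinit)) {
    $findings.Add("Winlogon Userinit is '$($winlogon.Userinit)' (expected '$expectedUserinit,')")
}

# 3. Policy and Explorer values the worm sets to hinder cleanup
$valueChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';             Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';       Bad = 1 },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\MMC';                           Name = 'RestrictToPermittedSnapins'; Bad = 1 },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD';                 Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue';   Bad = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt';    Name = 'UncheckedValue'; Bad = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden';    Name = 'UncheckedValue'; Bad = 0 }
)
foreach ($c in $valueChecks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and ($item.($c.Name) -eq $c.Bad)) {
        $findings.Add("$($c.Key) '$($c.Name)' = $($c.Bad)")
    }
}

# 4. SafeBoot DiskDrive class entries the worm deletes (their absence breaks Safe Mode)
$diskClass = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$diskClass"
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($default -ne 'DiskDrive') {
        $findings.Add("SafeBoot\$mode\$diskClass default value missing (expected 'DiskDrive')")
    }
}

# 5. Hosts file: loopback entries for the domains listed in the description,
#    plus any other non-localhost name mapped to 127.0.0.1 (same technique, other targets)
$hostsPath = "$env:windir\System32\drivers\etc\hosts"   # assumption: description does not name the file
$listedDomains = @(
    'download.com.vn','www.download.com.vn','9down.com','www.9down.com','download.eset.com',
    'www.download.com','download.f-secure.com','mirror02.gdata.de','download.avg.com',
    'spftrl.digitalriver.com','www.grisoft.cz','download1us.softpedia.com','download.softpedia.com',
    'www.bitdefender.co.uk','www.bitdefender.com','www.kaspersky.com','bkav.com.vn',
    'www.bkav.com.vn','www.symantec.com','free.avg.com'
)
if (Test-Path -LiteralPath $hostsPath) {
    foreach ($line in Get-Content -LiteralPath $hostsPath) {
        $t = $line.Trim()
        if ($t -match '^127\.0\.0\.1\s+(\S+)') {
            $name = $Matches[1]
            if ($listedDomains -contains $name) { $findings.Add("hosts: listed domain null-routed: $t") }
            elseif ($name -ne 'localhost')      { $findings.Add("hosts: other loopback mapping (review): $t") }
        }
    }
}

if ($findings.Count -eq 0) { 'No Win32/VB.NSP indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell session; it only reads the registry and file system and changes nothing. When cleaning a confirmed infection, restore the Winlogon Userinit value before removing %windir%\userinit.exe: the worm's copy is what Winlogon launches at logon, and deleting it while the value still points there leaves the machine unable to complete a logon. The missing SafeBoot DiskDrive entries explain why Safe Mode may fail to start on an infected machine, so they need to be recreated rather than just noted.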