Worm:Win32/VB.CD is a worm that spreads to removable drives, modifies system settings and may delete files.
Installation
When Worm:Win32/VB.CD runs, it may drop copies of itself as the following:
<system folder>\systeminit.exe
<system folder>\winsystem.exe
<system folder>\taskmgr.exe
<system folder>\cmd.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe
%windir%\regedit.exe
The dropped copy of 'regedit.exe' may replace any existing file of the same name, normally the Windows utility known as Registry Editor. It also creates the following file:
<system folder>\CatRoot2\tmp.edb
The registry is modified to run a copy of the worm at each Windows start.
Adds value: systeminit
With data: "<system folder>\systeminit.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm may make additional registry value additions.
Adds value: ServicePack
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\Microsoft
Adds value: "nflag"
With data: "<number of times worm executed>"
To subkey: HKEY_CURRENT_USER\Software\Microsoft
Spreads Via…
Removable Drives
The worm searches for removable drives in order to spread. When such a drive is found, Win32/VB.CD will drop a copy of itself with the name 'kerneldrive.exe' in the root directory of the targeted drive. Upon copying itself to a drive, the worm creates a file named 'autorun.inf' in the root directory of the drive. The autorun.inf file contains execution instructions for the operating system, which are invoked when the drive is viewed using Windows Explorer.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
Payload
Modifies IE Window Title
This worm may change the window title of the Web browser Internet Explorer by modifying registry data.
Modifies value: "Window Title"
With data: "hacked by 1byte"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Modifies Windows Explorer Settings
This worm makes numerous changes to Windows settings:
- Keeps hidden files hidden, even when the 'show hidden files' view option is selected in Explorer
- Excludes the Windows system folder from file searches
- Enables drives to autoplay (autorun) when mounting or mapping drives
- Disables the "folders options" menu item in Explorer
- Hides file extensions of known file types
Modifies value: SearchHidden
With data: "0"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
Modifies value: "SearchSystemDirs"
With data: "0"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
Modifies value: NoDriveTypeAutoRun
With data: "0"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Modifies value: NoFolderOptions
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
Modifies value: Hidden
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Modifies value: HideFileExt
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Modifies value: ShowSuperHidden
With data: "0"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Modifies value: SuperHidden
With data: "1"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
Modifies value: Start
With data: "1"
To subkey: HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Services\SharedAccess\
Modifies value: NoFolderOptions
With data: "1"
To subkey: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
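Added example, not part of the original description: a Python check that parses a Windows .reg export and flags the registry changes listed in this entry (the Run value, the execution counter and the Explorer and Internet Explorer settings). The sample export is constructed; value names and data are taken from this description, and HKLM is expanded to HKEY_LOCAL_MACHINE as the .reg format requires.

```python
import re
# Constructed sample (not a real capture): a .reg export fragment in the state this
# description attributes to the worm. HKLM is written out in full as .reg requires.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"systeminit"="C:\\WINDOWS\\system32\\systeminit.exe"
[HKEY_CURRENT_USER\Software\Microsoft]
"nflag"=dword:0000004a
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoFolderOptions"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="hacked by 1byte"
'''
HKCU = r"HKEY_CURRENT_USER\Software\Microsoft"
# (subkey, value name) -> data from the description; None means any data counts. The Run
# entry and IE title are strong indicators; the policy values are weak alone (admins set them).
INDICATORS = {
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "systeminit"): None,
    (HKCU, "nflag"): None,
    (HKCU + r"\Windows\CurrentVersion\Policies\Explorer", "NoDriveTypeAutoRun"): "0",
    (HKCU + r"\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"): "1",
    (HKCU + r"\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden"): "0",
    (HKCU + r"\Internet Explorer\Main", "Window Title"): "hacked by 1byte",
}

def parse_reg(text):
    """Parse .reg text into {(subkey, name): data}; keys lower-cased, dword -> decimal str."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if key := re.match(r"^\[(.+)\]$", line):
            current = key.group(1).rstrip("\\").lower()
        elif current and (val := re.match(r'^"([^"]+)"=(.+)$', line)):
            name, raw = val.groups()
            if raw.startswith("dword:"):
                data = str(int(raw[6:], 16))
            else:  # REG_SZ: drop the quotes and undo the doubled backslashes
                data = raw.strip('"').replace("\\\\", "\\")
            entries[(current, name.lower())] = data
    return entries

def find_indicators(entries):
    """Return (subkey, name, data) for each indicator present with matching data."""
    hits = []
    for (subkey, name), expected in INDICATORS.items():
        data = entries.get((subkey.lower(), name.lower()))
        if data is not None and (expected is None or data.lower() == expected.lower()):
            hits.append((subkey, name, data))
    return hits
```

Run it against a real export (reg export HKCU hkcu.reg) to triage a machine; a hit on the Run value or the IE title alone is enough to investigate, while the policy values only matter together.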
Changes IE Start Page
Each time the worm executes, it increments the execution count it stores in registry data. On reaching the 74th execution, it may change the Internet Explorer start page by modifying registry data.
Modifies value: "Start Page"
With data: "about:_____________________Hacked_By_1BYTE____________________________"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Deletes Boot Files
Each time the worm executes, it increments the execution count it stores in registry data. On reaching the 100th execution, it may try to delete the following boot configuration files:
%systemdrive%\boot.ini
%systemdrive%\IO.SYS
%systemdrive%\MSDOS.SYS
%systemdrive%\NTDETECT.COM
%systemdrive%\ntldr
Deletes Files And Folders
Win32/VB.CD may try to delete files and folders on all available drives excluding the following:
%windir%
%ProgramFiles%
<drive>\Documents and Settings
Analysis by Andrei Florin Saygo