Installation
Worm:Win32/Visal.A uses the icon of a PDF file to try and trick you into opening it.
It also copies itself as the following files:
- C:\N95_Image13022010.scr
- C:\open.exe
- %windir%\svchost.exe
It also creates the following autorun files, which cause the worm copy "open.exe" to run automatically when the folder is accessed and Autorun is enabled:
Worm:Win32/Visal.A modifies the system registry (Image File Execution Options) so that it is registered as the debugger for certain processes and runs when those processes are debugged:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process name>
Adds value: "Debugger"
Where <process name> is any of the following:
- 00hoeav.com
- 0w.com
- 360rpt.exe
- 360safe.exe
- 360safebox.exe
- 360tray.exe
- 6.bat
- 6fnlpetp.exe
- 6x8be16.cmd
- a2cmd.exe
- a2free.exe
- a2service.exe
- a2upd.exe
- abk.bat
- adobe gamma loader.exe
- algsrvs.exe
- algssl.exe
- angry.bat
- anti-trojan.exe
- antiarp.exe
- antihost.exe
- ants.exe
- apu-0607g.xml
- apu.stt
- apvxdwin.exe
- arswp.exe
- ashdisp.exe
- ashenhcd.exe
- ashlogv.exe
- ashmaisv.exe
- ashpopwz.exe
- ashquick.exe
- ashserv.exe
- ashskpcc.exe
- ashupd.exe
- ashwebsv.exe
- ast.exe
- aswboot.exe
- aswregsvr.exe
- aswupdsv.exe
- autorun.bin
- autorun.exe
- autorun.ini
- autorun.reg
- autorun.txt
- autorun.wsh
- autorunkiller.exe
- autoruns.exe
- autorunsc.exe
- avadmin.exe
- avastss.exe
- avcenter.exe
- avciman.exe
- avconfig.exe
- avconsol.exe
- avengine.exe
- avgamsvr.exe
- avgas.exe
- avgcc.exe
- avgcc32.exe
- avgemc.exe
- avginet.exe
- avgnt.exe
- avgrssvc.exe
- avgrsx.exe
- avgscan.exe
- avgserv.exe
- avguard.exe
- avgupsvc.exe
- avgw.exe
- avgwdsvc.exe
- avltd.exe
- avmailc.exe
- avmonitor.exe
- avnotify.exe
- avp.com
- avp.exe
- avp32.exe
- avpcc.exe
- avpm.exe
- avscan.exe
- avzkrnl.dll
- bad1.exe
- bad2.exe
- bad3.exe
- bdagent.exe
- bdsubwiz.exe
- bdsurvey.exe
- biosread.exe
- blackd.exe
- blackice.exe
- caiss.exe
- caissdt.exe
- catcache.dat
- cauninst.exe
- cavapp.exe
- cavasm.exe
- cavaud.exe
- cavcmd.exe
- cavctx.exe
Spreads via...
Network shares
Worm:Win32/Visal.A attempts to spread to other PCs in the network. If it finds an accessible PC in the network, it tries to copy the following files to drives C: to H:
- N73.Image12.03.2009.JPG.scr - copy of itself
- autorun.inf - autorun file that allows the worm copy to automatically run when the drive is accessed and Autorun is enabled
It also creates a copy of itself as "N73.Image12.03.2009.JPG.scr" in shared folders with the following names:
Email
Worm:Win32/Visal.A also spreads via spammed email messages. The email may have the following details:
Body:
Hello:
This is The Document I told you about,you can find it Here.<link to worm copy>
Please check it and reply as soon as possible.
Cheers,
Payload
Deletes files
Worm:Win32/Visal.A can delete the following files:
Modifies system policies
Worm:Win32/Visal.A modifies the following registry values:
- Disables Least User Access (LUA):
Adds value: "EnableLUA"
With data: "0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Disables secure desktop prompting:
Adds value: "PromptOnSecureDesktop"
With data: "0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Disables data redirection for interactive processes:
Adds value: "EnableVirtualization"
With data: "0x00000000"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
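The two registry changes described on this page (the Image File Execution Options "Debugger" entries from the Installation section and the three Policies\System values above) can be audited offline from a `reg export` file. The script below is an added example, not part of the original write-up or any Microsoft tool; the .reg text it runs over is constructed to imitate an infected machine and is not real capture data.

```python
import re

# Registry paths named in the write-up, in the form a .reg export uses.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Values the worm sets to 0; 0 means the corresponding UAC protection is off.
POLICY_VALUES = ("EnableLUA", "PromptOnSecureDesktop", "EnableVirtualization")

# Constructed sample of a .reg export (not real data): one hijacked AV process,
# one harmless IFEO entry, and two of the three policy values switched off.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="%windir%\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000000
"EnableVirtualization"=dword:00000001
"""

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.group(1), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                keys[current][name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def audit(text):
    """Return findings for IFEO Debugger hijacks and weakened UAC policy values."""
    findings = []
    keys = parse_reg(text)
    ifeo_prefix = IFEO_KEY.lower() + "\\"  # registry paths are case-insensitive
    for path, values in keys.items():
        # Any Debugger value deserves triage; developer tools set it legitimately,
        # but one pointing at a worm copy (as on this page) is a hijack.
        if path.lower().startswith(ifeo_prefix) and "Debugger" in values:
            findings.append(f"IFEO hijack: {path[len(ifeo_prefix):]} -> {values['Debugger']}")
    lowered = {k.lower(): v for k, v in keys.items()}
    policy = {n.lower(): d for n, d in lowered.get(POLICY_KEY.lower(), {}).items()}
    for name in POLICY_VALUES:
        if policy.get(name.lower()) == 0:
            findings.append(f"UAC policy weakened: {name}=0")
    return findings
```

Run it over a real export with `audit(open("export.reg", encoding="utf-16").read())`, since `reg export` writes UTF-16 files.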
Downloads other malware
Worm:Win32/Visal.A tries to download files from the following URLs; these files might also be detected as malware:
- members.lycos.co.uk
- members.multimania.co.uk
- www.sharedocuments.com
Analysis by Daniel Radu