The virus terminates any process whose window title contains one of the strings listed below:
taskprocess
exp
policy
hijack
girl
x-ray
sex
tsk
iknow
box
regedit
basmi
kill
restore
p3k
repair
sintax
jalan
jan
project
security
registry
tweak
clean
tugas
scan
remov
wav.
automa
curr
sysinter
mp3
nude
porn
\system
\startup
Playboy
lalat
search
17tahun
xx
hot
america
oral
naked
kamas
gay
The virus searches all fixed and removable disks for files which correspond to the masks listed below:
*x*.3gp
*.mp3
*x*.mp4
*x*.mpg
*x*.mpeg
*.m3u
*x*.avi
avseq*.dat
*x*.wma
*x*.wav
*x*.wmv
*x*.amv
*porn*
*girl*
*adult*
*playlist*
*hot*
zuma.exe
*x*.jpg
*x*.jpeg
*x*.bmp
*x*.gif
and replaces each matching file with a copy of itself, appending ".exe" to the file's existing extension (for example, "secretvideo.mpg" becomes "secretvideo.mpg.exe").
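The mask list above can be turned into a simple triage tool for a file listing: it tells a responder which clean files the virus would have targeted, which names already carry the double extension it produces, and which absolute paths match the copies the description names. The script below is an added example, not code from the original page or from Kaspersky; the mask and path lists are copied from this description, and the sample listing is constructed.

```python
import fnmatch
import ntpath

# File masks from the description. Windows name matching is case-insensitive,
# so names and masks are lower-cased before comparison.
TARGET_MASKS = [
    "*x*.3gp", "*.mp3", "*x*.mp4", "*x*.mpg", "*x*.mpeg", "*.m3u", "*x*.avi",
    "avseq*.dat", "*x*.wma", "*x*.wav", "*x*.wmv", "*x*.amv", "*porn*", "*girl*",
    "*adult*", "*playlist*", "*hot*", "zuma.exe", "*x*.jpg", "*x*.jpeg",
    "*x*.bmp", "*x*.gif",
]

# Extensions occurring in the masks. A replaced file keeps its original name
# and gains a trailing ".exe", e.g. "secretvideo.mpg" -> "secretvideo.mpg.exe".
MEDIA_EXTS = {".3gp", ".mp3", ".mp4", ".mpg", ".mpeg", ".m3u", ".avi", ".dat",
              ".wma", ".wav", ".wmv", ".amv", ".jpg", ".jpeg", ".bmp", ".gif"}

# A few of the absolute paths the description lists as copies of the virus.
KNOWN_COPIES = {p.lower() for p in [
    r"c:\windows\system\Lagu.mp3",
    r"C:\WINDOWS\system32\vergon1885.exe",
    r"C:\WINDOWS\system\x-executor.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\user32.exe",
]}


def is_targeted(path):
    """True if a clean file with this name matches one of the virus's masks."""
    name = ntpath.basename(path).lower()
    return any(fnmatch.fnmatchcase(name, mask.lower()) for mask in TARGET_MASKS)


def is_double_extension(path):
    """True for names of the form <anything>.<media extension>.exe."""
    name = ntpath.basename(path).lower()
    stem, outer = ntpath.splitext(name)
    if outer != ".exe":
        return False
    _, inner = ntpath.splitext(stem)
    return inner in MEDIA_EXTS


def classify(path):
    """Verdict for one path: known-copy, suspect-replacement, at-risk or clean."""
    if path.lower() in KNOWN_COPIES:
        return "known-copy"
    if is_double_extension(path):
        return "suspect-replacement"
    if is_targeted(path):
        return "at-risk"
    return "clean"


def triage(paths):
    """Group a list of paths (e.g. from a directory walk) by verdict."""
    groups = {"known-copy": [], "suspect-replacement": [], "at-risk": [], "clean": []}
    for p in paths:
        groups[classify(p)].append(p)
    return groups


# Constructed sample listing; not taken from a real machine.
SAMPLE_PATHS = [
    r"D:\Secret\ABG_xxx.3gp",
    r"F:\Song\Ria Amelia - SMS.mp3",
    r"E:\multimedia\Lagu porno.mp3.exe",
    r"C:\WINDOWS\system32\vergon1885.exe",
    r"C:\Users\alice\report.docx",
    r"E:\player\WMP_10.4.exe",
]

if __name__ == "__main__":
    for verdict, items in triage(SAMPLE_PATHS).items():
        for item in items:
            print(f"{verdict:20} {item}")
```

Note that the "*.mp3" and "*playlist*" masks match far more than adult content, which is why an infected machine loses ordinary music files too; the double-extension check is the most useful signal because the "HideFileExt" setting the virus writes makes "Lagu porno.mp3.exe" display as "Lagu porno.mp3" in Explorer.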
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process, which may be called "Vergon1885.exe".
- Delete the original virus file (the location will depend on how the program originally penetrated the victim machine).
- Delete the following system registry key parameters:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmplayer" = "C:\WINDOWS\system32\vergon1885.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "explorer.exe C:\WINDOWS\system32\vergon1885.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vergon1885.exe"
[HKLM\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell" = "C:\WINDOWS\system32\vergon1885.exe"
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "C:\WINDOWS\system32\vergon1885.exe"
[HKLM\Software\Microsoft\command processor]
"autorun" = "C:\WINDOWS\system32\man.bat"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\cabinetstate]
"fullpath" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\cabinetstate]
"fullpathaddress" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\SystemFileProtection]
"ShowPopups" = "1"
- Delete the following files:
c:\windows\system\Lagu.mp3
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\admin32.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\_default.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\user32.exe
C:\WINDOWS\system32\vergon1885.exe
C:\WINDOWS\system\x-executor.exe
C:\Backup\WMP_10 for XP.exe
D:\Secret\ABG_xxx.3gp.exe
D:\Tools\AVSEQ01.mpg.exe
D:\Doc\IEWMP_10_xpsp2.exe
E:\XXX\1-1-2007.mpg.exe
E:\multimedia\Lagu porno.mp3.exe
E:\player\WMP_10.4.exe
F:\Song\Ria Amelia - SMS.mp3.exe
F:\playlist\playstuff.mpg.exe
F:\favorite\Samson - Lelaki buaya darat.mp3.exe
G:\new\DFX for Windows Media Player.XPSP2.exe
G:\download\sexmission.mpg.exe
G:\New Folder\Plug-in WMP_10.XPSP2.exe
h:\video\secretvideo.mpg.exe
h:\My File\he he he.mpg.exe
h:\mp3\Top Indo 2007.mp3.exe
I:\sembunyi\03movie1107.mpg.exe
I:\My folder\filmbiru.mpg.exe
I:\Hidden\private.mpg.exe
C:\WINDOWS\system32\man.bat
C:\WINDOWS\msvbvm60.dll
c:\msvbvm60.dll
C:\WINDOWS\System\SYSVER.DLL
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
This virus replaces files with copies of itself. This Trojan is a Windows PE EXE file. It is 143872 bytes in size. It is packed using PECompact. The unpacked file is approximately 233KB in size. It is written in Visual Basic.
Installation
When launched, the virus copies its executable file as follows:
c:\windows\system\Lagu.mp3
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\admin32.exe
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\_default.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\user32.exe
C:\WINDOWS\system32\vergon1885.exe
C:\WINDOWS\system\x-executor.exe
C:\Backup\WMP_10 for XP.exe
D:\Secret\ABG_xxx.3gp.exe
D:\Tools\AVSEQ01.mpg.exe
D:\Doc\IEWMP_10_xpsp2.exe
E:\XXX\1-1-2007.mpg.exe
E:\multimedia\Lagu porno.mp3.exe
E:\player\WMP_10.4.exe
F:\Song\Ria Amelia - SMS.mp3.exe
F:\playlist\playstuff.mpg.exe
F:\favorite\Samson - Lelaki buaya darat.mp3.exe
G:\new\DFX for Windows Media Player.XPSP2.exe
G:\download\sexmission.mpg.exe
G:\New Folder\Plug-in WMP_10.XPSP2.exe
h:\video\secretvideo.mpg.exe
h:\My File\he he he.mpg.exe
h:\mp3\Top Indo 2007.mp3.exe
I:\sembunyi\03movie1107.mpg.exe
I:\My folder\filmbiru.mpg.exe
I:\Hidden\private.mpg.exe
To ensure that it is launched automatically when the system is rebooted, the virus adds links to its executable file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wmplayer" = "C:\WINDOWS\system32\vergon1885.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "explorer.exe C:\WINDOWS\system32\vergon1885.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vergon1885.exe"
[HKLM\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell" = "C:\WINDOWS\system32\vergon1885.exe"
[HKLM\System\CurrentControlSet\Control\SafeBoot]
"AlternateShell" = "C:\WINDOWS\system32\vergon1885.exe"
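The autostart entries just listed, together with the policy and Explorer values given in the removal instructions above, can be checked against a registry snapshot rather than inspected by hand in regedit (which this virus kills on sight). The script below is an added example, not code from the original page or from Kaspersky; the rule table is taken from this description, the two snapshots are constructed, and the `read_live_snapshot` helper assumes it runs on Windows where the standard `winreg` module is available.

```python
import sys

# Registry values the description lists, expressed as detection rules.
# Each entry: (hive, subkey, value name, match kind, indicator).
#   "substr": the indicator appears anywhere in the data (catches the virus
#             appended to a legitimate value, e.g. "explorer.exe <virus>")
#   "exact":  the data equals the indicator
RULES = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wmplayer", "substr", "vergon1885.exe"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "shell", "substr", "vergon1885.exe"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit", "substr", "vergon1885.exe"),
    ("HKLM", r"SYSTEM\ControlSet001\Control\SafeBoot", "AlternateShell", "substr", "vergon1885.exe"),
    ("HKLM", r"System\CurrentControlSet\Control\SafeBoot", "AlternateShell", "substr", "vergon1885.exe"),
    ("HKLM", r"Software\Microsoft\command processor", "autorun", "substr", "man.bat"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "exact", "1"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt", "exact", "1"),
]


def _norm(hive, subkey, name):
    # Registry key and value names are case-insensitive.
    return (hive.upper(), subkey.lower(), name.lower())


def check_snapshot(snapshot):
    """snapshot: {(hive, subkey, value name): data}. Returns a list of findings
    as (key path, value name, data) tuples; an empty list means no rule matched."""
    lookup = {_norm(*k): v for k, v in snapshot.items()}
    findings = []
    for hive, subkey, name, kind, indicator in RULES:
        data = lookup.get(_norm(hive, subkey, name))
        if data is None:
            continue  # value absent: nothing to judge
        text = str(data).lower()
        hit = indicator.lower() in text if kind == "substr" else text == indicator.lower()
        if hit:
            findings.append((f"{hive}\\{subkey}", name, data))
    return findings


def read_live_snapshot():
    """Read the rule locations from the live registry (Windows only; assumption)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry access requires Windows")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for hive, subkey, name, _, _ in RULES:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snapshot[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass  # key or value not present
    return snapshot


# Constructed snapshots; not taken from a real machine.
INFECTED = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "wmplayer"): r"C:\WINDOWS\system32\vergon1885.exe",
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): r"explorer.exe C:\WINDOWS\system32\vergon1885.exe",
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"): r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\vergon1885.exe",
    ("HKLM", r"System\CurrentControlSet\Control\SafeBoot", "AlternateShell"): r"C:\WINDOWS\system32\vergon1885.exe",
    ("HKLM", r"Software\Microsoft\Command Processor", "AutoRun"): r"C:\WINDOWS\system32\man.bat",
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"): 1,
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt"): 1,
}
CLEAN = {
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit"): r"C:\WINDOWS\system32\userinit.exe,",
    ("HKLM", r"System\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "HideFileExt"): 0,
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else INFECTED
    for key_path, name, data in check_snapshot(snap):
        print(f"{key_path}\\{name} = {data!r}")
```

Substring matching matters for the Winlogon "Shell" and "Userinit" values and for "AlternateShell": the virus does not remove the legitimate program but appends itself, so a cleanup must restore the original data rather than delete the value, or the machine will no longer log on normally. "HideFileExt" = "1" is reported because it is what hides the trailing ".exe" of the replaced media files, even though many systems ship with that setting.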
When launching, the virus extracts the following files from its body:
C:\WINDOWS\system32\man.bat – this file is 1129 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan.BAT.Adduser.t
C:\WINDOWS\msvbvm60.dll – this file is 1388544 bytes in size.
c:\msvbvm60.dll – this file is 1388544 bytes in size.
C:\WINDOWS\System\SYSVER.DLL – this file is 1388544 bytes in size.
The virus modifies the values of the following system registry keys:
[HKLM\Software\Microsoft\command processor]
"autorun" = "C:\WINDOWS\system32\man.bat"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\cabinetstate]
"fullpath" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\cabinetstate]
"fullpathaddress" = "1"
[HKLM\Software\Microsoft\Windows\CurrentVersion\SystemFileProtection]
"ShowPopups" = "1"
Payload