Analysis by: Dianne Lagrimas

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via removable drives, Propagates via instant messaging applications

This description is based on the compiled analysis of several variants of WORM_VBNA. Note that specific data such as file names and registry values may vary for each variant.

This worm arrives by connecting affected removable drives to a system. It may be dropped by other malware. It may be unknowingly downloaded by a user while visiting malicious websites.

It deletes registry entries, causing some applications and programs to not function properly.

It drops copies of itself in all removable and physical drives found in the system. It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

It executes commands from a remote malicious user, effectively compromising the affected system.

It modifies the affected system's HOSTS files. This prevents users from accessing certain websites.

  TECHNICAL DETAILS

File Size: Varies
File Type: EXE
Memory Resident: Yes
Payload: Compromises system security, Modifies HOSTS file, Terminates processes, Connects to URLs/IPs

Arrival Details

This worm arrives by connecting affected removable drives to a system.

It may be dropped by other malware.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system and executes them:

  • %Application Data%\{malware file name}.exe
  • %Start Menu%\{malware file name}.exe
  • %Start Menu%\{random}\{malware file name}.exe
  • %System Root%\{random}\{malware file name}.exe
  • %User Profile%\{random file name}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003. %Start Menu% is the current user's Start Menu folder, which is usually C:\Windows\Profiles\{user name}\Start Menu on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu on Windows NT, and C:\Windows\Start Menu or C:\Documents and Settings\{User name}\Start Menu on Windows 2000, XP, and Server 2003. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

It creates the following folders:

  • %User Profile%\{random1}

(Note: %User Profile% is the current user's profile folder, which is usually C:\Windows\Profiles\{user name} on Windows 98 and ME, C:\WINNT\Profiles\{user name} on Windows NT, and C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random} = "%User Profile%\{random1}\winlogon.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
Windows Update System = "%Application Data%\{random.exe}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Windows Update System = "%Application Data%\{random.exe}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{random file name} = "%User Profile%\{random file name}.exe"

Other System Modifications

This worm adds the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
Windows Update System = "%Application Data%\{malware file name}.exe"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Internet Explorer\Control Panel
HomePage = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Download
RunInvalidSignatures = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main = Default_Search_URL

(Note: The default value data of the said registry entry is "http://{BLOCKED}1bzn0b8ng.{BLOCKED}orio-w.com".)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Default_Page_URL = "http://{BLOCKED}1ysw3av7o.directorio-w.com"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Associations
LowRiskFileTypes = ".exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableRegistryTools = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoRun = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFile = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoFolderOptions = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%User Profile%\{random1}\winlogon.exe = "RUNASADMIN"

HKEY_CURRENT_USER\Software\Microsoft\
Windows Script Host\Settings
Enabled = "0"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\System
DisableCMD = "1"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Internet Explorer\Control Panel
HomePage = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AntiSpyWareDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
AutoUpdateDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
cval = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center
InternetSettingsDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiVirusOverride = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirewallOverride = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
FirstRunDisabled = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UpdatesDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
UacDisableNotify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Svc
AntiSpywareOverride = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Monitoring
DisableMonitoring = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Monitoring\SymantecAntiVirus
DisableMonitoring = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Security Center\Monitoring\SymantecFirewall
DisableMonitoring = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
Explorer
NoFolderOptions = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
ConsentPromptBehaviorAdmin = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
EnableLUA = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\policies\
system
PromptOnSecureDesktop = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}
Debugger = "%User Profile%\{random}\{malware file name}.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows Script Host\Settings
Enabled = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\DomainProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\WindowsFirewall\StandardProfile
EnableFirewall = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\WindowsUpdate\
AU
NoAutoRebootWithLoggedOnUsers = "1"

It modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Download
CheckExeSignatures = "No"

(Note: The default value data of the said registry entry is Yes.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Local Page = "http://{BLOCKED}c7n3830a.directorio-w.com"

(Note: The default value data of the said registry entry is {user-defined}.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://{BLOCKED}8a280nwvc.directorio-w.com"

(Note: The default value data of the said registry entry is {user-defined}.)

It deletes the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
{application name}

It deletes the following registry entries:

HKEY_CLASSES_ROOT\lnkfile
IsShortcut =

HKEY_CLASSES_ROOT\piffile
IsShortcut =

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
lnkfile
IsShortcut =

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
piffile
IsShortcut =
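
A check for a subset of the values listed above, run over `reg export` text, as an added example that is not part of the original analysis. The rule table is a selection from this page's entries; the function names, finding labels and the sample export (with the `{random}` and `{application name}` placeholders replaced by made-up names) are constructed.

```python
import re

# Constructed `reg export` text: the folder "qwrt", the file "svch0st.exe", the
# user "alice" and the target "taskmgr.exe" stand in for this page's placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"PromptOnSecureDesktop"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Documents and Settings\\alice\\qwrt\\svch0st.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qwrt"="C:\\Documents and Settings\\alice\\qwrt\\winlogon.exe"
"SoundMan"="C:\\WINDOWS\\SOUNDMAN.EXE"
'''

# (key suffix, value name, data that signals tampering), selected from this page.
# Data is compared as text so "1" and dword:00000001 are treated alike.
FIXED_RULES = [
    (r"\policies\system", "disabletaskmgr", "1"),
    (r"\policies\system", "disableregistrytools", "1"),
    (r"\policies\system", "enablelua", "0"),
    (r"\policies\microsoft\windows\system", "disablecmd", "1"),
    (r"\windowsfirewall\standardprofile", "enablefirewall", "0"),
    (r"\windowsfirewall\domainprofile", "enablefirewall", "0"),
    (r"\windows script host\settings", "enabled", "0"),
]


def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; data is normalised text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if not key or not match:
            continue
        name, rhs = match.group(1), match.group(2)
        if rhs.startswith("dword:"):
            data = str(int(rhs[6:], 16))
        elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", rhs[1:-1])  # undo \\ and \" escapes
        else:
            continue  # hex(...) and other value types are out of scope here
        yield key, name, data


def audit_reg(text):
    """Return sorted (label, key, value_name) findings for a .reg export."""
    findings = set()
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        for suffix, rule_name, bad in FIXED_RULES:
            if k.endswith(suffix) and n == rule_name and data == bad:
                findings.add(("policy-tamper", key, name))
        # A Debugger value under Image File Execution Options makes Windows
        # start that program whenever the named application is launched.
        if "\\image file execution options\\" in k and n == "debugger":
            findings.add(("ifeo-debugger", key, name))
        # The autostart entry above runs a file named winlogon.exe from the
        # user profile; the genuine binary lives in the system directory.
        if k.endswith("\\currentversion\\run"):
            exe = data.strip('"').lower()
            if exe.endswith("\\winlogon.exe") and "\\system32\\" not in exe:
                findings.add(("run-fake-winlogon", key, name))
    return sorted(findings)


if __name__ == "__main__":
    for label, key, name in audit_reg(SAMPLE_EXPORT):
        print("%-18s %s -> %s" % (label, key, name))
```

An `ifeo-debugger` finding needs review rather than automatic removal, since a `Debugger` value can also be set deliberately by an administrator or developer.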

Propagation

This worm drops copies of itself in all removable and physical drives found in the system.

It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.

The said .INF file contains the following strings:

shell\open\default=1
[AutoRun]
open={random}\{random}.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command={random}\{random}.exe
shell\open\default=1
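
A triage check for the AUTORUN.INF layout quoted above, as an added example that is not part of the original analysis: it parses the file leniently, because the quoted strings begin with a key ahead of the `[AutoRun]` header, and reports which traits are present. The function names, trait labels and sample files, where `xkqz\svc.exe` stands in for `{random}\{random}.exe`, are constructed.

```python
import re

# Constructed sample modelled on the strings quoted above; "xkqz" and "svc"
# replace the {random} placeholders and are not real indicators.
SAMPLE_INF = r"""shell\open\default=1
[AutoRun]
open=xkqz\svc.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=xkqz\svc.exe
shell\open\default=1
"""

# Constructed benign files for comparison.
INSTALLER_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"
LABEL_ONLY_INF = "[autorun]\nicon=disc.ico\nlabel=Install Disc\n"

EXEC_RE = re.compile(r"\.(exe|scr|pif|com|bat|cmd|vbs)\b", re.IGNORECASE)
LAUNCH = {"open-runs-executable", "shell-verb-runs-executable"}
DISGUISE = {"action-mimics-folder-open", "icon-from-shell32", "keys-before-section"}


def parse_autorun(text):
    """Return (entries, stray); each item is a (section, key, value) tuple.

    Keys that appear before any section header go to `stray` instead of being
    dropped, because the quoted sample starts with one.
    """
    entries, stray, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (entries if section else stray).append((section, key.lower(), value))
    return entries, stray


def triage_autorun(text):
    """Return a sorted list of trait labels found in an AUTORUN.INF body."""
    entries, stray = parse_autorun(text)
    traits = set()
    if stray:
        traits.add("keys-before-section")
    for section, key, value in entries + stray:
        if section not in (None, "autorun"):
            continue  # only the [AutoRun] section and stray keys are scored
        runs_exe = bool(EXEC_RE.search(value))
        if key in ("open", "shellexecute") and runs_exe:
            traits.add("open-runs-executable")
        elif re.fullmatch(r"shell\\[^\\]+\\command", key) and runs_exe:
            traits.add("shell-verb-runs-executable")
        elif key == "shell\\open\\default":
            traits.add("shell-open-default-set")
        elif key == "action" and "open folder" in value.lower():
            # The text copies the wording of the normal "open folder" choice.
            traits.add("action-mimics-folder-open")
        elif key == "icon" and "shell32.dll" in value.lower():
            # The icon is borrowed from a system DLL, not shipped on the drive.
            traits.add("icon-from-shell32")
    return sorted(traits)


def matches_worm_layout(text):
    """True when the file both launches an executable and disguises the launch."""
    traits = set(triage_autorun(text))
    return bool(traits & LAUNCH) and bool(traits & DISGUISE)


if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_INF), ("installer", INSTALLER_INF)):
        print(name, matches_worm_layout(body), triage_autorun(body))
```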

It sends the following messages via instant-messaging (IM) applications:

Have you seen this? lol! {URL}
olhar para esta lol! {URL}
spojrzec na lol! {URL}
vejte se na mou lol! {URL}
guardare quest lol! {URL}
You know someone tried to kill obama today!? {URL}
bekijk deze lol! {URL}
mira esta lol! {URL}
schau mal das lol! {URL}
regardez cette lol! {URL}

It sends messages that contain links to sites hosting remote copies of itself using the following instant-messaging (IM) applications:

  • Windows Live Messenger

Backdoor Routine

This worm opens the following port(s) where it listens for remote commands:

  • 6667
  • 8000

It connects to any of the following IRC server(s):

  • {BLOCKED}.{BLOCKED}.82.177

It joins any of the following IRC channel(s):

  • #Ganja

It executes the following commands from a remote malicious user:

  • clean - removes the malware from the affected system
  • ddoser - performs UDP flooding on specified ports
  • KillAv - terminates processes
  • speedtest - accesses the following URL for speedtest: http://speedtestfile.com/10mb.bin
  • update - performs malware update
  • visit - accesses a given URL to download and execute another file

Process Termination

This worm terminates the following processes if found running in the affected system's memory:

  • avp.exe
  • ccsvchst.exe
  • kaspersky.exe
  • mcafee.exe
  • norton.exe

HOSTS File Modification

This worm modifies the affected system's HOSTS files to prevent a user from accessing the following websites:


It modifies the system's HOSTS files to redirect users once the following Web site(s) are accessed:

  • 109.232.119.14 vos.symantec.com
  • 4.171.115.216 www.hacksoft.com.pe
  • 168.123.191.242 hacksoft.pe
  • 157.156.93.93 www.hacksoft.pe
  • 227.13.75.214 housecall.trendmicro.com
  • 54.208.71.159 www.trendmicro.com
  • 219.160.147.117 housecall65.trendmicro.com
  • 208.193.49.225 us.trendmicro.com
  • 22.51.32.89 blog.trendmicro.com
  • 173.178.27.34 emea.trendmicro.com
  • 81.197.104.249 housecall60.trendmicro.com
  • 70.230.5.100 jp.trendmicro.com
  • 140.88.244.220 de.trendmicro.com
  • 223.215.239.166 it.trendmicro.com
  • 131.167.60.192 itw.trendmicro.com
  • 120.199.218.231 esupport.trendmicro.com
  • 190.57.200.95 es.trendmicro.com
  • 197.176.119.220 br.trendmicro.com
  • 173.127.196.247 tw.trendmicro.com
  • 162.160.97.30 la.trendmicro.com
  • 164.18.80.150 uk.trendmicro.com
  • 59.145.76.96 ru.trendmicro.com
  • 223.165.152.122 smbstore.trendmicro.com
  • 212.198.54.161 apac.trendmicro.com
  • 26.55.36.94 store.trendmicro.com
  • 109.182.32.39 training.trendmicro.com
  • 85.134.108.253 trial.trendmicro.com
  • 75.167.10.105 ushousecall02.trendmicro.com
  • 77.25.180.225 subwiz.trendmicro.com
  • 228.219.244.170 go.trendmicro.com
  • 136.171.65.129 feeds.trendmicro.com
  • 125.204.222.236 channelpartner.trendmicro.com
  • 195.62.137.100 wtc.trendmicro.com
  • 22.189.200.45 shop.trendmicro.com
  • 186.208.21.72 fr.trendmicro.com
  • 175.241.178.111 threatinfo.trendmicro.com
  • 245.99.93.231 newsletters.trendmicro.com
  • 140.226.157.177 www.anti-virus.by
  • 48.178.233.203 bg.virusblokada.com
  • 37.23.135.242 www.vba.com.by
  • 107.68.49.107 beta.anti-virus.by
  • 190.7.113.52 www.bg.virusblokada.com
  • 98.215.189.78 www.hauri.net
  • 88.248.91.118 www.hauri.co.kr
  • 158.106.5.50 company.hauri.net
  • 53.44.69.183 www.globalhauri.com
  • 217.252.146.210 shop.hauri.co.kr
  • 206.29.47.61 hauri.co.kr
  • 20.143.218.181 pg.hauri.net
  • 103.14.25.126 esecurity.livecall.co.kr
  • 11.33.102.85 mall.hauri.co.kr
  • 0.66.191.192 company.hauri.co.kr
  • 70.112.174.56 haurijapan.com
  • 153.51.170.2 virobot.co.kr
  • 129.3.58.28 www.virusbuster.hu
  • 118.36.148.67 virusbuster.hu
  • 120.149.130.188 scanner.novirusthanks.org
  • 15.88.126.133 scanner2.novirusthanks.or
  • 179.40.14.159 novirusthanks.org
  • 169.73.104.199 www.novirusthanks.org
  • 239.187.86.63 virustotal.com
  • 66.57.82.8 www.virustotal.com
  • 42.77.159.35 virscan.org
  • 31.110.60.74 www.virscan.org
  • 33.156.43.194 virusscan.jotti.org
  • 184.95.38.139 jotti.org
  • 92.47.115.166 www.jotti.org
  • 81.79.16.17 viruschief.com
  • 151.193.255.137 www.viruschief.com
  • 234.132.251.83 scanner.virus.org
  • 142.84.71.41 virus.org
  • 131.117.229.148 www.virus.org
  • 201.230.211.13 scan4you.net
  • 96.101.207.214 www.scan4you.net
  • 4.121.27.172 avhide.com
  • 250.154.185.24 www.avhide.com
  • 64.12.167.144 anubis.iseclab.org
  • 147.138.163.89 iseclab.org
  • 55.90.240.116 www.iseclab.org
  • 44.123.141.155 threatexpert.com
  • 114.237.124.19 www.threatexpert.com
  • 197.176.119.220 forospyware.com
  • 173.127.196.247 www.forospyware.com
  • 162.160.97.30 in.answers.yahoo.com
  • 232.86.148.218 es.answers.yahoo.com
  • 127.213.144.164 kioskea.net
  • 35.233.220.190 www.kioskea.net
  • 24.10.122.229 es.kioskea.net
  • 94.123.104.162 mygeekside.com
  • 177.250.100.107 www.mygeekside.com
  • 153.202.176.65 www.tecniservicioslys.com
  • 142.235.78.173 tecniservicioslys.com
  • 145.93.248.37 virusfreezone.info
  • 40.31.56.238 www.virusfreezone.info
  • 204.239.133.197 intranet.cidiroax.ipn.mx
  • 193.16.34.48 spycheck.es
  • 7.130.205.168 www.spycheck.es
  • 90.1.12.113 antivirus.hispavista.com
  • 254.20.89.140 computing.net
  • 243.53.246.179 www.computing.net
  • 57.167.161.43 spycheck.co.uk
  • 208.38.225.245 www.spycheck.co.uk
  • 116.246.45.15 midescargas.com
  • 105.91.203.54 www.midescargas.com
  • 175.136.117.175 static.yoreparo.com
  • 2.75.181.120 softfaq.com
  • 166.27.1.146 www.softfaq.com
  • 156.60.159.186 configurarequipos.com
  • 226.174.73.118 www.configurarequipos.com
  • 121.112.137.251 seasonsecurity.com
  • 29.64.214.22 www.seasonsecurity.com
  • 18.97.115.129 removetrojanvirus.org
  • 88.211.30.249 www.removetrojanvirus.org
  • 171.82.93.194 ibusca.me
  • 79.101.170.153 www.ibusca.me
  • 68.134.3.4 busco.in
  • 138.180.242.124 www.busco.in
  • 221.119.238.70 inicioid.com
  • 197.71.126.96 www.inicioid.com

Other Details

This worm attempts to access the following websites to download files, which are possibly malicious:

  • {BLOCKED}pop.biz.tm
  • {BLOCKED}1.{BLOCKED}er1532.com
  • {BLOCKED}s1.{BLOCKED}oall.net
  • {BLOCKED}1.{BLOCKED}oall.org

NOTES:

This worm drops .LNK files in removable drives that point to a copy of itself. This is done to trick users into clicking the shortcut files and executing the malware copy. These .LNK files use the following file names:

  • Documents.lnk
  • Music.lnk
  • New Folder.lnk
  • Passwords.lnk
  • Pictures.lnk
  • Video.lnk

It also uses the names of existing folders and names of files with the following extensions:

  • .avi
  • .bmp
  • .doc
  • .gif
  • .jpe
  • .jpg
  • .mp3
  • .mp4
  • .mpg
  • .pdf
  • .png
  • .tif
  • .txt
  • .wav
  • .wma
  • .wmv
  • .xls

This routine lets the copy of the worm execute first, before the real folder or file is opened. It then changes the attributes of the original folders and files to Hidden and System to avoid early detection. It also adds the following non-malicious component files in removable drives:

  • {random file name}.ico
  • x.mpeg
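
A triage check for the shortcut routine described above, as an added example that is not part of the original analysis: given a removable drive's root listing, it flags .lnk files that share a name with a Hidden+System item or that use one of the fixed lure names. The function names, the sample listing, and the assumption that a shortcut may either keep or drop the original file's extension belong to this example, not to the write-up.

```python
import os

HIDDEN_SYSTEM = 0x2 | 0x4  # FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# Shortcut names and masqueraded extensions listed in this write-up.
LURE_NAMES = {"documents", "music", "new folder", "passwords", "pictures", "video"}
LURE_EXTS = {".avi", ".bmp", ".doc", ".gif", ".jpe", ".jpg", ".mp3", ".mp4", ".mpg",
             ".pdf", ".png", ".tif", ".txt", ".wav", ".wma", ".wmv", ".xls"}


def list_root(drive):
    """Return (name, attribute_bits) per root entry; bits read as 0 off Windows."""
    return [(e.name, getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0))
            for e in os.scandir(drive)]


def triage(entries):
    """Flag .lnk files that fit the lure pattern; returns (name, reason) pairs."""
    entries = list(entries)
    hidden = set()  # lower-cased names a shortcut could impersonate
    for name, attrs in entries:
        if attrs & HIDDEN_SYSTEM == HIDDEN_SYSTEM:
            stem, ext = os.path.splitext(name.lower())
            hidden.add(name.lower())
            if ext in LURE_EXTS:
                hidden.add(stem)  # assumption: shortcut may drop the extension
    findings = []
    for name, _ in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".lnk":
            continue
        if stem.lower() in hidden:
            findings.append((name, "shadows a Hidden+System item"))
        elif stem.lower() in LURE_NAMES:
            findings.append((name, "fixed lure name"))
    return findings


# Constructed root listing of a USB drive (not captured from a real sample).
SAMPLE = [
    ("Holiday", 0x10 | 0x2 | 0x4),     # real folder, Hidden+System set
    ("Holiday.lnk", 0x20),
    ("budget.xls", 0x20 | 0x2 | 0x4),  # real file, Hidden+System set
    ("budget.lnk", 0x20),
    ("Passwords.lnk", 0x20),
    ("setup.lnk", 0x20),               # ordinary shortcut, no hidden twin
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

On a Windows host, `triage(list_root("E:\\"))` runs the same check against a mounted drive; `E:` is a placeholder drive letter.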


  SOLUTION

Minimum Scan Engine: 9.200

Trend customers:

    Keep your pattern and scan engine files updated. Trend Micro antivirus software can clean or remove most types of computer threats. Malware, though, such as Trojans, scripts, overwriting viruses and joke programs which are identified as uncleanable, should simply be deleted.

All Internet users:

    1. Use HouseCall - the Trend Micro online threat scanner to check for malware that may already be on your PC.
    2. Catch malware/grayware before they affect your PC or network. Secure your Web world with Trend Micro products that offer the best anti-threat and content security solutions for home users, corporate users, and ISPs. Go here for more information on Trend Micro products that fit your needs.

