Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: UNKNOWN
Payload: (not stated)
Detection files published: (not stated)
Description created: 10 Sep 2010 05:16:00
Description updated: 15 Sep 2010 05:16:00
Malware type: WORM
Aliases: Worm:Win32/Visal.B (Microsoft); Email-Worm.Win32.VBMania.a (Kaspersky); Win32/Visal.A (NOD32); WORM_MEYLME.B (TrendMicro)
Spreading mechanism: EMAIL, NETWORK
Summary

W32/Visal.A

Spreading

It sends spammed email messages with a copy of itself attached, using the Messaging Application Programming Interface (MAPI). It drops a copy of itself on removable drives together with an Autorun.INF file, so that the copy executes automatically when the drive is opened, and it drops further copies of itself into network shares.

Payload Details

W32/Visal.A drops the following copies of itself:

C:\open.exe
%Windows%\csrss.exe
%Windows%\system\updates.exe
%Windows%\{user name/system name} cv XXXX.exe

It modifies the following registry entry so that it is executed at every system start-up:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe C:\WINDOWS\csrss.exe"

It disables "Admin Approval Mode" (User Account Control) for administrators by setting:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
It adds Image File Execution Options (IFEO) "Debugger" registry entries such as the following, so that Windows launches the worm in place of the program the user intended to run:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com\Debugger: "C:\WINDOWS\csrss.exe"

As a result, Visal.A runs instead of the following programs:

00hoeav.com
0w.com
360rpt.ExE
360safe.ExE
360safebox.ExE
360tray.ExE
6fnlpetp.exe
6x8be16.cmd
a2cmd.ExE
a2free.ExE
a2service.ExE
a2upd.ExE
and some more files.
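As an added, defender-side example (not part of the Lumension description), the following Python script parses a `reg export` of the Image File Execution Options key and reports every subkey carrying a Debugger value, additionally flagging a debugger that reuses a core Windows process name from outside System32, as the csrss.exe entry above does. The sample registry text is constructed from the entry above; the list of system process names is an illustrative assumption.

```python
import ntpath
import re

# The key under which the worm plants its "Debugger" hijacks (from the entry above).
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Core Windows process names malware borrows; genuine copies live in %SystemRoot%\System32 (assumed, illustrative list).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "smss.exe"}

def parse_reg_export(text):
    """Minimal parser for 'reg export' (.reg) text: key path -> {value name: value}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, value = m.groups()
            if value.startswith('"') and value.endswith('"'):
                # REG_SZ: drop the quotes and undo the doubled backslashes of .reg syntax
                value = value[1:-1].replace("\\\\", "\\")
            keys[current][name] = value
    return keys

def find_ifeo_hijacks(reg_text):
    """Report each IFEO subkey with a Debugger value; flag system-process names outside System32."""
    prefix = IFEO_KEY.lower() + "\\"
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().startswith(prefix) or "Debugger" not in values:
            continue
        debugger = values["Debugger"]
        exe = ntpath.basename(debugger).lower()
        in_system32 = ntpath.dirname(debugger).lower().endswith("\\system32")
        findings.append({"target": key[len(prefix):], "debugger": debugger,
                         "masquerade": exe in SYSTEM_PROCESS_NAMES and not in_system32})
    return findings

# Constructed sample export: the hijack documented above, a second target from the
# list, and a benign IFEO subkey (GlobalFlag only) that must not be reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
"Debugger"="C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE]
"Debugger"="C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''
```

Run `find_ifeo_hijacks(open("ifeo.reg", encoding="utf-16").read())` on a real export (reg export writes UTF-16) to audit a live host.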

It deletes the following registry key in order to turn off Windows Automatic Updates (the wuauserv service):

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv

It then empties the hosts file, normally located at:

%System%\drivers\etc\hosts
Propagation via removable drives

W32/Visal.A drops copies of itself on all removable drives together with an AUTORUN.INF file that executes the dropped copy automatically. The autorun file contains:

[autorun]
open=open.exe
icon=%windir%\system32\shell32.dll,8
action=Open Drive to view files
shell\open=Open
shell\open\command=open.exe
shell\open\default=1

Propagation via network shares

Win32/Visal.A uses a VBScript file, %Windows%\vb.vbs, to spread to other computers on the network. For every accessible system it finds, it copies itself as N73.Image12.03.2009.JPG.scr into the shares for drives C: to H: and into shared folders named New Folder, print and music.

This .vbs file contains:

FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\d\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\c\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\New Folder\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\music\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\print\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\E\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\F\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\G\" & "N73.Image12.03.2009.JPG.scr"
FileCopy App.Path & "\svchost.exe", "\\" & strComp & "\H\" & "N73.Image12.03.2009.JPG.scr"

Propagation via Email

Win32/Visal.A also propagates via spammed email messages. The email looks like:

Message Body:

Hello
This is The Document I told you about, you can find it Here. - xxxxx.pdf
Please check it and reply as soon as possible.
Cheers,

Other payloads

W32/Visal.A drops some non-PE files in the %Windows% folder:

%Windows%\tryme1.exe
%Windows%\ff.exe
%Windows%\im.exe
%Windows%\pspv.exe
%Windows%\rd.exe
%Windows%\op.exe
%Windows%\re.iq
%Windows%\re.exe
%Windows%\gc.exe
%Windows%\ie.exe
%System%\SendEmail.dl

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14