Win32:VB-CD alias Kamasutra
The worm Win32:VB-CD [Wrm] or Win32:VB-CD2 [Wrm] is a mail worm also known as Nyxem-E, Blackmal-F, MyWife-D or Grew, or (perhaps locally, and usually in the news) as Kamasutra.
This worm spreads by e-mail and by network shares. It kills the processes of miscellaneous antivirus and security programs and deletes their files. The worm is destructive: it tries to delete files of certain types on the 3rd day of every month.
When executed, the worm creates one of the listed files:
- %windows%\Rundll16.exe
- %system%\New winzip file.exe
- %system%\sample.zip
- %system%\winzip_tmp.exe
and the files:
- %system%\scanregw.exe
- %system%\update.exe
- %system%\sample.zip
- %system%\winzip.exe
The worm is autostarted with Windows using the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Its item "ScanRegistry" has the value "%System%\scanregw.exe /scan".
The worm collects e-mail addresses from documents on the infected computer. The infected mail has one of these subjects:
- *Hot Movie*
- A Great Video
- Arab sex DSC-00465.jpg
- eBook.pdf
- Fuckin Kama Sutra pics
- Fw:
- Fw: DSC-00465.jpg
- Fw: Funny :)
- Fw: Picturs
- Fw: Sexy
- Fwd: image.jpg
- Fwd: Photo
- give me a kiss
- Miss Lebanon 2006
- My photos
- Part 1 of 6 Video clipe
- Re:
- Re: Sex Video
- School girl fantasies gone bad
- The Best Videoclip Ever
- the file
- Word file
- You Must View This Videoclip!
The infected attachment is in the file named
- 007.pif
- 04.pif
- 677.pif
- document.pif
- DSC-00465.Pif
- eBook.PIF
- image04.pif
- New_Document_file.pif
- photo.pif
- School.pif
Sometimes, the attachment is MIME encoded and uses one of the names
- 3.92315089702606E02.UUE
- Attachments00.HQX
- Attachments001.BHX
- Attachments[001].B64
- eBook.Uu
- Original Message.B64
- SeX.mim
- Sex.mim
- Video_part.mim
- WinZip.BHX
- Word_Document.hqx
- Word_Document.uu
In such a case, a special tool is needed to unpack and execute the worm.
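A mail-gateway check built from the attachment names listed above, as an added example that is not part of the original description. The extension-based rules go beyond the exact names on this page and are an assumption, as are the function names and the constructed sample message.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names exactly as listed on this page (compared case-insensitively).
PIF_NAMES = {"007.pif", "04.pif", "677.pif", "document.pif", "dsc-00465.pif",
             "ebook.pif", "image04.pif", "new_document_file.pif", "photo.pif",
             "school.pif"}
ENCODED_NAMES = {"3.92315089702606e02.uue", "attachments00.hqx",
                 "attachments001.bhx", "attachments[001].b64", "ebook.uu",
                 "original message.b64", "sex.mim", "video_part.mim",
                 "winzip.bhx", "word_document.hqx", "word_document.uu"}
# Generalization (assumption): treat these extensions as suspicious by themselves.
ENCODED_EXTS = {".uue", ".hqx", ".bhx", ".b64", ".uu", ".mim"}


def flag_attachments(raw: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for each attachment worth quarantining."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Drop any path prefix and the trailing dots/spaces that Windows ignores.
        base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
        ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
        if base in PIF_NAMES or base in ENCODED_NAMES:
            hits.append((name, "listed name"))
        elif ext == ".pif":
            hits.append((name, "executable .pif"))
        elif ext in ENCODED_EXTS:
            hits.append((name, "encoded container"))
    return hits


def build_sample(filename: str) -> bytes:
    """Constructed test message carrying a harmless placeholder payload."""
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "My photos", "a@example.test", "b@example.test"
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("DSC-00465.Pif", "holiday.PIF", "notes.b64", "report.txt"):
        print(fn, flag_attachments(build_sample(fn)))
```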
On the 3rd day of every month, the worm tries to delete data files with the extensions *.dmp, *.doc, *.mdb, *.mde, *.pdf, *.pps, *.ppt, *.psd, *.rar, *.xls, *.zip.
avast! with a VPS file dated on or after 17th January 2006 is able to detect this worm.








