
Vispat.A worm is difficult to remove

The Vispat.A worm spreads fairly quickly and makes a large number of changes to an infected computer, which makes the malware significantly harder to remove.

Vispat.A spreads via e-mail. The worm sends its own file to the addresses in the Outlook Express address book. To do so, it even creates a new Outlook Express mailbox (identity) from which to send the mail.

Vispat.A creates a large number of new registry entries and modifies existing keys or values in even more places. These changes alter a number of Windows settings and help the worm hide itself as best it can. The malware periodically launches Internet Explorer, which displays a web page and then downloads a file from the Internet.

When the Vispat.A worm starts, it performs the following actions:

1. Creates the following file:
%System%\dllconfig\cache\dllcache.exe

2. Adds the following entry to the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "dllcache.exe" = "%System%\dllconfig\cache\dllcache.exe"

3. Modifies the following entry in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "[http://]www.internet-explorer.name/"

4. Adds the following entries to the registry (the value 2 places each domain in Internet Explorer's Trusted Sites zone):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coppiastrana.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coppiastrana.com\www "*" = "0x00000002"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google-hard.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google-hard.com\www "*" = "0x00000002"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visateresa.biz
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vispateresa.biz\www "*" = "0x00000002"

5. Modifies the following entries in the registry (zone 2 is the Trusted Sites zone, and the value 0 means "enabled", so these changes switch on ActiveX, active scripting, cross-domain data access and file download for the domains added in the previous step):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "MinLevel" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "RecommendedLevel" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1001" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1004" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1200" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1201" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1400" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1402" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1405" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1406" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1407" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1609" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1800" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1803" = "0x00000000"

6. Makes the following changes to the registry (so that Windows Explorer does not show hidden files or protected operating-system files, which helps conceal the worm's own files):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "SuperHidden" = "0"

7. Creates a directory and opens Internet Explorer, which then loads a web page.

8. Modifies the following entries in the registry (this registers a new item named "Foto Brasile" under My Computer whose "Open My Menu" command launches Internet Explorer with the address http://google-hard.com):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{16C7013F-912E-42ac-AA8E-A10A180DFF51}
HKEY_CLASSES_ROOT\CLSID\{16C7013F-912E-42ac-AA8E-A10A180DFF51} "Default" = "Foto Brasile"
HKEY_CLASSES_ROOT\CLSID\{16C7013F-912E-42ac-AA8E-A10A180DFF51}\DefaultIcon "Default" = "%SystemRoot%\System32\shell32.dll,127"
HKEY_CLASSES_ROOT\CLSID\{16C7013F-912E-42ac-AA8E-A10A180DFF51}\Shell\Open My Menu "Command" = "C:\Program Files\Internet Explorer\iexplore.exe http://google-hard.com"

9. Modifies the registry to create a new mailbox (identity) in Outlook Express:
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "SpellDontIgnoreDBCS" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "MSIMN" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "StoreMigratedV5" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "ConvertedToDBX" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "Settings Upgraded" = "0x00000007"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "Running" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "Store Root" = "%UserProfile%\Local Settings\Application Data\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Microsoft\Outlook Express"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Welcome Message" = "0x00000000"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Accounts Checked" = "00 00 00 00"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Safe Attachments" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Secure Safe Attachments" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\News "Accounts Checked" = "00 00 00 00"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name "Default" = "%UserProfile%\Application Data\Microsoft\Address Book\%USERNAME%.wab"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 "OlkContactRefresh" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 "OlkFolderRefresh" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 "FirstRun" = "0x00000001"

10. Creates the following shortcuts:
%UserProfile%\Desktop\Internet Explorer.lnk
%UserProfile%\Desktop\VM18.lnk
%UserProfile%\Start Menu\Hard Explorer.lnk
%UserProfile%\Start Menu\Ultimi siti visitati.lnk

11. Downloads a file from the Internet and saves it as:
%Windows%\Downloaded Program Files\login.exe

12. Creates the following file:
%System%\scansvc\trust\mpeg-video03.exe

13. Modifies the following entry in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mpeg-video03.exe" = "%System%\scansvc\trust\mpeg-video03.exe"

14. Sends itself to the addresses in the Outlook Express address book.

Subject line of the infected e-mails:
Indagine Private

Name of the file attached to the infected e-mails:
mpeg-video00[one digit].zip
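The indicators in steps 1 to 13 can be checked on a suspect machine without modifying anything. The script below is an added example written for this page, not part of the original description; it assumes a PowerShell session with the registry provider available (an elevated prompt is needed for the HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT checks) and reports only which indicators are present.

```powershell
# Added example: read-only check for the Vispat.A indicators listed above.
# It reports findings and removes nothing; removal is a separate step.
$sys  = [Environment]::GetFolderPath('System')
$win  = [Environment]::GetFolderPath('Windows')
$prof = $env:USERPROFILE

# Files and shortcuts from steps 1, 10, 11 and 12 (the generic
# "Internet Explorer.lnk" is omitted because it exists on clean systems too).
$files = @(
    "$sys\dllconfig\cache\dllcache.exe",
    "$sys\scansvc\trust\mpeg-video03.exe",
    "$win\Downloaded Program Files\login.exe",
    "$prof\Desktop\VM18.lnk",
    "$prof\Start Menu\Hard Explorer.lnk",
    "$prof\Start Menu\Ultimi siti visitati.lnk"
)
$runValues   = @('dllcache.exe', 'mpeg-video03.exe')          # steps 2 and 13
$zoneDomains = @('coppiastrana.com', 'google-hard.com',        # step 4 (both
                 'visateresa.biz', 'vispateresa.biz')          # spellings listed)
$clsid       = '{16C7013F-912E-42ac-AA8E-A10A180DFF51}'       # step 8
$identity    = '{43AECEA6-69DE-474B-AC86-21D837FC310A}'       # step 9

$hits = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $hits += "file present: $f" }
}

$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($v in $runValues) {
    $p = Get-ItemProperty -Path $run -Name $v -ErrorAction SilentlyContinue
    if ($p) { $hits += "Run value: $v = $($p.$v)" }
}

$zm = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
foreach ($d in $zoneDomains) {
    if (Test-Path "$zm\$d") { $hits += "domain mapped into Trusted Sites zone: $d" }
}

$main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$sp = (Get-ItemProperty -Path $main -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($sp -like '*internet-explorer.name*') { $hits += "IE start page hijacked: $sp" }

if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid") { $hits += "rogue CLSID: $clsid" }
if (Test-Path "HKCU:\Identities\$identity") { $hits += "rogue Outlook Express identity: $identity" }

if ($hits.Count -eq 0) { 'No Vispat.A indicators found.' } else { $hits }
```

The HKEY_CURRENT_USER checks only cover the user running the script, so on a shared machine run it under each account, or walk the HKEY_USERS hive instead.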
