Vispat.A worm is difficult to remove
The Vispat.A worm spreads fairly quickly and makes a large number of changes to infected computers, which makes the malware considerably harder to remove.
Vispat.A spreads via e-mail. The worm mails a copy of its own file to the addresses in the Outlook Express address book. To make this work it even creates a new Outlook Express identity (mailbox) from which to send the messages.
Vispat.A creates many new registry entries and modifies existing keys and values in even more places. These changes alter Windows settings (among them the Explorer options that would reveal its hidden files) and weaken Internet Explorer's security for the worm's own domains. The malware also periodically launches Internet Explorer, which displays a web page and then downloads a file from the web.
When the Vispat.A worm starts, it performs the following actions:
1. Creates the following file:
%System%\dllconfig\cache\dllcache.exe
2. Adds the following registry entry so that it is started at every logon:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "dllcache.exe" = "%System%\dllconfig\cache\dllcache.exe"
3. Modifies the following registry entry (the Internet Explorer start page):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "[http://]www.internet-explorer.name/"
4. Adds the following registry entries. Each one places a domain in Internet Explorer's Trusted Sites zone (zone 2) for all protocols ("*" = 0x00000002):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coppiastrana.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\coppiastrana.com\www "*" = "0x00000002"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google-hard.com
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google-hard.com\www "*" = "0x00000002"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\visateresa.biz
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\vispateresa.biz\www "*" = "0x00000002"
5. Modifies the following entries of the Trusted Sites zone (zone 2). For the numbered URL actions the value 0x00000000 means Enabled (no prompt), so for the domains added in step 4 this turns on downloading and running signed and unsigned ActiveX controls (1001, 1004, 1200, 1201, 1405), active scripting and Java applet scripting (1400, 1402), cross-domain data access (1406), paste via script (1407), mixed content (1609), installation of desktop items (1800) and file download (1803). MinLevel and RecommendedLevel, which normally hold the zone's template level, are zeroed as well:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "MinLevel" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "RecommendedLevel" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1001" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1004" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1200" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1201" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1400" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1402" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1405" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1406" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1407" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1609" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1800" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 "1803" = "0x00000000"
6. Changes the following Explorer folder-view settings so that hidden and protected system files are not displayed, which keeps the worm's own directories out of sight:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "SuperHidden" = "0"
7. Creates a directory and opens Internet Explorer, which then loads a web page.
8. Adds the following registry entries. They register a shell namespace object named "Foto Brasile" under My Computer whose "Open My Menu" command launches Internet Explorer on one of the worm's domains:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{16C7013F-912E-42ac-AA8E-A10A180DFF51}
HKEY_CLASSES_ROOT\CLSID\{16C7013F-912E-42ac-AA8E-A10A180DFF51} "(Default)" = "Foto Brasile"
HKEY_CLASSES_ROOT\CLSID\{16C7013F-912E-42ac-AA8E-A10A180DFF51}\DefaultIcon "(Default)" = "%SystemRoot%\System32\shell32.dll,127"
HKEY_CLASSES_ROOT\CLSID\{16C7013F-912E-42ac-AA8E-A10A180DFF51}\Shell\Open My Menu "Command" = "C:\Program Files\Internet Explorer\iexplore.exe http://google-hard.com"
9. Modifies the registry to create a new Outlook Express identity (mailbox), which it later uses to send mail. The WAB entries point the Windows Address Book at the user's .wab file, which the worm reads for recipient addresses in step 14:
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "SpellDontIgnoreDBCS" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "MSIMN" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "StoreMigratedV5" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "ConvertedToDBX" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "Settings Upgraded" = "0x00000007"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "Running" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0 "Store Root" = "%UserProfile%\Local Settings\Application Data\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Microsoft\Outlook Express"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Welcome Message" = "0x00000000"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Accounts Checked" = "00 00 00 00"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Safe Attachments" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\Mail "Secure Safe Attachments" = "0x00000001"
HKEY_CURRENT_USER\Identities\{43AECEA6-69DE-474B-AC86-21D837FC310A}\Software\Microsoft\Outlook Express\5.0\News "Accounts Checked" = "00 00 00 00"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name "(Default)" = "%UserProfile%\Application Data\Microsoft\Address Book\%USERNAME%.wab"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 "OlkContactRefresh" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 "OlkFolderRefresh" = "0x00000000"
HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4 "FirstRun" = "0x00000001"
10. Creates the following shortcuts (.lnk files):
%UserProfile%\Desktop\Internet Explorer.lnk
%UserProfile%\Desktop\VM18.lnk
%UserProfile%\Start Menu\Hard Explorer.lnk
%UserProfile%\Start Menu\Ultimi siti visitati.lnk
11. Downloads a file from the Internet and saves it as:
%Windows%\Downloaded Program Files\login.exe
12. Creates the following file:
%System%\scansvc\trust\mpeg-video03.exe
13. Adds the following registry entry as a second autorun:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mpeg-video03.exe" = "%System%\scansvc\trust\mpeg-video03.exe"
14. Mails itself to the addresses in the Outlook Express address book.
Subject of the infected message:
Indagine Private (Italian, roughly "Private Investigation")
Name of the attached file:
mpeg-video00[one digit].zip
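As an added example, not part of the original write-up, the following PowerShell script checks a host for the indicators listed in steps 1 to 13 and, when run with -Remediate, removes the ones the worm created. It assumes the paths, value names and GUIDs exactly as listed above and uses only the standard registry and file cmdlets. It deliberately does not rewrite the zone 2 security settings, because their defaults differ between Internet Explorer versions; it only reports them. Preserve copies of the dropped files (in particular the downloaded login.exe, whose content the write-up does not describe) before remediating, and run from an elevated prompt so that the HKLM and HKCR keys can be deleted.

```powershell
# Added triage/cleanup example for the Vispat.A indicators in this write-up (not the
# original page's code). Checks the named artefacts and, with -Remediate, removes them.
# Run as the infected user from an elevated prompt. Zone 2 (Trusted Sites) settings are
# reported but not rewritten: reset them via Internet Options > Security > Reset all zones.
param([switch]$Remediate)

$System   = "$env:SystemRoot\System32"
$Clsid    = '{16C7013F-912E-42ac-AA8E-A10A180DFF51}'
$Identity = '{43AECEA6-69DE-474B-AC86-21D837FC310A}'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$IeMain   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$ZoneMap  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Zone2    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$Files = @(
    "$System\dllconfig\cache\dllcache.exe",
    "$System\scansvc\trust\mpeg-video03.exe",
    "$env:SystemRoot\Downloaded Program Files\login.exe",
    "$env:USERPROFILE\Desktop\Internet Explorer.lnk",
    "$env:USERPROFILE\Desktop\VM18.lnk",
    "$env:USERPROFILE\Start Menu\Hard Explorer.lnk",
    "$env:USERPROFILE\Start Menu\Ultimi siti visitati.lnk"
)
$RunValues = 'dllcache.exe', 'mpeg-video03.exe'
# The write-up spells the third domain both ways, so both are checked.
$Domains   = 'coppiastrana.com', 'google-hard.com', 'visateresa.biz', 'vispateresa.biz'
$Keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "HKCU:\Identities\$Identity"
)
# IE URL actions the worm sets to 0 (= Enabled) in the Trusted Sites zone.
$UrlActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
    '1405' = 'Script ActiveX controls marked safe for scripting'
    '1406' = 'Access data sources across domains'
    '1407' = 'Allow paste operations via script'
    '1609' = 'Display mixed content'
    '1800' = 'Installation of desktop items'
    '1803' = 'File download'
}

$Findings = New-Object System.Collections.Generic.List[string]
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) { $Findings.Add("file      $f") }
}
foreach ($v in $RunValues) {
    if (Get-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue) { $Findings.Add("autorun   $v") }
}
foreach ($d in $Domains) {
    if (Test-Path "$ZoneMap\$d") { $Findings.Add("trusted   $d") }
}
foreach ($k in $Keys) {
    if (Test-Path $k) { $Findings.Add("regkey    $k") }
}
$start = (Get-ItemProperty -Path $IeMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -match 'internet-explorer\.name') { $Findings.Add("startpage $start") }
# Several of these actions are Enabled by default in Trusted Sites, so treat them as
# supporting evidence only; the dropped files and Run values are the primary indicators.
foreach ($id in $UrlActions.Keys) {
    $p = Get-ItemProperty -Path $Zone2 -Name $id -ErrorAction SilentlyContinue
    if ($p -and $p.$id -eq 0) { $Findings.Add("zone2     $id ($($UrlActions[$id])) = Enabled") }
}

if (-not $Findings.Count) { Write-Host 'No Vispat.A indicators found.'; return }
$Findings | ForEach-Object { Write-Host $_ }

if ($Remediate) {
    # Kill the resident copies first, otherwise the file deletions fail with a sharing violation.
    Stop-Process -Name 'dllcache', 'mpeg-video03' -Force -ErrorAction SilentlyContinue
    foreach ($v in $RunValues) { Remove-ItemProperty -Path $RunKey -Name $v -ErrorAction SilentlyContinue }
    foreach ($d in $Domains)   { Remove-Item -Path "$ZoneMap\$d" -Recurse -Force -ErrorAction SilentlyContinue }
    foreach ($k in $Keys)      { Remove-Item -Path $k -Recurse -Force -ErrorAction SilentlyContinue }
    foreach ($f in $Files)     { Remove-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue }
    Set-ItemProperty -Path $IeMain -Name 'Start Page' -Value 'about:blank'
    # Undo the folder-view change so the dropped directories are visible again (1 = show hidden files).
    Set-ItemProperty -Path $Advanced -Name 'Hidden' -Value 1 -Type DWord
    Set-ItemProperty -Path $Advanced -Name 'ShowSuperHidden' -Value 1 -Type DWord
    Write-Host 'Artefacts removed. Reset the Trusted Sites zone level via Internet Options before reconnecting.'
}
```

Run it once without -Remediate to record what is present, then again with -Remediate. Because the worm's Run entries live under HKEY_CURRENT_USER, every profile on a shared machine has to be checked separately; the Identities key and the ZoneMap entries are likewise per user, while the NameSpace and CLSID keys are machine-wide and only need removing once.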