Systweak Spyware Library
Systweak Spyware Library text
More than 1309737 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Worm-IM.vb.bl Analysis Report
Threat Submitted On: 3/5/2008 3:38:49 PM
Threat Analysed On: 3/5/2008 8:38:49 PM
Threat Updated On: 11/15/2009 5:09:36 AM
Type : Worm-IM
Symptoms of vb.bl
  • Spreads through Instant Messaging.
  • Sends itself to the Contact lists of the IM.
  • The users can sometimes be duped to accept the message due to the social engineering techniques adopted by the worm.
Information
Alias : im-worm.win32.vb.bl
Md5 Hash : [0b696f9bab37ee4bcd05d493449e8157]
File Size : (25600 bytes)

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: msxrs.exe
Path : %windir%
Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
05a4ec4352a9116292e4e366c5cc878d ( 25088 bytes)
0b696f9bab37ee4bcd05d493449e8157 ( 25600 bytes)
85170994b7a5f8477aaa2bd03cf9dcad ( 26624 bytes)
8bf848c47096393a5384f41927817a45 ( 16376 bytes)
979eba66722be1b472e5b51559a19c79 ( 26624 bytes)
9989d119878df81e874f25ffd97a48a3 ( 25602 bytes)
abd01f2d559edd4d2418cd3c45c5b396 ( 25600 bytes)
c128c192d9ba1742fdae226be1c61593 ( 25600 bytes)
f03a45e6cd1100f10961adea8bec9ea7 ( 16888 bytes)
File: [randomname].exe
Path : %workingdir%
Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
05a4ec4352a9116292e4e366c5cc878d ( 25088 bytes)
0b696f9bab37ee4bcd05d493449e8157 ( 25600 bytes)
85170994b7a5f8477aaa2bd03cf9dcad ( 26624 bytes)
8bf848c47096393a5384f41927817a45 ( 16376 bytes)
979eba66722be1b472e5b51559a19c79 ( 26624 bytes)
9989d119878df81e874f25ffd97a48a3 ( 25602 bytes)
abd01f2d559edd4d2418cd3c45c5b396 ( 25600 bytes)
c128c192d9ba1742fdae226be1c61593 ( 25600 bytes)
f03a45e6cd1100f10961adea8bec9ea7 ( 16888 bytes)
Also creates the following files on user's System which are also created by Genuine Software :-
Note:
These file(s) can be kept as they are also created by genuine Software.
File : [RandomName].exe
Path : %workingdir%
Md5Hash :0b696f9bab37ee4bcd05d493449e8157 ( 25600 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
identity ordinal = "[reg_dword, value: 00000001]"
|__ Value Added :
ldap timeout = "[reg_dword, value: 0000003c]"
|__ Value Added :
javascriptmsxrs = "%windir%\msxrs.exe"
Also creates the following legitmate Registries on user's Systems which are also created by Genuine Software :-
Note:
These Keys can be kept as they are also created by genuine Software
The following Registry Values are added to the provided Registry Keys which are also created by Genuine Software :-
Note:
These Values can be left as they are also created by legitimate Software :-
|__ Value Added :
identity ordinal
|__ Value Added :
default ldap account
Creates the Following MUTEX(s) on user's System:-
uxa8paya
msident logon

NOTE:

1. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.

Microsoft Gold Certified Partner

© Systweak Inc., 1999-2009 All rights reserved.