Sophos

W32/Rungbu-B

Aliases
  • Virus.Win32.VB.bp
  • WORM_VB.BOE

Summary

How it spreads
  • Email attachments
  • Infected files
  • Chat programs
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 9 October 2006 17:55:22 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for disinfecting PE executables.

Allow SAV to disinfect all detected files where possible - any files that cannot be disinfected should be deleted.

Rename all disinfected SCR files to have the same filename but a DOC extension. Where this is not possible, there may be a hidden copy of the original DOC file already in the folder, so change the attributes to unhide it.

Restore all registry entries to their defaults, as detailed in the Advanced Description.

More Information

W32/Rungbu-B is a mass-mailing worm and prepending virus for the Windows platform.

Messages sent by the worm have the following characteristics:

Subject: one of
"Read my letter for you"
"Love, for Forgiveness :->"

Message text: one of
"this was created from the deep inside my heart."
"I love u please forgive me!..."

Attachment filename:
MsWord.exe

The worm also attempts to send itself using instant messaging applications, if installed.

W32/Rungbu-B infects Microsoft Word DOC files by copying itself to the same filename but with an SCR extension, appending the DOC file to the SCR copy and then deleting the original DOC file.
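As an added example (not Sophos's disinfection tool), the following Python script carves the appended DOC back out of a .scr carrier of the kind described above. It assumes the layout the description implies, worm PE body followed by the DOC verbatim, and locates the document by its OLE2 compound-file header; the sample carrier is constructed, not taken from a real infection.

```python
"""Added example, not Sophos tooling: carve the appended DOC out of a W32/Rungbu-B
style .scr carrier. Assumed layout (from the description, unverified): PE body, then DOC."""
from pathlib import Path

MZ_MAGIC = b"MZ"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature

def looks_like_ole2_header(data: bytes, off: int) -> bool:
    """Check the fixed OLE2 header fields at `off`: major version, byte order, sector size."""
    hdr = data[off:off + 32]
    if len(hdr) < 32 or hdr[:8] != OLE2_MAGIC:
        return False
    major = int.from_bytes(hdr[0x1A:0x1C], "little")
    shift = int.from_bytes(hdr[0x1E:0x20], "little")
    return major in (3, 4) and hdr[0x1C:0x1E] == b"\xfe\xff" and shift in (9, 12)

def split_carrier(data: bytes):
    """Return (worm_body, doc_bytes) for a PE with an appended DOC, else None."""
    if not data.startswith(MZ_MAGIC):
        return None
    off = data.find(OLE2_MAGIC, 2)
    while off != -1:                       # skip chance matches inside the PE body
        if looks_like_ole2_header(data, off):
            return data[:off], data[off:]
        off = data.find(OLE2_MAGIC, off + 1)
    return None

def recover_folder(folder: Path) -> list:
    """Write <name>.doc beside each carvable .scr; an existing (possibly hidden)
    original DOC is never overwritten, matching the Action section above."""
    recovered = []
    for scr in folder.glob("*.scr"):
        target = scr.with_suffix(".doc")
        if target.exists():
            continue
        parts = split_carrier(scr.read_bytes())
        if parts is not None:
            target.write_bytes(parts[1])
            recovered.append(target)
    return recovered

def build_sample_carrier() -> bytes:
    """Constructed test data: fake MZ stub followed by a minimal OLE2 header."""
    hdr = bytearray(512)
    hdr[:8] = OLE2_MAGIC
    hdr[0x1A:0x1C] = (3).to_bytes(2, "little")    # major version 3
    hdr[0x1C:0x1E] = b"\xfe\xff"                  # little-endian byte-order mark
    hdr[0x1E:0x20] = (9).to_bytes(2, "little")    # 512-byte sectors
    return MZ_MAGIC + b"\x90" * 100 + bytes(hdr) + b"\x00" * 512
```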

W32/Rungbu-B installs itself in the following locations:

<Program Files>\philconst.exe
<Windows folder>\Downloaded Program Files\philconst.exe
<Windows folder>\MsWord.exe
<Windows folder>\setup\dllhost.com
<Windows folder>\setup\dllhost.scr
<Windows folder>\AutoRun.ini
\lsass.exe
<Windows folder>\lsass.exe
<Windows system folder>\dllhost.com

The worm sets the following registry entries in order to be run automatically:

HKCR\AVIFile\shell\open\command
""
"<Windows folder>\setup\dllhost.com" %1

(the default value for this entry is "C:\Program Files\Windows Media Player\wmplayer.exe" /Open "%L")

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
"explorer.exe "lsass.exe.exe"

(the default value for this entry is "Explorer.exe")

HKCR\piffile\shell\open\command
""
"<Windows folder>\setup\dllhost.com %1"

(the default value for this entry is "%1" %*)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
""
\lsass.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinRun
<Windows folder>\AutoRun.ini

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
""
C:\WINDOWS\System32\dllhost.com

W32/Rungbu-B sets the following registry entries in order to disguise signs of infection and complicate the recovery process.

HKCR\batfile\shell\edit\command
""
""

HKCR\comfile\shell\edit\command
""
""

HKCR\exefile\shell\edit\command
""
""

HKCR\scrfile\shell\edit\command
""
""

HKCR\artfile\shell\edit\command
""
C:\WINDOWS\System32\dllhost.com %1

HKCR\datfile\shell\edit\command
""
C:\WINDOWS\System32\dllhost.com %1

HKCR\batfile\shell\edit\command
""
C:\WINDOWS\System32\dllhost.com %1

(the default value for this entry is %SystemRoot%\System32\NOTEPAD.EXE %1)

HKCR\comfile
""
"File Folder"

(the default value for this entry is MS-DOS Application)

HKCR\comfile\DefaultIcon
""
"%SystemRoot%\System32\shell32.dll,3"

(the default value for this entry is %SystemRoot%\System32\shell32.dll,2)

HKCR\inifile\shell\open\command
""
"%1" %*

(the default value for this entry is %SystemRoot%\System32\NOTEPAD.EXE %1)

HKCR\scrfile
""
"Microsoft Word Document"

(the default value for this entry is "Screen Saver")

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt
CheckedValue
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoFolderOptions
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoRun
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Run
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The worm also creates entries beneath the following locations:

HKLM\SOFTWARE\Microsoft\Windows\System\DarkAngel\

HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\MSCrusher\
