W32/Vanebot-B

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Network shares Chat programs
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	24 August 2006 05:16:53 (GMT)
Last updated	24 August 2006 12:43:13 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Vanebot-B.

More Information

Summary
Action
More Information

W32/Vanebot-B is a worm for the Windows platform.

W32/Vanebot-B spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: SRVSVC (MS06-040), Psyme, PNP (MS05-039) and ASN.1 (MS04-007) and by copying itself to network shares protected by weak passwords.

W32/Vanebot-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

The worm may display the following fake error message:

Can't run on Windows
To run this file you must use an Linux emulator
Error code: (-2394)
Error discription: LLIBKCUF / File has remove his self.

W32/Vanebot-B may download updates, steal information and terminate anti-virus applications.

When first run W32/Vanebot-B copies itself to <System>\javaapplet.exe.

The following registry entries are created to run javaapplet.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
MS Java Applets for Windows NT & XP
javaapplet.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
MS Java Applets for Windows NT & XP
javaapplet.exe

The following registry entry is changed to run javaapplet.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe javaapplet.exe

(the default value for this registry entry is "Explorer.exe" which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).

W32/Vanebot-B sets the following registry entries, disabling the automatic startup of other software:

HKLM\SYSTEM\CurrentControlSet\Services\wuauserv
Start
4

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4

Note: disabling autostart for the SharedAccess service deactivates the Microsoft Internet Connection Firewall (ICF).

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Ole
EnableDCOM
N

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,javaapplet.exe

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
lmcompatibilitylevel
1

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
restrictanonymous
1

HKCU\Software\Microsoft\Windows
javaapplet
rBot v2 a.k.a. the next generation (working on winXP SP2)

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Vanebot-B

Summary

Action

More Information