W32/VB-DZJ

Aliases	TR/VB.FK W32.SillyWNSE
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Protection available since	24 April 2008 01:55:53 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/VB-DZJ attempts to spread by copying itself to available network drives.

When first run W32/VB-DZJ copies itself to <System>\WinSevices.exe and creates the folder <Current Folder>\WinSevic.

Folder WinSevic contains several text files ending with the extension "pdf" e.g. "Spiderman 2.pdf", "Java Telephony.pdf". These files all contain the message:

"Please use this Link:<url> to search From Google.com".

The folder WinSevic and all the files inside the folder can be safely deleted.

The following registry entries are created to run WinSevices.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
regManager
<System>\WinSevices.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
regManager
<System>\WinSevices.exe

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/VB-DZJ

Summary

Action

More Information