VirTool.Win32.VB.bh

Detected Jul 29 2004 08:14 GMT
Released Jan 31 2009 07:18 GMT
Published Jul 29 2004 08:14 GMT

Technical Details

This worm spreads via P2P networks as a PE file.

The worm itself is a Windows PE EXE file, 32 KB in size, written in Visual Basic.

Installation

When launched, the worm copies itself to the C:\Windows\System32\ directory under its current name and hides this copy.

The worm then registers this file in the system registry, to ensure that the file is launched each time Windows is started:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
    Windows = <file name>

Propagation

The worm copies itself to the following directories:

C:\My Shared Folder\
C:\Windows\My Shared Folder\
C:\Windows\Share\
C:\My Downloads\
C:\Windows\My Downloads\

DoS attacks

When launched, the worm conducts DoS attacks on the following sites:

www.microsoft.com
www.aol.com
www.yahoo.com
www.google.com

by sending packets of maximum size (64 bytes) using the ping utility.

It will only do this between 0000 and 1800 and from 1900 to 2400.

Presence in the system

If the worm is launched between 1800 and 1900 according to the local system clock, it will create a directory named Shared in the C:\ root directory, and will copy itself to this directory.
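
A triage check built from the indicators described above, as an added example that is not part of the original description: it flags a Run value named Windows whose data is a bare file name or a System32 path, then looks for the same file name in the listed P2P directories and C:\Shared. The function names, input shapes and the sample file name photoview.exe are assumptions constructed for illustration.

```python
import ntpath

# Indicators from the description above; paths are compared case-insensitively.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = "windows"
SYSTEM_DIR = r"c:\windows\system32"
DROP_DIRS = {
    r"c:\my shared folder", r"c:\windows\my shared folder", r"c:\windows\share",
    r"c:\my downloads", r"c:\windows\my downloads",
    r"c:\shared",  # only created when launched between 1800 and 1900
}

def split_path(path):
    """Return (directory, file name) of a Windows path, both lower-cased."""
    directory, name = ntpath.split(ntpath.normpath(path.strip().strip('"')))
    return directory.lower(), name.lower()

def triage(run_entries, file_paths):
    """run_entries: (key, value name, data) tuples; file_paths: full paths.
    Returns sorted (finding type, detail) tuples."""
    findings, suspects = [], set()
    for key, value_name, data in run_entries:
        if key.rstrip("\\").lower() != RUN_KEY or value_name.lower() != RUN_VALUE:
            continue
        directory, name = split_path(data)
        # Assumption: the value data is a bare file name or a System32 path.
        if name and directory in ("", SYSTEM_DIR):
            suspects.add(name)
            findings.append(("run-key", name))
    for path in file_paths:
        directory, name = split_path(path)
        if name in suspects and directory in DROP_DIRS:
            findings.append(("dropped-copy", ntpath.join(directory, name)))
    return sorted(findings)

# Constructed sample data; "photoview.exe" is a made-up file name.
SAMPLE_RUN = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "Windows", "photoview.exe"),
]
SAMPLE_FILES = [
    r"C:\My Shared Folder\photoview.exe",
    r"C:\Shared\PhotoView.exe",
    r"C:\Users\alice\Desktop\photoview.exe",   # same name, not a listed directory
    r"C:\My Downloads\setup.exe",              # listed directory, different name
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```

A copy found in C:\Shared additionally indicates that the file was launched at least once between 1800 and 1900 local time.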


VirTool

VirTool programs can be used to modify other malicious programs so that they cannot be detected by antivirus software.


Aliases

VirTool.Win32.VB.bh (Kaspersky Lab) is also known as:

  • Trojan: Generic.dx (McAfee)
  • Mal/Generic-A (Sophos)
  • Worm.Mytob.IS (ClamAV)
  • W32/VisualBasicMalware!Maximus (FPROT)
  • Virtool.27154 (BitDef7)
  • Win32:VB-BBZ [Trj] (AVAST)
  • Backdoor.Win32.MoSucker (Ikarus)
  • Win32/PEPatch (AVG)
  • TR/ATRAPS.Gen (AVIRA)
  • Suspicious.MH690 (NAV)