VB.a


VB.a is a riskware worm, meaning that the worm blocks certain executables from being run.

Transmission

The worm spreads through MSN Messenger. When the user launches the worm, it drops a copy of itself into the C:\ directory under one of the following names:

Drunk_lol.pif
love_me.pif 
naked_party.pif
sexy_bedroom.pif
Webcam_004.pif

It will also drop Backdoor.Win32.rbotfly into the Windows directory:

adaware.exe
lexplore.exe
VB6.EXE
Win32.exe

It will register this .exe into the System Registry to ensure it always starts on system bootup. See Payload for further details.
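The following triage sketch is an added example, not part of the original article: it checks a file listing and a set of autostart entries against the file names and drop locations listed above. The article does not name the registry key used, so autostart entries are assumed to be supplied as a mapping of value name to command line; the function names and all sample data are constructed.

```python
import ntpath
import re

# File names as listed in the article; compared case-insensitively.
WORM_NAMES = {"drunk_lol.pif", "love_me.pif", "naked_party.pif",
              "sexy_bedroom.pif", "webcam_004.pif"}
BACKDOOR_NAMES = {"adaware.exe", "lexplore.exe", "vb6.exe", "win32.exe"}

def classify_path(path, windir=r"C:\Windows"):
    """Label a path only when both the name and the drop location match."""
    folder, name = ntpath.split(ntpath.normpath(path.strip()).lower())
    if name in WORM_NAMES and folder == "c:\\":
        return "worm-copy"          # listed .pif directly in the root of C:
    if name in BACKDOOR_NAMES and folder == ntpath.normpath(windir).lower():
        return "backdoor-copy"      # listed .exe directly in the Windows directory
    return None

def exe_from_command(cmd):
    """Extract the executable path from an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path followed by arguments
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|pif))(?:\s|$)", cmd, re.I)  # unquoted, may contain spaces
    return m.group(1) if m else cmd

def scan(file_paths, autoruns):
    """Return (label, item) findings for a file listing and autostart entries."""
    findings = [(classify_path(p), p) for p in file_paths if classify_path(p)]
    for value_name, cmd in autoruns.items():
        label = classify_path(exe_from_command(cmd))
        if label:
            findings.append(("autorun->" + label, value_name))
    return findings

# Constructed sample data (not taken from a real host).
SAMPLE_FILES = [
    r"C:\Drunk_lol.pif",
    r"C:\WINDOWS\lexplore.exe",
    r"C:\Program Files\Example\adaware.exe",   # same name, different folder: ignored
    r"C:\Users\a\Downloads\love_me.pif",       # same name, not in the C: root: ignored
]
SAMPLE_AUTORUNS = {
    "Updater": r'"C:\Windows\Win32.exe" -s',
    "Browser": r"C:\Program Files\Internet Explorer\iexplore.exe",
}

if __name__ == "__main__":
    for label, item in scan(SAMPLE_FILES, SAMPLE_AUTORUNS):
        print(f"{label:24} {item}")
```

Matching on name and folder together keeps a file that merely shares one of the listed names elsewhere on disk from being flagged; pass a different `windir` for systems where the Windows directory is not `C:\Windows`.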

Payload

The worm will behave similarly to a rogue antivirus, blocking access to both Command Prompt and Task Manager. It will also prevent access to right-click menus, so said executables cannot be renamed.

Spreading Routine

The user will receive the file in ".pif" format through MSN, under one of the file names listed in Transmission.

Anti-Virus Aliases

  • SOPHOS: Troj/Banker-ENZ
  • NOD32: Win32/VB.NRX trojan
  • Bit Defender: Application.WebServer.A
  • Avast!: Win32:Trojan-gen
  • Ikarus: not-a-virus:Server-Web.Win32.VB
  • AVIRA: SPR/Tool.WebServer.A
  • NAV: Adware.Gen
  • FSecure: not-a-virus:Server-Web.Win32.VB.a
