W32/VBNA-X
Posted: November 30, 2012
| Threat Level: | 2/10 |
|---|---|
| Infected PCs: | 56 |
| First Seen: | November 30, 2012 |
| OS(es) Affected: | Windows |
W32/VBNA-X is a worm that uses removable drive-based devices to infiltrate new computers, apparently for the purpose of installing other malware. According to the latest analyses, SpywareRemove.com malware experts consider banking Trojans from the Zeus family to be the most likely payload from W32/VBNA-X, which uses both social engineering techniques and other methods to enable its own distribution. Although W32/VBNA-X has been in the wild for some time, recent variants of W32/VBNA-X are noted for increased hostility and particularly dangerous payloads that can be used to compromise bank accounts and other information of a highly sensitive nature. As a result, you should use appropriate measures to protect yourself from W32/VBNA-X's infection vectors and remove W32/VBNA-X infections with competent anti-malware products as soon as possible.
What's Not So Sexy About What W32/VBNA-X Does to Your PC
As a Windows-based worm, W32/VBNA-X (also identified as W32.ChangeUp or W32/Autorun.worm.aaeb) creates multiple copies of itself on any removable drive device or network-shared location. Copies of W32/VBNA-X will include EXE files with names such as 'Sexy' along with imitations of any preexisting files and folders on the drive. For example, if you have a file named 'Document.txt,' W32/VBNA-X will set the original TXT file to be Hidden (and change your file-viewing settings to conceal such files) and then create a copy of itself with the same name and icon. Naturally, incautious PC users who click on these files will infect their PCs with W32/VBNA-X.
However, SpywareRemove.com malware researchers also warn that W32/VBNA-X uses automated methods of installing itself via Autorun.inf exploits. The Autorun feature, which allows programs to launch automatically after the hard drive is accessed, has been disabled since a 2011-era patch for most versions of Windows, and W32/VBNA-X can be considered just another good reason to keep that questionable feature disabled. If Windows doesn't have the appropriate patch, W32/VBNA-X will be able to install itself right after you plug in a compromised removable device.
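A defender can check a mounted removable drive for the traces described above. The following is an added example, not code from SpywareRemove.com or any vendor: it flags an autorun.inf in the drive root, the lure file names listed on this page, and EXE files whose base name matches another file or folder in the same directory. Matching on the base name is an assumption about how the imitation appears on disk, and the sample tree is constructed.

```python
import os
import tempfile

# Lure names listed under "File System Modifications" on this page.
LURE_NAMES = {"sexy.exe", "porn.exe", "secret.exe", "passwords.exe"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit; not reported on other OSes


def is_hidden(path):
    """True if the Windows Hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root):
    """Return sorted (relative_path, reason) findings for a mounted drive."""
    findings = []
    for folder, dirs, files in os.walk(root):
        # Base name -> original entry, for folders and non-EXE files here.
        twins = {d.lower(): d for d in dirs}
        twins.update({os.path.splitext(f)[0].lower(): f
                      for f in files if not f.lower().endswith(".exe")})
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root)
            low = name.lower()
            stem = os.path.splitext(low)[0]
            if low == "autorun.inf" and folder == root:
                findings.append((rel, "autorun.inf in drive root"))
            elif low in LURE_NAMES:
                findings.append((rel, "lure file name from this page"))
            elif low.endswith(".exe") and stem in twins:
                note = "hidden " if is_hidden(os.path.join(folder, twins[stem])) else ""
                findings.append((rel, f"EXE shadows {note}entry '{twins[stem]}'"))
    return sorted(findings)


def build_sample_drive():
    """Constructed sample tree standing in for a removable drive."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.mkdir(os.path.join(root, "Photos"))
    for name in ("autorun.inf", "Sexy.exe", "Document.txt", "Document.exe",
                 "Photos.exe", "setup.exe", "notes.txt"):
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    for rel, reason in scan_drive(build_sample_drive()):
        print(f"{rel}: {reason}")
```

A legitimate autorun.inf or a program that shares a name with a document will also be reported, so treat the output as a list to review rather than a verdict.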
W32/VBNA-X: the Danger that's Hiding in Plain Sight
Because of W32/VBNA-X's aforementioned system changes, you also will be unable to view files that are flagged with the Hidden attribute, and this may be exploited to conceal other files and programs of either a benign or malicious nature. After W32/VBNA-X is installed by the above methods or web-based infection vectors, W32/VBNA-X also makes contact with a Command & Control server, similar to the behavior of a typical backdoor Trojan.
Currently, SpywareRemove.com malware experts have found that recent versions of W32/VBNA-X install Zeus banking Trojans. Zeus Trojans are high-level threats that use highly-sophisticated attacks to steal bank account information while they defend themselves from being detected. Unlike W32/VBNA-X, W32/VBNA-X's Zeus payload doesn't display any obvious symptoms of its attacks. Hence, thorough anti-malware scans should be considered your best bet for detecting or removing either W32/VBNA-X or malware that's related to W32/VBNA-X.
Related PC threats include malicious AutoRun files (such as Mal/SillyFDC-Z, W32/AutoInf-DI, Mal/Autorun-AX or W32/SillyFDC-IP), malicious Registry entries (such as HIPS/RegMod-009) and Trojans that are related to W32/VBNA-X attacks (Mal/SillyFDC-Z, Troj/VB-GFM, Troj/Tepfer-E or W32/SillyFDC-IP).
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

autorun.inf
File name: autorun.inf
Mime Type: unknown/inf
Group: Malware file

Sexy.exe
File name: Sexy.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Porn.exe
File name: Porn.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Secret.exe
File name: Secret.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Passwords.exe
File name: Passwords.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Registry Modifications
HKEY..\..\{Value}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\"AutoRun" = "%UserProfile%\Application Data\[THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, %SystemDrive%\Documents and Settings\All Users\Application Data\[THREAT FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ShowSuperHidden = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ NoAutoUpdate = 0x00000001

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\%RANDOM CHARACTERS% %UserProfile%\%RANDOM CHARACTERS% /%RANDOM LETTER%
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kyteoq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS]
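The registry values listed above can be turned into a triage check over values already collected from a machine. This is an added example, not SpyHunter's or SpywareRemove.com's logic: the sample data, the severity labels and the exact shape of the Run pattern are assumptions, and the file name example.exe stands in for the page's [THREAT FILE NAME].

```python
import re

# Run data shaped like the page's entry: a file directly under the user profile
# followed by a single-letter switch (expanded or unexpanded path; assumption).
RUN_PATTERN = re.compile(
    r"^(%userprofile%|[a-z]:\\(users|documents and settings)\\[^\\]+)\\[^\\]+ /[a-z]$",
    re.IGNORECASE)

# Constructed sample: (key path, value name) -> data, as collected from a host.
SAMPLE = {
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r"Explorer.exe, C:\Documents and Settings\All Users\Application Data\example.exe",
    (r"HKCU\Software\Microsoft\Command Processor", "AutoRun"): "",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "kyteoq"):
        r"C:\Users\alice\kyteoq.exe /q",
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive"):
        r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    (r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate"): 1,
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden"): 0,
}


def audit(values):
    """Return a list of (severity, message) findings for collected registry values."""
    findings = []
    for (key, name), data in values.items():
        k, n = key.lower(), name.lower()
        text = str(data).strip()
        if k.endswith(r"\winlogon") and n == "shell":
            # The stock value names only Explorer; anything appended also starts at logon.
            parts = [p.strip().lower() for p in text.split(",") if p.strip()]
            if parts != ["explorer.exe"]:
                findings.append(("high", f"Winlogon Shell altered: {text}"))
        elif k.endswith(r"\command processor") and n == "autorun" and text:
            findings.append(("high", f"cmd.exe AutoRun set: {text}"))
        elif k.endswith(r"\currentversion\run") and RUN_PATTERN.match(text):
            findings.append(("high", f"Run entry '{name}' matches worm pattern: {text}"))
        elif k.endswith(r"\windowsupdate\au") and n == "noautoupdate" and data == 1:
            # Also set by legitimate update-management policy, so medium only.
            findings.append(("medium", "automatic updates disabled by policy"))
        elif k.endswith(r"\explorer\advanced") and n == "showsuperhidden" and data == 0:
            # 0 is also the Windows default; useful only alongside other findings.
            findings.append(("info", "protected system files hidden"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```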