
W32/VBNA-X

Posted: November 30, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 56
First Seen: November 30, 2012
OS(es) Affected: Windows

W32/VBNA-X is a worm that uses removable drive-based devices to infiltrate new computers, apparently for the purpose of installing other malware. According to the latest analyses, SpywareRemove.com malware experts consider banking Trojans from the Zeus family to be the most likely payload from W32/VBNA-X, which uses both social engineering techniques and other methods to enable its own distribution. Although W32/VBNA-X has been in the wild for some time, recent variants of W32/VBNA-X are noted for increased hostility and particularly dangerous payloads that can be used to compromise bank accounts and other information of a highly sensitive nature. As a result, you should use appropriate measures to protect yourself from W32/VBNA-X's infection vectors and remove W32/VBNA-X infections with competent anti-malware products as soon as possible.

What's Not So Sexy About What W32/VBNA-X Does to Your PC

As a Windows-based worm, W32/VBNA-X (also identified as W32.ChangeUp or W32/Autorun.worm.aaeb) creates multiple copies of itself on any removable drive device or network-shared location. Copies of W32/VBNA-X will include EXE files with names such as 'Sexy' along with imitations of any preexisting files and folders on the drive. For example, if you have a file named 'Document.txt,' W32/VBNA-X will set the original TXT file to be Hidden (and change your file-viewing settings to conceal such files) and then create a copy of itself with the same name and icon. Naturally, incautious PC users who click on these files will infect their PCs with W32/VBNA-X.

However, SpywareRemove.com malware researchers also warn that W32/VBNA-X uses automated methods of installing itself via Autorun.inf exploits. The Autorun feature, which allows programs to launch automatically after the hard drive is accessed, has been disabled since a 2011-era patch for most versions of Windows, and W32/VBNA-X can be considered just another good reason to keep that questionable feature disabled. If Windows doesn't have the appropriate patch, W32/VBNA-X will be able to install itself right after you plug in a compromised removable device.
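The drive-side traces described above (an autorun.inf, the listed lure names, and executables that imitate items set to Hidden) can be checked with a short triage script. This is an added example, not code from the original page; it assumes a decoy is an .exe whose base name matches a hidden file or folder, and scan_drive, is_hidden and demo are hypothetical names.

```python
import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit reported by os.stat()
# File names this page lists as created on infected drives.
LISTED_NAMES = {"autorun.inf", "sexy.exe", "porn.exe", "secret.exe", "passwords.exe"}


def is_hidden(path):
    """True when the Windows Hidden attribute is set (always False elsewhere)."""
    return bool(getattr(os.stat(path), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)


def scan_drive(root, hidden=is_hidden):
    """Return sorted (reason, name) findings for the top level of a drive."""
    entries = list(Path(root).iterdir())
    hidden_names = set()
    for p in entries:
        if hidden(p):  # assumption: a decoy reuses the full name or the base name
            hidden_names |= {p.name.lower(), p.stem.lower()}
    findings = []
    for p in entries:
        if p.name.lower() in LISTED_NAMES:
            findings.append(("listed-name", p.name))
        elif (p.is_file() and p.suffix.lower() == ".exe" and not hidden(p)
              and p.stem.lower() in hidden_names):
            findings.append(("shadows-hidden-item", p.name))
    return sorted(findings)


def demo():
    """Build a constructed drive layout in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("Document.txt", "Document.exe", "Photos.exe",
                     "autorun.inf", "notes.txt", "setup.exe"):
            (root / name).write_bytes(b"")
        (root / "Photos").mkdir()
        # Stand-in for the Hidden attribute so the demo runs on any OS.
        marked = {"Document.txt", "Photos"}
        return scan_drive(root, hidden=lambda p: p.name in marked)


if __name__ == "__main__":
    for reason, name in demo():
        print(reason, name)
```

On Windows, call scan_drive with the drive root and the default is_hidden so the real Hidden attribute is read. An autorun.inf on its own is not proof of infection, since legitimate media can carry one.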

W32/VBNA-X: the Danger that's Hiding in Plain Sight

Because of W32/VBNA-X's aforementioned system changes, you also will be unable to view files that are flagged with the Hidden attribute, and this may be exploited to conceal other files and programs of either a benign or malicious nature. After W32/VBNA-X is installed by the above methods or web-based infection vectors, W32/VBNA-X also makes contact with a Command & Control server, similar to the behavior of a typical backdoor Trojan.

Currently, SpywareRemove.com malware experts have found that recent versions of W32/VBNA-X install Zeus banking Trojans. Zeus Trojans are high-level threats that use highly sophisticated attacks to steal bank account information while they defend themselves from being detected. Unlike W32/VBNA-X, W32/VBNA-X's Zeus payload doesn't display any obvious symptoms of its attacks. Hence, thorough anti-malware scans should be considered your best bet for detecting or removing either W32/VBNA-X or malware that's related to W32/VBNA-X.

Related PC threats include malicious AutoRun files (such as Mal/SillyFDC-Z, W32/AutoInf-DI, Mal/Autorun-AX or W32/SillyFDC-IP), malicious Registry entries (such as HIPS/RegMod-009) and Trojans that are related to W32/VBNA-X attacks (Mal/SillyFDC-Z, Troj/VB-GFM, Troj/Tepfer-E or W32/SillyFDC-IP).

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File name: autorun.inf
Mime Type: unknown/inf
Group: Malware file

File name: Sexy.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: Porn.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: Secret.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: Passwords.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following Registry values were newly created:

HKEY..\..\{Value}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate = 1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\"AutoRun" = "%UserProfile%\Application Data\[THREAT FILE NAME].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe, %SystemDrive%\Documents and Settings\All Users\Application Data\[THREAT FILE NAME].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ ShowSuperHidden = 0x00000000
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\ NoAutoUpdate = 0x00000001

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\%RANDOM CHARACTERS% %UserProfile%\%RANDOM CHARACTERS% /%RANDOM LETTER%
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\kyteoq
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[RANDOM CHARACTERS]
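The Registry changes listed above can be checked offline against saved output of the Windows reg query command for those keys. This is an added example, not code from the original page; the sample text is constructed, the file name example.exe and the user alice are placeholders, and parse_reg_query and findings are hypothetical names.

```python
import re

# Constructed `reg query` output for illustration (not captured from a host).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe, C:\Documents and Settings\All Users\Application Data\example.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    example    REG_SZ    C:\Users\alice\example.exe /x
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" --background
"""
VALUE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
# A file directly in the profile root followed by a one-letter switch.
PROFILE_RUN = re.compile(
    r'^"?[a-z]:\\(?:users|documents and settings)\\[^\\]+\\[^\\/"]+"?\s+/[a-z]$')
# Listed DWORD settings; both also occur on clean or managed hosts.
WEAK = {(r"\windowsupdate\au", "noautoupdate"): 1, (r"\explorer\advanced", "showsuperhidden"): 0}

def parse_reg_query(text):
    """Yield (key, value_name, type, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        m = VALUE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2), m.group(3).strip()
        elif line.startswith("HKEY_"):
            key = line.strip()

def findings(text):
    """Return sorted (strength, key_name, value_name) hits for the listed changes."""
    hits = []
    for key, name, kind, data in parse_reg_query(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        weak = any(k.endswith(s) and n == v and kind == "REG_DWORD"
                   and int(d, 16) == want for (s, v), want in WEAK.items())
        strong = (
            (k.endswith(r"\winlogon") and n == "shell" and d != "explorer.exe")
            or (k.endswith(r"\command processor") and n == "autorun" and ".exe" in d)
            or (k.endswith(r"\currentversion\run") and bool(PROFILE_RUN.match(d))))
        if strong or weak:
            hits.append(("strong" if strong else "weak", key.rsplit("\\", 1)[-1], name))
    return sorted(hits)

if __name__ == "__main__":
    print(*findings(SAMPLE), sep="\n")
```

A "weak" hit alone does not indicate infection; it matters when it appears together with a "strong" hit such as a Winlogon Shell value that names anything beyond Explorer.exe.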