This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum DAT: 4295 (2003-09-24)
Updated DAT: 4295 (2003-09-24)
Minimum Engine: 5.1.00
File Length: 141,824 bytes
Description Added: 2003-09-22
Description Modified: 2003-09-22
This detection is for a prepending virus that drops a Visual Basic Script file to mail itself to recipients listed in the Outlook address book.
Proactive Detection: The VBS script that is dropped in order to mail the virus is detected as VBS/Generic@MM, and has been since the 4141 DATs.
Parasitic Infection
This virus prepends itself to .EXE files on the victim machine (in the Program Files directory, and on D:, E:, F: and G:). Infected files will increase in size by 141,824 bytes.
Note: Some of the garbage files it drops (those with an .EXE extension; see below) are also "infected"! These will be detected and cleaned, leaving just the originally dropped garbage.
Mass-Mailing
The virus drops a VBS script into the user temporary folder in order to mail itself to recipients in the Outlook Address Book. For example:
C:\DOCUMENTS AND SETTINGS\USERNAME\LOCAL SETTINGS\TEMP\ECHO.VBS
Outgoing messages are constructed as follows:
Subject:
Microsoft Pack2, ;0)
Attachment:
(name of originally executed file)
Body:
Hi
This is Microsoft client server center
Check This!
Miscellaneous
The virus drops the file 123.TXT into %WinDir%. This file contains the following string:
babyv ; made of Ran
The virus also drops a copy of the originally executed file as C:\SEEYOU.RAR.
Other randomly named files are created with the following extensions:
The files merely contain a single string - their own filepath. As noted above, the virus may "infect" such garbage files (those with EXE extension)!
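A host triage check for the dropped artifacts described above, added here as an example; it is not part of the original description or of the vendor's tooling. It assumes the scan runs on the live host (so a file's stored path matches its current path), that the dropped text is single-byte encoded, and that an infected file's original content starts at offset 141,824; all function names are hypothetical.

```python
import os
from pathlib import Path

MARKER = b"babyv ; made of Ran"  # string the description says 123.TXT contains
VIRUS_LEN = 141_824              # size increase of infected files, per the description
MAX_PATH_BYTES = 1024            # a bare file path is short; ignore larger payloads

def fixed_artifacts(windir, temp_dir, drive_root):
    """Return the fixed-name dropped files from the description that exist."""
    hits = []
    marker_file = Path(windir) / "123.TXT"
    if marker_file.is_file() and MARKER in marker_file.read_bytes()[:4096]:
        hits.append(str(marker_file))
    for candidate in (Path(temp_dir) / "ECHO.VBS", Path(drive_root) / "SEEYOU.RAR"):
        if candidate.is_file():
            hits.append(str(candidate))
    return hits

def _is_own_path(data, path):
    # The garbage files hold a single string: their own file path.
    text = data.decode("latin-1").strip().strip("\x00")
    return text.lower() == str(path).lower()

def classify_garbage(path):
    """Return 'garbage', 'infected-garbage' or None for one file."""
    path = Path(path).resolve()
    size = path.stat().st_size
    with open(path, "rb") as fh:
        if 0 < size <= MAX_PATH_BYTES:
            return "garbage" if _is_own_path(fh.read(), path) else None
        if VIRUS_LEN < size <= VIRUS_LEN + MAX_PATH_BYTES:
            fh.seek(VIRUS_LEN)  # assumption: original content follows the prepended body
            return "infected-garbage" if _is_own_path(fh.read(), path) else None
    return None

def sweep(root):
    """Walk `root` and return {path: classification} for matching files."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                kind = classify_garbage(full)
            except OSError:
                continue  # unreadable or vanished file
            if kind:
                results[str(Path(full).resolve())] = kind
    return results
```

A hit from `sweep` or `fixed_artifacts` is a lead for a full scan with the engine and DAT versions listed above, not a verdict on its own.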
This virus prepends itself to other EXEs. It also drops a VBS to mail itself to recipients extracted from the Outlook Address Book.
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).