
Virus Detail

Win32/Veebuu.BD

Date Published:
21 Oct 2009

Last Updated:
21 Oct 2009

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  Low

Characteristics

Type : Worm

Category : Win32

Also known as:  WORM_JER.A (Trend), W32.SillyDC (Symantec), W32/VB-DOC (Sophos), W32/Virut.n (McAfee), Virus.Win32.Virut.ce (Kaspersky), Virus:Win32/Virut.BM (MS OneCare)

Immediate Protection Info

Signature   Product                   Removal Instructions
35.1.7039   CA Antivirus 2007
35.1.7039   eTrust Antivirus v7/8*
7.x/7039    eTrust EZ Antivirus 7.x
35.1.7039   Vet 7

Description

Win32/Veebuu.BD is a worm that propagates through mapped network drives and removable drives.


Method of Infection

When executed, Win32/Veebuu.BD drops a copy of itself to the following location:


c:\windows\SYSTEMIL.EXE


It also drops a copy of itself to the root directory, using any of the following filenames (with file extensions hidden, as the worm configures under Payload, these display as if they were ordinary folders):


Documents.exe
Pictures.exe
Photos.exe
Games.exe


Win32/Veebuu.BD also drops a copy of itself to the default Startup directory. If the operating system is Windows XP or Windows Vista, the worm copies itself to the following locations:


C:\Documents and Settings\{User}\Start Menu\Programs\Startup\SYSTEMIL1.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SYSTEMIL2.EXE


If the operating system is Windows 95, Windows 98 or Windows Me, the worm copies itself to the following locations:


C:\windows\Start Menu\Programs\Startup\SYSTEMIL1.EXE
C:\windows\All Users\Start Menu\Programs\Startup\SYSTEMIL2.EXE


It then creates the following registry entry to execute itself on every startup:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemIL = "c:\windows\SYSTEMIL.EXE"



Method of Distribution

Via Removable and Shared Drives
Win32/Veebuu.BD drops a copy of itself, using any of the following filenames, to the root of any mapped network drive or removable drive:


\Documents.exe
\Pictures.exe
\Photos.exe
\Games.exe
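
The following PowerShell triage script is an added example and is not code from the CA advisory. It checks a host for the file and persistence indicators listed under Method of Infection and Method of Distribution and returns one object per hit. The function name and output layout are my own; so is checking the real %SystemRoot% and the resolved Startup folders in addition to the literal c:\windows paths the advisory gives.

```powershell
# Added example; not code from the CA advisory. Looks for the Win32/Veebuu.BD
# indicators the advisory lists and returns one object per hit. Assumptions of
# mine: the function name, the object layout, and the extra %SystemRoot% /
# resolved Startup-folder checks alongside the advisory's literal paths.

function Find-VeebuuIndicators {
    [CmdletBinding()]
    param()

    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit([string]$Kind, [string]$Location, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
    }
    function Get-Sha256([string]$Path) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # PowerShell 4 or later
    }

    # Filenames used for the root-directory and drive-root copies
    $dropNames = 'Documents.exe', 'Pictures.exe', 'Photos.exe', 'Games.exe'

    # Fixed drop paths from "Method of Infection". The advisory hard-codes
    # c:\windows; the Startup folders are resolved for the running Windows version.
    $fixed = @(
        'C:\windows\SYSTEMIL.EXE'
        (Join-Path $env:SystemRoot 'SYSTEMIL.EXE')
        (Join-Path ([Environment]::GetFolderPath('Startup'))       'SYSTEMIL1.EXE')
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'SYSTEMIL2.EXE')
    ) | Sort-Object -Unique      # case-insensitive, so the two SYSTEMIL.EXE paths collapse
    foreach ($p in $fixed) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            Add-Hit 'DroppedFile' $p "SHA256=$(Get-Sha256 $p)"
        }
    }

    # Root of every drive letter: fixed, removable and mapped network drives.
    # Drives mapped in a non-elevated session are not visible from an elevated one.
    $roots = Get-PSDrive -PSProvider FileSystem |
             Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
             ForEach-Object { $_.Root }
    foreach ($root in $roots) {
        foreach ($n in $dropNames) {
            $p = Join-Path $root $n
            if (Test-Path -LiteralPath $p -PathType Leaf) {
                Add-Hit 'DriveRootCopy' $p "SHA256=$(Get-Sha256 $p)"
            }
        }
    }

    # Persistence: the "SystemIL" value under the HKLM Run key
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'SystemIL' -ErrorAction SilentlyContinue
    if ($run) { Add-Hit 'RunValue' "$runKey\SystemIL" $run.SystemIL }

    return $hits
}

Find-VeebuuIndicators | Format-Table -AutoSize
```

A file named Documents.exe in a drive root is not proof of this worm on its own; the SHA-256 in each hit is there so that copies found on several drives can be matched against each other and against the sample your vendor detected. The script only reads; removal of the files and the Run value is a separate step, and the worm's own process must be stopped first or it will recreate them.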



Payload

Displays Message
If the worm is executed when the system date is May 12, it displays an image (the image is not reproduced in this text).



Terminates Processes
If any window title contains one of the following strings, Win32/Veebuu.BD terminates the process that owns the window:


  • Close Program
  • Date and Time Properties
  • Registry Editor
  • Safely Remove Hardware
  • System Configuration Utility
  • Windows Task Manager
Modifies registry entries
The worm modifies various registry entries to hinder the user. Listed below are brief descriptions of the effect of the change, followed by the relevant registry key and its new value.


To disable Task Manager and Registry Editor:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
DisableTaskMgr = dword:00000001
DisableRegistryTools = dword:00000001


To disable the Folder Options menu in Windows Explorer:


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = dword:00000001


To disable the Balloon Tips for folder and Tool Tip Displays:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
FolderContentsInfoTip = dword:00000000
ShowInfoTip = dword:00000000


To disable Display of folder size:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\FolderSizeTip
CheckedValue = dword:00000000
DefaultValue = dword:00000000


To hide file extensions:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = dword:00000001


To hide Control Panel, My Computer, My Documents, My Music, My Pictures and Network Connections from the Windows XP-style Start Menu (the value names are listed; the worm sets each so that the item is not displayed):


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Start_ShowControlPanel
Start_ShowMyComputer
Start_ShowMyDocs
Start_ShowMyMusic
Start_ShowMyPics
Start_ShowNetConn


To make Explorer reopen the previous folder windows at logon:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
PersistBrowsers = dword:00000001


Deletes Registry Entries
Win32/Veebuu.BD deletes the following registry keys, which define the "Do not show hidden files and folders" and "Show hidden files and folders" options on the View tab of Folder Options; removing them takes those options out of the dialog. The values shown are the ones a clean system carries:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
CheckedValue = dword:00000002
DefaultValue = dword:00000002


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = dword:00000001
DefaultValue = dword:00000002
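
The following PowerShell script is an added example and is not code from the CA advisory. It reverts the changes listed under Modifies registry entries and recreates the two keys listed under Deletes Registry Entries with the CheckedValue/DefaultValue pairs the advisory gives. The function name is my own, as are the "stock Windows" values used for the Explorer\Advanced and FolderSizeTip entries: the advisory records what the worm writes, not what was there before, so those defaults are assumptions.

```powershell
# Added example; not code from the CA advisory. Reverts the registry changes the
# advisory lists for Win32/Veebuu.BD. Assumptions of mine: the function name and
# the pre-infection (stock Windows) values for Explorer\Advanced and FolderSizeTip.
# Run from an elevated PowerShell; -WhatIf prints the changes without applying them.

function Restore-VeebuuRegistry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # 1. Policy values: delete them rather than set them to 0, so that a genuine
    #    Group Policy (if any) re-applies its own setting at the next refresh.
    $policies = @(
        @{ Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Names = 'DisableTaskMgr', 'DisableRegistryTools' }
        @{ Key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
           Names = 'NoFolderOptions' }
    )
    foreach ($p in $policies) {
        foreach ($n in $p.Names) {
            $present = Get-ItemProperty -Path $p.Key -Name $n -ErrorAction SilentlyContinue
            if ($present -and $PSCmdlet.ShouldProcess("$($p.Key)\$n", 'Remove value')) {
                Remove-ItemProperty -Path $p.Key -Name $n
            }
        }
    }

    # 2. Per-user Explorer settings. 1 shows the Start Menu item / tip again.
    #    HideFileExt is set to 0 (show extensions): a stock install hides them,
    #    but showing them is what makes "Documents.exe" distinguishable from a folder.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $advValues = [ordered]@{
        FolderContentsInfoTip  = 1
        ShowInfoTip            = 1
        HideFileExt            = 0
        Start_ShowControlPanel = 1
        Start_ShowMyComputer   = 1
        Start_ShowMyDocs       = 1
        Start_ShowMyMusic      = 1
        Start_ShowMyPics       = 1
        Start_ShowNetConn      = 1
        PersistBrowsers        = 0
    }
    foreach ($n in $advValues.Keys) {
        if ($PSCmdlet.ShouldProcess("$adv\$n", "Set DWORD $($advValues[$n])")) {
            Set-ItemProperty -Path $adv -Name $n -Value $advValues[$n] -Type DWord
        }
    }

    # 3. Machine-wide Folder Options template keys (HKLM). FolderSizeTip goes back
    #    to 1/1 (assumed stock values); NOHIDDEN and SHOWALL are recreated with the
    #    CheckedValue/DefaultValue pairs the advisory lists for them.
    $folder = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder'
    $template = [ordered]@{
        'FolderSizeTip'   = @{ CheckedValue = 1; DefaultValue = 1 }
        'Hidden\NOHIDDEN' = @{ CheckedValue = 2; DefaultValue = 2 }
        'Hidden\SHOWALL'  = @{ CheckedValue = 1; DefaultValue = 2 }
    }
    foreach ($sub in $template.Keys) {
        $path = "$folder\$sub"
        if ($PSCmdlet.ShouldProcess($path, 'Create key and set values')) {
            if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
            foreach ($n in $template[$sub].Keys) {
                Set-ItemProperty -Path $path -Name $n -Value $template[$sub][$n] -Type DWord
            }
        }
    }
}

Restore-VeebuuRegistry -WhatIf    # review the planned changes, then run without -WhatIf
```

Two caveats. First, the advisory lists only CheckedValue and DefaultValue for the deleted keys; on a clean installation those keys also carry the Type, Text, RegPath, ValueName and HKeyRoot values that the Folder Options dialog needs to draw the radio buttons, so for a complete restore export the Hidden key from a clean machine of the same Windows version and import it rather than relying on step 3 alone. Second, run this only after the worm's process has been stopped and its files removed: it kills any window titled "Registry Editor" or "Windows Task Manager", so use Stop-Process from the PowerShell console instead of those tools, and expect the values to be rewritten if the worm is still running.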


Analysis by Mary Grace Gabriel


