Threat Research & Response Blog
Worm:Win32/Visal.B is a new worm, written in Visual Basic, that is currently propagating partly through social engineering. We strongly encourage customers to be cautious about clicking suspicious, or even simply unexpected, links in email, even when the message appears to come from someone you know. Getting infected by Visal.B is an example of what happens if you aren't careful.
The threat has a timestamp of 9/3/2010 and spreads using two techniques: mass emailing, and copying itself to local drives (C: and H:) and network shares. On each drive it copies itself to, it also drops an autorun.inf file (which causes the dropped copy to be launched when the drive is opened or auto-played); by email, it sends itself to every contact it can find on the compromised system.
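As an added example (not code from the original post or from the MMPC analysis), the following Python parses an autorun.inf of the kind a worm drops beside its copy and reports every directive that would launch a file. The sample autorun.inf contents, including the file name it points at, are constructed for the example; the post does not give the actual contents the worm writes.

```python
"""Inspect an autorun.inf for directives that launch an executable.

A worm that copies itself to a drive or share typically drops an autorun.inf
next to the copy so that Explorer or AutoPlay starts it.  This parser pulls
the [autorun] section apart and flags every launch directive whose target is
an executable, so a sweep over mounted drives or shares can spot such files.
"""
import ntpath

LAUNCH_KEYS = {"open", "shellexecute"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}


def parse_autorun(text):
    """Return the key=value pairs of the [autorun] section with keys lower-cased.

    Malware-written autorun files are often padded with junk lines, so lines
    without an '=' are skipped rather than treated as a parse error.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(text):
    """List (directive, target file) pairs that would run something."""
    hits = []
    for key, value in parse_autorun(text).items():
        # 'open', 'shellexecute' and 'shell\<verb>\command' all name a file to run
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            target = value.split()[0].strip('"') if value else ""
            hits.append((key, target))
    return hits


def is_suspicious(text):
    """True when any launch target is an executable (e.g. a worm's dropped copy)."""
    return any(ntpath.splitext(t)[1].lower() in EXEC_EXTS for _, t in launch_targets(text))


# Constructed sample; the file name is assumed, not taken from the advisory.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=PDF_Document21.025542010.scr\n"
    "shellexecute=PDF_Document21.025542010.scr\n"
    "shell\\open\\command=PDF_Document21.025542010.scr\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)

if __name__ == "__main__":
    for directive, target in launch_targets(SAMPLE_AUTORUN):
        print(f"{directive} -> {target}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN))
```

Run it against the autorun.inf at the root of each drive letter or share you scan; a benign autorun.inf that only sets an icon or label produces no launch targets and is not flagged.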
Visal.B uses MAPI to perform a mass mailing to every contact it finds on the compromised system. In a corporate environment the "address book" may be extensive, so as more machines on a corporate network become infected, more and more email circulates on the local network, which can degrade mail server performance. The threat also sends back information about the compromised system, specifically its IP addresses and system information, via a built-in SMTP/ESMTP (mail-transfer) engine.
The mass-mailed messages contain a link that looks as though it points to a .pdf document or .wmv video, but in fact points to a malicious .scr (screensaver executable) file. The messages have turned up with various wording, as follows:
This is The Free Dowload Sex Movies,you can find it Here.
hxxp://malicious-link-omitted/library/SEX21.025542010.wmv
Enjoy Your Time.

Subject: Just for you
This is The Document I told you about,you can find it Here.
hxxp://malicious-link-omitted/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.

Subject: Here you have
Hello:
This is The Document I told you about,you can find it Here.
hxxp://malicious-link-omitted/library/PDF_Document21.025542010.pdf
Please check it and reply as soon as possible.
Cheers,
You can read more about Visal.B in our malware encyclopedia. If you suspect that you’ve been infected with this threat, we suggest that you install an antivirus application from a trusted vendor (like Microsoft Security Essentials) or update your existing software and re-scan your computer. Additional information can be found at: www.microsoft.com/protect. You can also visit the Consumer Security Support Center for further assistance.
We'd like to commend Rodel Finones for his rapid and detailed analysis of this threat.
Tareq Saade & Lena Lin
Note that customers who downloaded beta signatures from the MMPC alternate download location may have detected this threat as Worm:Win32/VB.WF.