It has been another month, and we have found some more families that need the kind of special attention the Malicious Software Removal Tool (MSRT) is ideal at giving.

This month we are focused on cleaning up the Win32/Babonock, Win32/Redyms, and Win32/Vesenlosow families due to their recent increase in prevalence.

Lately I have been working with the Vesenlosow family. These are worms written in Visual Basic that were first seen at the end of 2010, yet are still managing to trouble people today.

Of particular interest is the way the worm manipulates the Startup folder so that it runs whenever Windows does. Vesenlosow puts a link to itself in the “%programs%\startup” folder and then sets that folder to “hidden.” It creates another, visible folder called “%programs%\startups” and, with some further system changes, uses a desktop.ini file to change the displayed name to “%programs%\startup,” so the user may not notice its presence.

The following picture shows you what this looks like in Windows File Explorer:

Screenshot showing hidden and visible Startup folders

…and this picture shows you what the real names of the folders are:

Image showing real names of hidden and visible Startup folders

Or, in some cases, there may simply be a run key added:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AbPlayer

The family tries to steal lots of information from the victim, such as their:

  • User name
  • Machine name
  • Machine GUID
  • IP address
  • The names of running processes
  • Contents of the clipboard
  • Key strokes
  • Typed URLs for HTTP, HTTPS and FTP

It sends this information back to its writer, either to a free cloud storage site (via FTP), or to a free email site (via email), depending on the variant.

It’s easy to recognize. On the user’s machine Vesenlosow calls itself “msmm.exe.” Depending on the variant of the worm, it will masquerade as a different program for distribution. We have seen “Suduko solver,” “UltraSurf,” and “Freegate tool.” Each variant is easy to tell apart because it lives in a different hidden folder and uses a different icon:

  • %userprofile%\Wins7
    Vesenlosow using a music CD icon, which is the icon used by Suduko solver
  • %userprofile%\Wins8
    Vesenlosow using an icon of a sailboat, which is the icon used by UltraSurf
  • %userprofile%\Wins9
    Vesenlosow using an icon of a dove, which is the icon used by the Freegate tool

After it is running on the user’s machine, the worm spreads via removable drives. If the user has any removable drives other than the “A” drive, Vesenlosow will copy itself to the root of that drive as a hidden file with the name “New.exe.”
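As an added defender-side check (not code from this post or from the MMPC), the following PowerShell script looks for the artifacts described above on a Windows host: the hidden real Startup folder and the visible “Startups” decoy with its desktop.ini, the AbPlayer run key, the Wins7/Wins8/Wins9 drop folders holding msmm.exe, and a hidden New.exe at the root of any removable drive other than A:. The desktop.ini key name LocalizedResourceName is an assumption (it is the standard shell key for renaming a folder; the post only says a desktop.ini is used).

```powershell
# Added triage script, not from the MMPC post. Folder, file and registry
# names come from the post; LocalizedResourceName is assumed.
function Find-VesenlosowArtifacts {
    $findings = @()
    $hidden   = [IO.FileAttributes]::Hidden

    # 1. Startup folder trick: real Startup folder hidden, decoy "Startups" beside it
    $programs = [Environment]::GetFolderPath('Programs')   # %programs%
    $startup  = Join-Path $programs 'Startup'
    $decoy    = Join-Path $programs 'Startups'
    if (Test-Path $startup) {
        $attrs = (Get-Item $startup -Force).Attributes
        if (($attrs -band $hidden) -ne 0) { $findings += "Real Startup folder is hidden: $startup" }
    }
    if (Test-Path $decoy) {
        $findings += "Decoy folder present: $decoy"
        $ini = Join-Path $decoy 'desktop.ini'
        if (Test-Path $ini) {
            # Assumed key: LocalizedResourceName is how desktop.ini renames a folder
            $line = Select-String -Path $ini -Pattern '^LocalizedResourceName'
            if ($line) { $findings += "desktop.ini renames decoy: $($line.Line)" }
        }
    }

    # 2. Run key persistence seen in some variants
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $runKey -Name 'AbPlayer' -ErrorAction SilentlyContinue
    if ($val) { $findings += "Run key AbPlayer -> $($val.AbPlayer)" }

    # 3. Hidden drop folders holding the worm's msmm.exe
    foreach ($n in 7, 8, 9) {
        $exe = Join-Path $env:USERPROFILE "Wins$n\msmm.exe"
        if (Test-Path $exe) { $findings += "Dropped copy: $exe" }
    }

    # 4. Removable drives (DriveType 2), excluding A:, with a hidden New.exe at the root
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $removable) {
        if ($d.DeviceID -eq 'A:') { continue }
        $cand = "$($d.DeviceID)\New.exe"
        if (Test-Path $cand) {
            $a = (Get-Item $cand -Force).Attributes
            if (($a -band $hidden) -ne 0) { $findings += "Hidden New.exe on $($d.DeviceID)" }
        }
    }
    return $findings
}

$results = Find-VesenlosowArtifacts
if ($results) { $results | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Vesenlosow artifacts found.' }
```

Run it from an elevated prompt so the HKLM run key and every user's profile are readable; a hit on any item is a reason to run a full MSRT or antimalware scan rather than to clean by hand.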

For more details about this family, please see the Microsoft Malware Protection Center (MMPC) Encyclopedia’s description for the Win32/Vesenlosow family.

-Michael Johnson
MMPC Melbourne