W32/VBMania: The most Terrifying zero-day exploit in 2010 and McAfee’s frakin awesome free tool to clean your system.

And it’s F**ing Rad and Free!

Available from McAfee Labs at: http://vil.nai.com/vil/stinger/

But what is it?

McAfee Labs has a free utility called Stinger, and it’s pretty amazing for being free, since it uses some enterprise-level features. It comes with a limited DAT (a small database of known viruses), but it will also access our enterprise-level Artemis Technology scan engine over an internet connection.

The Artemis scan engine runs separately from the general DAT that cheap and free anti-virus companies use.

It does a network check of the file’s MD5 hash and compares it to our huge database of known good and bad files! Hence it will detect variants before they have even been detected and added to the DAT.

I guess we are slowly moving away from a DAT environment to a real-time network file verification system.

Besides that! Go get it!
Download the free scanner tool from McAfee Labs at: http://vil.nai.com/vil/stinger/
Below are my recommended settings if you have a malware outbreak
and want MAXIMUM detection and removal.
BE SAFE, USE THE DEFAULT SETTINGS!!

More on W32/VBMania@mm:

https://kc.mcafee.com/corporate/index?page=content&id=KB69857

http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=275435
This virus has been seen in large spam runs with the subject line: “Here you have”.
When executed, the following files are dropped:
%WINDIR%\system\Administrator CV 2010.exe
%WINDIR%\system\updates.exe
%WINDIR%\Administrator CV 2010.exe
%WINDIR%\autorun.inf
%WINDIR%\autorun2.inf
%WINDIR%\csrss.exe
%WINDIR%\vb.vbs
%DIR%\Administrator CV 2010.exe
%WINDIR%\tryme1.exe
%WINDIR%\im.exe
%WINDIR%\csrss.exe
%WINDIR%\vb.vbs
%TEMP%\~DF1DC7.tmp
%WINDIR%\ie.exe
%WINDIR%\rd.exe
%WINDIR%\re.exe
%WINDIR%\system\updates.exe
%WINDIR%\SYSTEM32\SendEmail.dll
%WINDIR%\gc.exe
%WINDIR%\hst.iq
%WINDIR%\ff.exe
%WINDIR%\op.exe
%WINDIR%\pspv.exe
%WINDIR%\re.iq
%WINDIR%\ff.dlm
%APPDATA%\addons.dat
Where %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)
The following files were temporarily written to disk then later removed:

%WINDIR%\ff.iq
%WINDIR%\ie.iq
%WINDIR%\SendEmail.iq
%WINDIR%\w.iq
%WINDIR%\m.iq
%WINDIR%\gc.iq
%WINDIR%\SYSTEM32\drivers\etc\hosts
%WINDIR%\pspv.iq
%WINDIR%\w.exe
%WINDIR%\tryme.iq
%WINDIR%\im.iq
%WINDIR%\rd.iq
%TEMP%\~DFAFA.tmp
%WINDIR%\m.exe
%WINDIR%\SendEmail.dll
%WINDIR%\b.bat
%WINDIR%\op.iq
The following file was modified:

%WINDIR%\SYSTEM32\wbem\logs\wbemprox.log
The malware has been known to randomly delete certain existing executables and to replace the current hosts file.
Registry changes like the ones below are made to prevent certain system tools from running. This is a subset of the complete changes:
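The hash lookup described earlier (Artemis checking a file’s MD5 against a reputation database) and the dropped-file list above suggest a simple response-side check. The script below is an added example, not McAfee’s or Stinger’s code: it expands the %WINDIR%, %TEMP%, %APPDATA% and %DIR% placeholders from the write-up, reports which of the listed artifacts exist, hashes them with MD5 against a reputation set, and lists hosts-file entries beyond the stock loopback lines (the write-up says the worm replaces the hosts file). The directory tree, file contents and reputation set are constructed for the demonstration and are not real indicators; %DIR% is assumed to be the folder the attachment was run from.

```python
"""Offline triage of the W32/VBMania@mm artifacts listed in the write-up.

Added example, not McAfee's or Stinger's code. All sample data is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Subset of the dropped-file paths quoted in the write-up.
DROPPED_FILES = [
    r"%WINDIR%\system\updates.exe",
    r"%WINDIR%\csrss.exe",
    r"%WINDIR%\vb.vbs",
    r"%TEMP%\~DF1DC7.tmp",
    r"%APPDATA%\addons.dat",
    r"%DIR%\Administrator CV 2010.exe",
]
HOSTS_FILE = r"%WINDIR%\SYSTEM32\drivers\etc\hosts"

# What a stock hosts file carries once comments are stripped.
DEFAULT_HOSTS_ENTRIES = {"127.0.0.1 localhost", "::1 localhost"}

SAMPLE_DROPPER = b"MZ constructed sample standing in for the dropped csrss.exe"


def expand(template: str, env: dict) -> Path:
    """Substitute %VAR% placeholders from env and return a native Path."""
    out = template
    for key, value in env.items():
        out = out.replace(f"%{key}%", str(value))
    return Path(out.replace("\\", os.sep))


def md5_of(path: Path) -> str:
    """MD5 of the file contents, the lookup key the write-up says Artemis uses."""
    return hashlib.md5(path.read_bytes()).hexdigest()


def triage_files(env: dict, known_bad: set) -> dict:
    """Report listed artifacts that exist, split by whether their hash is known."""
    present, flagged, unknown = {}, [], []
    for template in DROPPED_FILES:
        path = expand(template, env)
        if not path.is_file():
            continue
        digest = md5_of(path)
        present[template] = digest
        # A hash lookup is byte-exact: a rebuilt variant lands in "unknown",
        # so a listed path that is present but unknown still deserves a look.
        (flagged if digest in known_bad else unknown).append(template)
    return {"present": present, "flagged": flagged, "unknown": unknown}


def suspicious_hosts_entries(hosts_path: Path) -> list:
    """Return hosts-file entries other than the stock loopback lines."""
    if not hosts_path.is_file():
        return []
    odd = []
    for raw in hosts_path.read_text(encoding="utf-8", errors="replace").splitlines():
        entry = " ".join(raw.split("#", 1)[0].split())  # drop comment, squeeze spaces
        if entry and entry not in DEFAULT_HOSTS_ENTRIES:
            odd.append(entry)
    return odd


def build_sample_tree() -> dict:
    """Create a constructed directory tree standing in for an infected host."""
    root = Path(tempfile.mkdtemp(prefix="vbmania_demo_"))
    env = {
        "WINDIR": root / "WINDOWS",
        "TEMP": root / "TEMP",
        "APPDATA": root / "AppData",
        "DIR": root / "Downloads",  # assumed: folder the attachment was run from
    }
    samples = {
        r"%WINDIR%\csrss.exe": SAMPLE_DROPPER,
        r"%WINDIR%\vb.vbs": b"' constructed sample standing in for vb.vbs",
        HOSTS_FILE: (b"# constructed hosts file\n"
                     b"127.0.0.1 localhost\n"
                     b"::1       localhost\n"
                     b"127.0.0.1 example-av-update.invalid  # constructed redirect\n"),
    }
    for template, data in samples.items():
        path = expand(template, env)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return env


def demo() -> dict:
    """Run the triage against the constructed tree and return the findings."""
    env = build_sample_tree()
    # Constructed reputation set standing in for the network hash lookup.
    known_bad = {hashlib.md5(SAMPLE_DROPPER).hexdigest()}
    result = triage_files(env, known_bad)
    result["hosts"] = suspicious_hosts_entries(expand(HOSTS_FILE, env))
    return result


if __name__ == "__main__":
    for section, finding in demo().items():
        print(f"{section}: {finding}")
```

On a real host you would replace build_sample_tree() with the machine’s own environment variables and the reputation set with whatever lookup you trust; the point of the split into "flagged" and "unknown" is that an exact-hash verdict says nothing about a file it has never seen, so presence at one of the listed paths is the stronger signal during an outbreak.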
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adobe Gamma Loader.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\angry.bat
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtIaRP.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtS.ExE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu-0607g.xml
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\SETTINGS\

The following registry element was modified:
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1
The following registry key was added to get past the Outlook security message prompt:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security\ObjectModelGuard = 0x00000002
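The Image File Execution Options subkeys listed above are how the worm keeps security tools from running: Windows honours a Debugger value under IFEO\<image name> by launching that program in place of the named image, so an entry pointing at the dropped binary silently replaces the tool. The script below is an added example, not McAfee’s code, that parses the text format written by "reg export" and flags such entries, and also spots the ObjectModelGuard = 2 setting the write-up reports. SAMPLE_REG is constructed: the write-up names the keys but not their values, so the Debugger targets and the benign GlobalFlag entry are assumptions for the demonstration.

```python
"""Flag IFEO Debugger hijacks and the Outlook guard change in a .reg export.

Added example, not McAfee's code. SAMPLE_REG is constructed.
"""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Matches  "Name"=data  or  @=data  (a key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
; constructed benign entry: a GlobalFlag alone does not redirect execution
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security]
"ObjectModelGuard"=dword:00000002
'''


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " (one pass, left to right)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> dict:
    """Return {key path: {value name: value}} for the string and dword values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data  # hex:, expand strings etc. kept raw for this example
        keys[current][name] = value
    return keys


def find_ifeo_debuggers(keys: dict) -> list:
    """Return (image name, debugger target) for each IFEO subkey carrying a Debugger value."""
    hits = []
    prefix = IFEO_PREFIX.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        image = key[len(IFEO_PREFIX) + 1:]
        for name, value in values.items():
            if name.lower() == "debugger":
                hits.append((image, value))
    return hits


def outlook_guard_disabled(keys: dict) -> bool:
    """True when an Outlook\\Security key carries ObjectModelGuard = 2, as the write-up reports."""
    return any(values.get("ObjectModelGuard") == 2
               for key, values in keys.items()
               if key.lower().endswith(r"\outlook\security"))


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for image, target in find_ifeo_debuggers(parsed):
        print(f"IFEO hijack: {image} -> {target}")
    print("Outlook object model guard disabled:", outlook_guard_disabled(parsed))
```

Feed it the output of exporting the IFEO key and the Office Security key and it reports every image name whose launches are redirected and where they go; a Debugger value that points at anything other than a debugger you installed deserves to be removed, and the image names themselves (360safe, a2free and the rest of the list) tell you which tools the worm is trying to keep off the machine.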
Connections to the following resources are attempted:
hxxp://members.multimania.co.uk/yahoophoto/*****
213.131.252.***:80
