VBS.Inker.B@mm

Discovered: September 13, 2005
Updated: July 09, 2009 12:08:23 AM
Systems Affected: Windows

VBS.Inker.B@mm is a mass-mailing worm that changes icons, swaps mouse buttons, and lowers computer security settings.

Once executed, the worm creates some or all of the following files:
%Windir%\Ipnuker.vbs
%Windir%\IeCrash.html
%Windir%\system32\Iexploit.html
%Windir%\CreateUser.vbs
%ProgramFiles%\Script.ini

The worm creates the following registry entries, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Ipnuker" = "%Windir%\Ipnuker.vbs"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Iexploit" = "%Windir%\system32\Iexploit.html"

The worm then swaps the mouse button functions.

The worm modifies the value of the following registry subkey, so that the desktop is no longer displayed:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoDesktop" = "1"

The worm creates the following registry entries to change icons:
HKEY_CLASSES_ROOT\vbsfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\exefile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\jpgfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\jpegfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\inifile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\inffile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\batfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\comfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\mpgfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\mp3file\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\bmpfile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\wmafile\"DefaultIcon" = "shell32.dll,2"
HKEY_CLASSES_ROOT\htmlfile\"DefaultIcon" = "shell32.dll,2"

The worm then modifies the values in the following registry subkeys, so that the threat runs when certain applications are executed:
HKEY_CLASSES_ROOT\txtfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\Folder\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\Folder\shell\explore\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\exefile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\HTTP\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\htmlfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\https\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\inifile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\inffile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\jpgfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\jpegfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\bmpfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\mp3file\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\mpgfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\mpegfile\shell\open\"command" = "%Windir%\Ipnuker.vbs"
HKEY_CLASSES_ROOT\wmafile\shell\open\"command" = "%Windir%\Ipnuker.vbs"

The worm deletes the following registry subkeys:
HKEY_CLASSES_ROOT\Folder
HKEY_USERS\.DEFAULT\Appevents\EventLabels\DeviceConnect\DispFileName

The worm then makes one of the following registry entry modifications to change the registered owner:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"RegisteredOwner" = "Ipnuker"
HKEY_LOCAL_MACHINE\SOFTWARE\"Ipnuker" = "Vbs.Ipnuker@mm"

The worm modifies the following registry entries to redirect the Microsoft Internet Explorer Home page:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "file: ///C:\[Windows|Winnt]\IeCrash.html"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "file: ///C:\Winnt\IeCrash.html"

The worm then modifies the entries in the following registry subkeys to prevent those processes from running:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"1" = "cmd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"2" = "wuauclt.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"3" = "sndrec32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"4" = "sndvol32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"5" = "wmplayer.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"6" = "AcroRd32.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"7" = "mspaint.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"8" = "rstrui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\"9" = "AUPDATE.exe"

The worm also modifies the entry in the following registry subkey to prevent the task manager from running:
HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"

The worm then modifies the entries in the following registry subkeys to disable notification of firewall, antivirus and Windows update status through the Windows Security Center:
HKEY_CURRENT_USER\Software\Microsoft\Security Center\"FirewallDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Security Center\"UpdatesDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"

The worm also modifies the entries in the following registry subkeys to disable Windows Firewall:
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\"EnableFirewall" = "0"
HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\"EnableFirewall" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\"EnableFirewall" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\"EnableFirewall" = "0"

The worm also modifies the following registry entry, pointing the Norton AntiVirus quarantine path at the Windows directory:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton Antivirus\Quarantine\"QuarantinePath" = "Windir"
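The dropped files and registry changes listed above are what a responder would check first. The following script is an added example, not part of the Symantec writeup: a read-only audit that reports which of those indicators are present on a host. It assumes an elevated PowerShell session and checks DisableTaskMgr at its standard location under ...\Windows\CurrentVersion\Policies\System.

```powershell
# Added example, not from the Symantec writeup: read-only audit of the files and
# registry values this writeup attributes to VBS.Inker.B@mm. Run elevated; it
# reports findings and changes nothing.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped files (paths from the writeup)
foreach ($f in "$env:windir\Ipnuker.vbs", "$env:windir\IeCrash.html",
               "$env:windir\system32\Iexploit.html", "$env:windir\CreateUser.vbs",
               "$env:ProgramFiles\Script.ini") {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}
# 2. Autorun values the worm adds under HKLM\...\Run
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Ipnuker', 'Iexploit') {
    $v = (Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings.Add("Run\$name = $v") }
}
# 3. File-type and folder handlers redirected to Ipnuker.vbs (HKCR is the merged view)
foreach ($sub in 'txtfile\shell\open', 'Folder\shell\open', 'Folder\shell\explore',
                 'exefile\shell\open', 'HTTP\shell\open', 'https\shell\open',
                 'htmlfile\shell\open', 'inifile\shell\open', 'jpgfile\shell\open') {
    $key = "Registry::HKEY_CLASSES_ROOT\$sub\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'Ipnuker\.vbs') { $findings.Add("HKCR\$sub\command = $cmd") }
}
# 4. Policy values that hide the desktop, block Task Manager, mute Security Center
#    and disable the firewall. DisableTaskMgr is checked at its standard location.
$policy = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @{ NoDesktop = 1 }
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @{ DisableTaskMgr = 1 }
    'HKCU:\Software\Microsoft\Security Center' = @{ FirewallDisableNotify = 1; UpdatesDisableNotify = 1; AntiVirusDisableNotify = 1 }
    'HKLM:\SOFTWARE\Microsoft\Security Center' = @{ FirewallDisableNotify = 1; UpdatesDisableNotify = 1; AntiVirusDisableNotify = 1 }
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'   = @{ EnableFirewall = 0 }
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' = @{ EnableFirewall = 0 }
}
foreach ($key in $policy.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $policy[$key].Keys) {
        if ($props -and $props.$name -eq $policy[$key][$name]) { $findings.Add("$key\$name = $($props.$name)") }
    }
}
# 5. DisallowRun list (the worm fills entries 1..9 with cmd.exe, wuauclt.exe, rstrui.exe, ...)
$dr = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' -ErrorAction SilentlyContinue
if ($dr) { $dr.PSObject.Properties | Where-Object Name -match '^\d+$' | ForEach-Object { $findings.Add("DisallowRun\$($_.Name) = $($_.Value)") } }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No VBS.Inker.B@mm indicators found.' }
```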

The worm then ends the following processes:
ccApp.exe
PandaAVEngine.exe
zonealarm.exe
navw32.exe
Iexplorer.exe
mspaint.exe
notepad.exe
msnmsgr
wmplayer.exe
NMain.exe
WINWORD.exe
cmd.exe
realplayer.exe
Ypager.exe
AUPDATE.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
GUARD.EXE

The worm pings the local host repeatedly.

The worm deletes the following files:
%Windir%\System32\Calc.exe
%Windir%\Notepad.exe

The worm enumerates the names of all applications installed on the compromised computer using a WMI component. It then executes the corresponding uninstaller if an application's name includes the strings 'Script' and 'Block'.

The worm then attempts to spread via mIRC by looking for the following file:
%Windir%\Mirc.ini

If the file is found, the worm will overwrite the script.ini file with instructions to send the %Windir%\Ipnuker.vbs file to an IRC channel.

The worm attempts to create a registered computer user with a random name if the month is January, March, May, July, September, or November.

If the folder C:\Winnt exists, the worm spreads by sending an email to all the contacts in the Microsoft Windows address book using Microsoft Outlook.

The mail has the following characteristics:

Subject :
Hotmail Password Finder Downloads

Message :
The Attached File Is A Hotmail Password Finder
This Is A 100% Free Full Version And Is Easy To Use Just Follow The Instructions.
This Tool Is Illegal So Use It With Caution Please Enjoy.

Attachment :
Ipnuker.vbs

The worm overwrites the hosts file with the following text to prevent access to certain security-related Web sites:
#Vbs.Ipnuker@mm
#Ipnuker 2005

127.0.0.1 www.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.macafee.com
127.0.0.1 macafee.com
127.0.0.1 www.f-secure.com
127.0.0.1 f-secure.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.kaspersky-labs.com
127.0.0.1 www.kaspersky.com
127.0.0.1 kaspersky.com
127.0.0.1 www.trendmicro.com
127.0.0.1 trendmicro.com
127.0.0.1 windowsupdate.microsoft.com
127.0.0.1 www.windowsupdate.microsoft.com
127.0.0.1 www.rohitab.com
127.0.0.1 rohitab.com
127.0.0.1 www.google.com
127.0.0.1 google.com
127.0.0.1 www.msn.com
127.0.0.1 msn.com
127.0.0.1 www.yahoo.com
127.0.0.1 yahoo.com
127.0.0.1 www.astalavista.com
127.0.0.1 astalavista.com
127.0.0.1 www.hotmail.com
127.0.0.1 hotmail.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
127.0.0.1 www.gmail.com
127.0.0.1 gmail.com
127.0.0.1 www.dell.com
127.0.0.1 dell.com
127.0.0.1 www.msdn.com
127.0.0.1 msdn.com
127.0.0.1 www.hi5.com
127.0.0.1 hi5.com

#Ipnuker 2005
#Vbs.Ipnuker@mm
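The hosts-file overwrite above is easy to verify by hand, but the following script is an added example, not part of the Symantec writeup, that does it systematically: it lists the worm's marker comments and every active line that pins a name other than localhost to 127.0.0.1, tags the update and vendor domains named in this writeup, and writes a cleaned copy to %TEMP% for review rather than over the original. It assumes the default hosts path under %SystemRoot%\System32\drivers\etc.

```powershell
# Added example, not from the Symantec writeup: review the hosts file for the
# VBS.Inker.B@mm overwrite. Read-only; the cleaned version goes to %TEMP%.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Update and security-vendor domains the writeup shows being redirected
$vendor = 'symantec.com', 'sophos.com', 'macafee.com', 'f-secure.com', 'kaspersky-labs.com',
          'kaspersky.com', 'trendmicro.com', 'windowsupdate.microsoft.com'
$lines = Get-Content -LiteralPath $hostsPath -ErrorAction Stop

$suspect = foreach ($line in $lines) {
    $t = $line.Trim()
    # Marker comments the worm writes at the top and bottom of the file
    if ($t -match '^#\s*(Vbs\.Ipnuker@mm|Ipnuker 2005)\s*$') { "marker : $t"; continue }
    # Any active 127.0.0.1 mapping other than localhost is a redirect
    if ($t -match '^127\.0\.0\.1\s+(\S+)') {
        $name = $Matches[1].ToLower()
        if ($name -eq 'localhost') { continue }
        $tag = if ($vendor | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }) { 'vendor/update domain' } else { 'loopback redirect' }
        "$tag : $t"
    }
}
if (-not $suspect) { 'hosts file shows no VBS.Inker.B@mm redirects.'; return }
$suspect | ForEach-Object { Write-Warning $_ }

# Cleaned copy: drop the marker comments and every 127.0.0.1 line except localhost
$clean = $lines | Where-Object {
    $t = $_.Trim()
    -not ($t -match '^#\s*(Vbs\.Ipnuker@mm|Ipnuker 2005)\s*$') -and
    -not ($t -match '^127\.0\.0\.1\s+(\S+)' -and $Matches[1] -ne 'localhost')
}
$out = Join-Path $env:TEMP 'hosts.cleaned'
Set-Content -LiteralPath $out -Value $clean -Encoding ASCII
"Cleaned copy written to $out; compare it with $hostsPath before replacing the original."
```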

The worm enables the Guest account.

The worm copies itself to the shared folders of the following file sharing applications:
C:\Program Files\KaZaA\My Shared Folder\Hotmail Password Finder.vbs
C:\Program Files\KaZaA Lite\My Shared Folder\Hotmail Password Finder.vbs
C:\Program Files\Bearshare\Shared\Hotmail Password Finder.vbs
C:\Program Files\Morpheus\My Shared Folder\Hotmail Password Finder.vbs
C:\Program Files\ICQ\Shared Files\Hotmail Password Finder.vbs
C:\Program Files\Grokster\My Grokster\Hotmail Password Finder.vbs