Emerging Malware Issue: Visal.B

[JMH]

Worm:Win32/Visal.B is a new worm, written in Visual Basic, that is currently propagating in part using social-engineering. We strongly encourage customers to be cautious about clicking suspicious or even simply unexpected links in email, even if it’s sent by someone you know. Getting infected by Visal.B is an example of what happens if you aren’t careful.


The threat has a timestamp of 9/3/2010 and spreads using two techniques: mass emailing, and copying itself to local drives (C: and H and network shares. The threat will copy itself to various drives on the local system along with an autorun.inf file, and will also send itself to all contacts that it can find on the compromised system via email.


Visal.B uses MAPI to perform a mass mailing to all contacts that it finds on the compromised system. In a corporate environment the “address book” may be extensive. As more machines on a corporate network are infected, more and more email is sent around on the local network, which can cause mail server performance degradation. The threat also sends back information about the compromised system, specifically IP addresses and system information via a built-in SMTP/ESMTP (mail-transfer) engine.

More -
Emerging Malware Issue: Visal.B - Microsoft Malware Protection Center - Site Home - TechNet Blogs

 

[CarlTR6]

Thank you for the heads up.

 

[JMH]

Update on the "Here you have" worm (Visal.B)

We have some updated information for you regarding Worm:Win32/Visal.B, known as the "Here you have" worm (with a SHA1, a unique identifier for the threat, of 0x0BA8387FAAF158379712F453A16596D2D1C9CFDC) that we also blogged about yesterday.

First, let us remind you of the two methods originally used by the worm to spread itself: It mass-emailed a link that pointed to malware, and it copies itself to local drives and network shares. The mass mailer takes advantage not only of local address lists in Outlook address book, but it also gathers Yahoo Messenger contacts by parsing files in the user’s
%root%\Program Files\Yahoo!\Messenger\Profiles directory. Although it’s known for the "Here you have" subject, it can also use two others (“Just for you” and “Hi”). Details on the contents of the message are in our encyclopedia entry for Worm:Win32/Visal.B.

In any case, after the worm was discovered, the URL was rendered unreachable. Therefore, although the malware can still send spam, the malicious links are inactive, preventing the worm from spreading further using the spam vector. Although mailboxes can continue to fill up due to unprotected machines executing the malware, those emails will no longer be able to find any malware at the target URL.

More -
Microsoft Malware Protection Center

 

[Jacee]

A bit more from Sophos W32/Autorun-BHO Win32 worm (Trojan Horse, Trojan.Win32.Swisyn.algm, Worm:Win32/Visal.B, W32/VBMania@MM) - Sophos security analysis