The first variants of Win32/VBDoc worm appeared about half year ago, and this worm has been active since. The description of Win32/VBDoc.H is available on Total Defense Labs Encyclopedia.
Many variants of this worm are known, they are released quite frequently by one or more malware writers. When older variant becomes known and detected by antiviruses, no more attempts to infect with this variant are performed, instead, new variant is released. This scenario is typical for other malware too. Because of that, a reasonable protection could be provided only by proactive detection that is able to detect future variants.
Consider how the malware changed since its first time appearance. All the variants are written using Visual Basic and employ complicated encryption engine that decrypts worm’s code into memory block and executes it. The Visual Basic code is only a decryption engine, because of that it can be very volatile and difficult to distinguish between the worm and normal Visual Basic programs.
Such polymorphic malware always has some week points exploited by antivirus in order to detect it. In turn, the malware authors attempt to avoid such week points.
The Visual Basic executable has certain structure and consists of forms, modules and classes. These objects have names that are used for malware recognition detection, together with other features of the file.
Early variants were released with names and objects count that were randomly generated and then used unchanged for about week or two, while Visual Basic code was different for every new variant, for example:
Class zeevzo having 2 methods named “l” and “g”
This method provided proactive detection for a period of time when the names were not changed.
In later variants, the object names and count were changed more frequently, but some pattern was preserved, like:
Module name consists of 5 to 7 lowercase letters
Class name consists of 6 to 9 lowercase letters
Class has 2 to 4 methods which names are like..
2 to 4 modules
1 to 4 forms
Later the patterns became more variable, so that this method became unusable because it was not able to distinguish between normal and malicious files anymore.
In addition to object names, the malware had other weak points. At infected machine the worm created worm’s copy accompanying user’s folders and documents. The original file gets hidden, a user sees folder instead it and clicks it ; see description in Total Defense Labs Encyclopedia.
Early variants used double extension:
document.doc – clean document
“document.doc . exe” – copy of the worm
This is very suspicious and allows to detect the worm.
Newer variants strip extension and change it to EXE:
document.doc – clean document
document.exe – copy of the worm
Another feature is using icons that simulate documents and folders. A worm has usually a number of icons: icon of Word document, Excel spreadsheet, folder, etc. When infecting an object, proper icon is made visible. This combination of icons is suspicious and helps to identify the worm. In latest variants the worm uses polymorphic icons: the icons are randomly shifted and some pixels are changed, so that the icon looks almost like original one for a human, but is difficult to identify by antivirus.
At the end of the day, the worm becomes stronger and antivirus researchers must create more sophisticated routines in order to detect it.
Leave a reply