Virus Profile: W32/VBMania@MM

Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 9/9/2010
Date Added: 9/9/2010
Origin: N/A
Length: Varies
Type: Virus
Subtype: Worm
DAT Required: 6101

Description

-- Update October 14, 2010 --

The risk assessment of this threat has been updated to Low

--

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

  • Presence of aforementioned files or registry modifications.
  • Presence of unexpected network connections.
  • Termination of Processes/Services belonging to various Anti-Malware/Security programs

Methods of Infection

This malware is received as part of spam email. When executed, it enumerates the addresses in the infected host's contact list and sends itself to them via email. It can also spread via autorun to network shares or removable drives.

   

Virus Characteristics

---Updated : October 26, 2010 ---

File Information:

  • MD5 : 2BDE56D8FB2DF4438192FB46CD0CC9C9
  • SHA : 0BA8387FAAF158379712F453A16596D2D1C9CFDC

Aliases:

  • Kaspersky: Email-Worm.Win32.VBMania.a
  • Microsoft: Worm:Win32/Visal.B
  • Avira: Worm/Swisyn.algm

Characteristics

"W32/VBMania@MM" is a worm written in VB that may propagate via removable drives, network shares, or email. The binary uses a PDF icon but has an .exe extension. It is also designed to download malicious files from the site "memb[removed]ltimania.co.uk" over remote port 80.

The worm copies itself into the following locations:

  • %WINDIR%\system\Administrator CV 2010.exe
  • %WINDIR%\system\updates.exe
  • %WINDIR%\Administrator CV 2010.exe
  • %WINDIR%\csrss.exe
  • %SYSTEMDRIVE%\Administrator CV 2010.exe
  • %SYSTEMDRIVE%\open.exe
  • %Removable Drive%\open.exe

The following files have been added to the system:

  • %WINDIR%\system32\wbem\Logs\FrameWork.lo_
  • %SYSTEMDRIVE%\SendEmail.dll
  • %WINDIR%\autorun.inf
  • %WINDIR%\autorun2.inf
  • %WINDIR%\ff.exe
  • %WINDIR%\gc.exe
  • %WINDIR%\hst.iq
  • %WINDIR%\ie.exe
  • %WINDIR%\im.exe
  • %WINDIR%\op.exe
  • %WINDIR%\pspv.exe
  • %WINDIR%\rd.exe
  • %WINDIR%\re.exe
  • %WINDIR%\re.iq
  • %WINDIR%\tryme1.exe
  • %WINDIR%\vb.vbs
  • %SYSTEMDRIVE%\autorun.inf
  • %Removable Drive%\autorun.inf

The file "autorun.inf" points to the malware executable. When the removable or network drive is accessed from a machine that supports the Autorun feature, the malware is launched automatically.
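One way to triage an autorun.inf found on a drive is to extract the programs it would launch and compare them with the worm copies this profile names. This is an added example, not part of the original profile: the file contents are constructed (the profile does not reproduce the worm's autorun.inf), and the function names and the scan.exe entry are hypothetical.

```python
import re

# Entries in the [autorun] section that start a program when the drive is opened.
LAUNCH_KEY = re.compile(r'(open|shellexecute|shell\\[^\\]+\\command)$', re.I)
# Program name: a quoted string, else the text up to the first executable extension
# (this keeps unquoted names that contain spaces in one piece).
PROGRAM = re.compile(r'"([^"]+)"|(.+?\.(?:exe|scr|com|bat|cmd|pif|vbs))(?=\s|$)', re.I)
# File names this profile lists as worm copies placed beside a dropped autorun.inf.
PROFILE_COPIES = {'open.exe', 'administrator cv 2010.exe'}

# Constructed autorun.inf for the example; not the worm's actual file.
SAMPLE_INF = r'''; constructed sample
[AutoRun]
label=Backup
OPEN = open.exe
shell\explore\command=open.exe /e
shellexecute=Administrator CV 2010.exe
shell\scan\command="C:\Tools\scan.exe" /q
icon=shell32.dll,4

[Other]
open=ignored.exe
'''

def launch_targets(inf_text):
    """Return (key, program) pairs for launch entries in the [autorun] section."""
    found, in_autorun = [], False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith('['):
            in_autorun = line.lower() == '[autorun]'
        elif in_autorun and '=' in line and not line.startswith(';'):
            key, value = (part.strip() for part in line.split('=', 1))
            if LAUNCH_KEY.match(key) and value:
                m = PROGRAM.match(value)
                program = (m.group(1) or m.group(2)) if m else value.split()[0]
                found.append((key.lower(), program))
    return found

def matches_profile(inf_text):
    """Launch entries whose program base name is one of the profile's worm copies."""
    return [(k, p) for k, p in launch_targets(inf_text)
            if re.split(r'[\\/]', p)[-1].lower() in PROFILE_COPIES]

if __name__ == '__main__':
    print(*matches_profile(SAMPLE_INF), sep='\n')
```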

The following file has been modified on the system:

%WINDIR%\system32\drivers\etc\hosts

The following registry value has been modified on the system:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe %WINDIR%\csrss.exe"

The above-mentioned registry value shows that the worm executes on every system boot.

The following registry values have been added to the system:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\Shares\updates

CSCFlags = 0
MaxUses = 100
Path = %WINDIR%\system
Permissions = 0
Remark = Public share for update.
Type = 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<PROCESS name>\

Debugger="%WINDIR%\csrss.exe"

Where "process name" may be any one of the following:


Thus, the worm is executed every time one of the above-mentioned files is opened.

The following registry values have been added to the system:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    EnableLUA="0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    PromptOnSecureDesktop="0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\]
    EnableVirtualization="0"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security\]
    ObjectModelGuard="2"

The above-mentioned registry values show that the worm disables the Windows and Outlook security settings.

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\]
    EnableFirewall="0"

The above-mentioned registry value shows that the worm disables the default Windows Firewall on the infected machine.
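The registry changes listed above can be checked offline against a `reg export` dump. The following is an added example, not McAfee's code or part of the original profile: the sample export is constructed from the values on this page (with C:\WINDOWS standing in for %WINDIR%), and the function and rule names are hypothetical.

```python
import re

# Constructed sample in `reg export` format using values this profile lists;
# C:\WINDOWS stands in for %WINDIR%. It is not a capture from a real host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"Debugger"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security]
"ObjectModelGuard"=dword:00000002
'''

# (rule, key suffix, value name, data meaning the protection is switched off)
WEAKENED = [
    ('uac-weakened', '\\currentversion\\policies\\system', 'enablelua', '0'),
    ('uac-weakened', '\\currentversion\\policies\\system', 'promptonsecuredesktop', '0'),
    ('uac-weakened', '\\currentversion\\policies\\system', 'enablevirtualization', '0'),
    ('firewall-disabled', '\\firewallpolicy\\standardprofile', 'enablefirewall', '0'),
    ('outlook-guard-off', '\\outlook\\security', 'objectmodelguard', '2'),
]
IFEO = '\\image file execution options\\'

def parse_reg(text):
    """Yield (key, value name, data); dwords are returned as decimal strings."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].rstrip('\\')
        elif m and key:
            name, raw = m.groups()
            if raw.startswith('dword:'):
                yield key, name, str(int(raw[6:], 16))
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo .reg escaping

def audit(text):
    """Return (rule, key or process name, data) for each change the profile lists."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith('\\windows nt\\currentversion\\winlogon') and n == 'shell':
            if data.strip().lower() != 'explorer.exe':  # anything extra also runs at logon
                findings.append(('winlogon-shell', key, data))
        elif IFEO in k and n == 'debugger':  # Debugger runs instead of the named image
            findings.append(('ifeo-debugger', key.rsplit('\\', 1)[-1], data))
        for rule, suffix, value, bad in WEAKENED:
            if k.endswith(suffix) and n == value and data.strip() == bad:
                findings.append((rule, key, data))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE_EXPORT), sep='\n')
```

A Debugger value under Image File Execution Options is sometimes set deliberately (for example to replace Task Manager), so that rule reports every such value for review rather than matching only %WINDIR%\csrss.exe.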

Propagation via Network share:

The worm drops the .vbs file (VBScript file) into the following location:

%WINDIR%\vb.vbs

The VBScript file then spreads the malicious file "N73.Image12.03.2009.JPG.scr" over network shares. The worm searches all drives connected to the host system; if it finds an accessible system on the network, it looks for the drives C:, D:, E:, F:, G: and H: and copies the above-mentioned file to them.

It also attempts to copy the file "N73.Image12.03.2009.JPG.scr" into the following shared folders:

  • Music,
  • New Folder,
  • Print

Propagation via Email:

The worm attempts to harvest email addresses from the local system and send copies of itself to all the address lists in the user's Outlook Address Book.

The subject and body of the mail contain the following details.

Example: 1

Subject:

Here you have


Email Body:

Hello:

This is The Document I told you about,you can find it Here.

http://www.share[removed].com/library/PDF_Document21.025542010.pdf

Please check it and reply as soon as possible.

Cheers,

Example: 2

Subject:

Just for you

Email Body:

Hello:

This is The Free Dowload Sex Movies,you can find it Here.

http://www.share[removed]om/library/SEX21.025542010.wmv

Enjoy Your Time.

Cheers,

The above-mentioned links direct the user to download a copy of the worm.

Also, the worm terminates the following services:

  • Avast! Antivirus
  • aswUpdSv
  • avast! Mail Scanner
  • avast! Web Scanner
  • AntiVirService
  • AntiVirMailGuard
  • AntiVirSchedulerService
  • McShield
  • AntiVirFirewallService
  • NIS
  • MSK80Service
  • 0053591272669638mcinstcleanup
  • mfefire
  • McNASvc
  • Mc0obeSv
  • McMPFSvc
  • McProxy
  • Mc0DS
  • mcmscsvc
  • McAfee SiteAdvisor Service
  • mfevtp
  • Avgfws9
  • AVG Security Toolbar Service
  • avg9wd
  • AVGIDSAgent
  • PAVFNSVR
  • Gwmsrv
  • PSHost
  • PSIMSVC
  • PAVSRV
  • PavPrSrv
  • PskSvcRetail
  • Panda Software Controller
  • TPSrv
  • SfCtlCom
  • prlo
  • TmProxy
  • TMBMServer
  • Arrakis3
  • LIVESRV
  • scan
  • VSSERV
  • sdAuxService
  • sdCoreService
  • AVP

[Where %WinDir% is the Windows Directory - for example c:\windows]

                         --------------------------

 

This Virus has been seen in large spam runs with the subject line: "Here you have".

When executed, the following files are dropped:

  • %WINDIR%\system\Administrator CV 2010.exe
  • %WINDIR%\system\updates.exe
  • %WINDIR%\Administrator CV 2010.exe
  • %WINDIR%\autorun.inf
  • %WINDIR%\autorun2.inf
  • %WINDIR%\csrss.exe
  • %WINDIR%\vb.vbs
  • %DIR%\Administrator CV 2010.exe
  • %WINDIR%\tryme1.exe
  • %WINDIR%\im.exe
  • %WINDIR%\csrss.exe
  • %WINDIR%\vb.vbs
  • %TEMP%\~DF1DC7.tmp
  • %WINDIR%\ie.exe
  • %WINDIR%\rd.exe
  • %WINDIR%\re.exe
  • %WINDIR%\system\updates.exe
  • %WINDIR%\SYSTEM32\SendEmail.dll
  • %WINDIR%\gc.exe
  • %WINDIR%\hst.iq
  • %WINDIR%\ff.exe
  • %WINDIR%\op.exe
  • %WINDIR%\pspv.exe
  • %WINDIR%\re.iq
  • %WINDIR%\ff.dlm
  • %APPDATA%\addons.dat

Where %WINDIR% = \WINDOWS (Windows 9x/ME/XP/Vista/7), \WINNT (Windows NT/2000)

The following files were temporarily written to disk then later removed:
 

  • %WINDIR%\ff.iq
  • %WINDIR%\ie.iq
  • %WINDIR%\SendEmail.iq
  • %WINDIR%\w.iq
  • %WINDIR%\m.iq
  • %WINDIR%\gc.iq
  • %WINDIR%\SYSTEM32\drivers\etc\hosts
  • %WINDIR%\pspv.iq
  • %WINDIR%\w.exe
  • %WINDIR%\tryme.iq
  • %WINDIR%\im.iq
  • %WINDIR%\rd.iq
  • %TEMP%\~DFAFA.tmp
  • %WINDIR%\m.exe
  • %WINDIR%\SendEmail.dll
  • %WINDIR%\b.bat
  • %WINDIR%\op.iq

The following file was modified:
 

  • %WINDIR%\SYSTEM32\wbem\logs\wbemprox.log

The malware has been known to randomly delete certain existing executables and to replace the current hosts file.

Registry changes such as the ones below are made to prevent certain system tools from running. This is a subset of the complete changes:

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adobe Gamma Loader.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\angry.bat
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtIaRP.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aNtS.ExE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apu-0607g.xml
  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\
    HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS SCRIPT HOST\SETTINGS\


The following registry element was modified:

  • HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\LOCKED = 1

The following registry key was added to get past the Outlook security message prompt:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Outlook\Security\ObjectModelGuard = 0x00000002

Connections to the following resources are attempted:

  • hxxp://members.multimania.co.uk/yahoophoto/*****
  • 213.131.252.***:80

 

This virus will search for and terminate processes and services belonging to various security products. It searches for the following strings in the name of any running process or service:

  • 'wscsvc'
  • 'MpsSvc'
  • 'WinDefend'
  • 'wuauserv'
  • 'AntiVirWebService'
  • 'McNaiAnn'
  • 'Avast! Antivirus'
  • 'aswUpdSv'
  • 'avast! Mail Scanner'
  • 'avast! Web Scanner'
  • 'AntiVirService'
  • 'AntiVirMailGuard'
  • 'AntiVirSchedulerService'
  • 'McShield'
  • 'AntiVirFirewallService'
  • 'mfefire'
  • 'McNASvc'
  • 'Mc0obeSv'
  • 'McMPFSvc'
  • 'McProxy'
  • 'Mc0DS'
  • 'mcmscsvc'
  • 'McAfee SiteAdvisor Service'
  • 'mfevtp'
  • 'Avgfws9'
  • 'AVG Security Toolbar Service'
  • 'avg9wd'
  • 'AVGIDSAgent'
  • 'PAVFNSVR'
  • 'Gwmsrv'
  • 'PSHost'
  • 'PSIMSVC'
  • 'PAVSRV'
  • 'PavPrSrv'
  • 'PskSvcRetail'
  • 'Panda Software Controller'
  • 'TPSrv'
  • 'SfCtlCom'
  • 'TmProxy'
  • 'TMBMServer'
  • 'Arrakis3'
  • 'LIVESRV'
  • 'scan'
  • 'VSSERV'
  • 'sdAuxService'
  • 'sdCoreService'
  • 'AVP'

 

   

AVERT DATS
Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

Extra.DAT


An Extra.DAT is available to detect and repair this threat.

Stinger
A Stinger tool for W32/VBMania@MM has been posted to help detect and repair this threat.