Mal/Rungbu-A, VB.AGT, W32/VBWorm.NWB, Win32/Gnurbulf.H, Worm.VB.Rungbu.A,
Worm.Win32.VB.du, Worm/VB.DU.12, WORM_VB.FJD, ~Virus:Win32/Rungbu.gen!C
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
23 Aug 2006
The W32/Rungbu program is a virus that replaces Microsoft Word document files with a copy of itself, appending the original Microsoft Word document to it. The virus affects Windows operating system platforms such as Windows 2000, Windows 98, Windows 95, Windows NT, Windows Me, Windows XP, and Windows Server 2003.
W32.Rungbu Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
More details about W32.Rungbu
Once the W32.Rungbu program is executed, it creates SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, and SMSS.EXE in the drive on which Windows is installed. It also creates docicon.exe in the Windows installation folder and Burung.txt in the current user's profile folder. The worm also adds and modifies values under a registry subkey to hide file extensions on the compromised computer and to make Microsoft Word the default program for starting .scr files.

After the worm has created the files in the specified locations and changed the registry values, it opens Microsoft Word and displays a dialog box stating that Word does not have the plugin required for the document. It then asks you if you want to install it. It sets the hidden attribute on the original Word document so the file will not be visible on the compromised computer. It saves a copy of itself as an .scr file using the file name of the Word document and appends a copy of the original Word document to the virus.
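The file layout described above (an executable saved as an .scr with the original Word document appended) can be checked for during triage. The following is an added example, not part of the original write-up: it flags .scr files that start with the `MZ` executable header and also contain the OLE2 compound-file signature used by legacy .doc files, and notes whether a same-named .doc sits beside them. The function names, the sample file names and the assumption that the appended document starts at the first OLE2 signature are ours.

```python
import os
import tempfile

MZ = b"MZ"                                  # DOS/PE executable header
OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")    # legacy Word (.doc) container signature

def find_appended_doc(data: bytes) -> int:
    """Offset of the first OLE2 signature after an MZ header, or -1."""
    if not data.startswith(MZ):
        return -1
    return data.find(OLE2, len(MZ))

def scan_tree(root: str):
    """Return (path, offset, has_doc_sibling) for suspicious .scr files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}  # os.walk also lists hidden files
        for f in files:
            stem, ext = os.path.splitext(f)
            if ext.lower() != ".scr":
                continue
            path = os.path.join(dirpath, f)
            with open(path, "rb") as fh:
                offset = find_appended_doc(fh.read())
            if offset > 0:
                hits.append((path, offset, stem.lower() + ".doc" in names))
    return hits

def demo():
    """Run the scan over constructed sample files (inert bytes, not malware)."""
    stub = MZ + b"\x90" * 62                    # constructed 64-byte stand-in
    doc = OLE2 + b"constructed document body"   # constructed .doc stand-in
    samples = (("report.scr", stub + doc),      # executable + appended document
               ("report.doc", doc),             # the original, normally hidden
               ("clock.scr", stub))             # ordinary screensaver, no document
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return [(os.path.basename(p), off, sib) for p, off, sib in scan_tree(d)]

if __name__ == "__main__":
    for name, offset, sibling in demo():
        print(f"{name}: OLE2 data at offset {offset}, same-named .doc present: {sibling}")
```

A hit is a triage lead rather than a verdict, since legitimate executables can also embed OLE2 data; confirm with an up-to-date scanner before acting on it.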
One of the most common distribution channels used by the W32.Rungbu program is email. The application has a mass-mailing feature, and it uses email addresses cached on the computer as its recipients. Installation of the W32.Rungbu application starts when the email attachment is clicked. It prompts the user to download a file. The attached file encrypted with the W32.Rungbu program is commonly an executable file disguised as an installer of a useful application. The application also has a rootkit function, which enables the program to create hidden registry entries and files on the computer. The W32.Rungbu program is configured to execute automatically at every Windows startup.