Aliases: Mal/Rungbu-A, VB.AGT, W32/VBWorm.NWB, Win32/Gnurbulf.H, Worm.VB.Rungbu.A,
Variants: Worm.Win32.VB.du, Worm.Win32.VB.du, Worm/VB.DU.12, WORM_VB.FJD, ~Virus:Win32/Rungbu.gen!C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 23 Aug 2006
Damage: Low

Characteristics: The W32/Rungbu program is a virus that replaces Microsoft Word document files with a copy of itself, appending the original Microsoft Word document to it. The virus affects Windows Operating System platforms such as Windows 2000, Windows 98, Windows 95, Windows NT, Windows Me, Windows XP, and Windows Server 2003

More details about W32.Rungbu

Once the W32.Rungbu progra, is executed, it creates SVCHOST.EXE, SPOOLSV.EXE, CTFMON.EXE, SMSS.EXE in the drive on which windows is installed. It also creates docicon.exe in windows installation folder and Burung.txt in the current user’s profile folder. The worm also adds and modifies values to the registry sub key to hide file extensions on the compromised computer and makes Microsoft word as the default program for starting .scr files. After the worm has created files on the specified location and changed values on the registry, it opens Microsoft word and displays a dialog box stating that Word does not have the plugin required for the document. It then asks you if you want to install it. It sets the hidden attribute in the original Word document so the file will not be visible on the compromised computer. It saves a copy of itself as an .scr file using the file name of the Word document and appends a copy of the original Word document to the virus.

One of the most common distribution medium used by the W32.Rungbu program is via email. The application has a mass mailing feature. Email addresses cached on the computer are used by the program as its recipients. The installation of the W32.Rungbu application is initialized when the email attachment is clicked. It prompts the user to download a file. The attached file encrypted with the W32.Rungbu program is commonly an executable file disguised as an installer of a useful application. The application also has a rootkit function. The rootkit feature enables the program to create hidden registry entries and files on the computer. The W32.Rungbu program is configured to execute automatically at every Windows start up.