Aliases: Trojan.Win32.VB.aw, Troj/VB-AW, Trojan:Win32/VB.AW
Variants: Trojan.VB.AW, Trojan Horse, Win32/VB.AW,

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 18 Jun 2003
Damage: Low

Characteristics: The W32.Shermnar.B.Worm program is a threat that tries to multiply using the Kazaa peer to peer network. It makes multiple duplicates of itself in the directory.

More details about W32.Shermnar.B.Worm

When the W32.Shermnar.B.Worm program is opened, it displays a message box and an image that has German text on it. It makes the “directory:%Windir%Fonts^-^”. Then, it makes a few hundred duplicates of itself in the “%Windir%Fonts^-^” folder under different names such as “666.exe”, “Hotmailhack.exe”, “LordOfTheRings3-FullDownloader.exe”, “SIMS-FullDownloader.exe”, “KillOsamaBinLaden-FullGame.exe”, “StarWars2 - CloneAttack - FullDownloader.exe”, and “Necronomikon-is-back.exe”. It also makes files w/ the “3~34” and “Minerva” prefixes followed by the random numbers. Then, it adds the value “DIdir0” = “%Windir%Fonts^-^” to the registry key, to create the new directory available to other “Kazaa” users. It also tries to set itself to open automatically on startup by changing the registry; however, it doesn’t succeed because of a bug in the code.

The application may place its components in varying locations. This is so it will not be easy to detect or delete. The files may also be saved with varying names. It may mimic the names of system files. They may also use random character sequences. The W32.Shermnar.B.Worm software reportedly uses both DLL (Dynamic Link Libraries) and EXE files. Both kinds of files are added to the system registry. The DLL modules are registered as BHO (Browser Helper Object) programs. The EXE files are registered as startup processes.