W32/VB.XCK!tr - Released Oct 28, 2009 - Last Updated Sep 01, 2010

Alias/es

P2P-Worm.Win32.BlackControl.f (KAV), Worm.Merond.N (Virusbuster)

Detection Availability

                 Active Database   Extended Database
FortiGate        low               high
FortiClient
FortiMail        N/A

Visible Symptoms


  • The following files exist:

    • %System%\hp-357.exe
    • %System%\HPWuSchdb.exe
    • %Application Data%\SystemProc\lsass.exe
    • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
    • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
    • %Program Files%\Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf

Detailed Analysis


  • Creates the following registry entries:

    • key: HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
    • value: %System%\HPWuSchdb.exe\
    • data: %System%\HPWuSchdb.exe:*:Enabled:Explorer

    • key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\
    • value: %System%\HPWuSchdb.exe\
    • data: %System%\HPWuSchdb.exe:*:Enabled:Explorer

    • key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
    • value: RTHDBPL
    • data: %Application Data%\SystemProc\lsass.exe

    • key: HKU\S-1-5-21-[Varies]\Software\Microsoft\Windows\CurrentVersion\Run\
    • value: HP Software Updater v1.1
    • data: %System%\HPWuSchdb.exe

  • Terminates the processes associated with the following antivirus programs:

    • avast
    • avg
    • McAfee
    • NOD32
    • Rising
    • K7Security Suite
    • symantec
    • Sophos
    • Panda
    • WinDefend
    • Avira
    • BitDefender
    • Trend
    • Kaspersky
    • f-secure

  • Spreads itself in the following ways:

    • It infects removable drives.
    • If ICQ is installed, it copies itself to the ICQ default shared folder.
    • If Thunderbird is installed, it sends itself through Thunderbird.

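As an added example (not part of this Fortinet entry), the following PowerShell script performs a read-only check of a host for the file and registry indicators listed above. It assumes the usual mappings %System% = System32, %Application Data% = $env:APPDATA and %Program Files% = $env:ProgramFiles, and that on a real host the firewall list value name contains the expanded path of HPWuSchdb.exe.

```powershell
# Added example, not Fortinet's code: read-only check of a host for the file and
# registry indicators listed in this entry. Assumed mappings: %System% ->
# System32, %Application Data% -> $env:APPDATA, %Program Files% -> $env:ProgramFiles.
$ErrorActionPreference = 'SilentlyContinue'
$System   = Join-Path $env:SystemRoot 'System32'
$FfExt    = Join-Path ${env:ProgramFiles} 'Mozilla Firefox\extensions\{9CE11043-9A15-4207-A565-0C94C42D590D}'
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files from "Visible Symptoms"
$Files = @(
    (Join-Path $System 'hp-357.exe'),
    (Join-Path $System 'HPWuSchdb.exe'),
    (Join-Path $env:APPDATA 'SystemProc\lsass.exe'),
    (Join-Path $FfExt 'chrome\content\timer.xul'),
    (Join-Path $FfExt 'chrome.manifest'),
    (Join-Path $FfExt 'install.rdf')
)
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $Findings.Add("file present: $f") }
}

# 2. Firewall exception for HPWuSchdb.exe in both control sets (value name is the expanded path)
$FwList = 'Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
    $key   = "HKLM:\SYSTEM\$cs\$FwList"
    $props = Get-ItemProperty -LiteralPath $key
    if ($props) {
        $props.PSObject.Properties | Where-Object { $_.Name -like '*HPWuSchdb.exe*' } |
            ForEach-Object { $Findings.Add("firewall exception in $($key): $($_.Name) = $($_.Value)") }
    }
}

# 3. Machine-wide policy Run value, then the per-user Run value (SID varies, so scan all loaded hives)
$PolRun = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
if ($PolRun.RTHDBPL) { $Findings.Add("policy Run value RTHDBPL = $($PolRun.RTHDBPL)") }
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object {
        $run = Get-ItemProperty -LiteralPath "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
        $v   = $run.'HP Software Updater v1.1'
        if ($v) { $Findings.Add("user Run value in $($_.PSChildName): $v") }
    }

if ($Findings.Count -eq 0) { 'No W32/VB.XCK!tr indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so HKEY_USERS and System32 are readable; a hit on the firewall list or either Run value is the strongest signal, since the file names are chosen to mimic HP and Windows components.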

Recommended Action

    FortiGate Systems

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 1099196