General Explanation

Type: Worm

Degree of destruction: average

Prevalence: high

Names of the malware:

  • Worm.Win32.VBNA.bilz (Padvish)
  • PUA: Win32/Creprote (Microsoft)
  • Win32/AutoRun.VB.XW (ESET-NOD32)

What is the Worm?

Computer worms such as pykspa are a kind of malware that can reproduce itself. Worms set up persistence so that they run on every boot. Their prominent feature is the way they spread, which generally happens through portable drives or shared directories on the network.

What is VBNA malware?

This malware disables many Windows monitoring tools and then forces the user to download other malware (mostly adware) through other browsers. Then, after changing settings, it can execute along with all other .exe files.

Technical Explanation

Signs of infection

  • Disabling the Windows monitoring tools
  • Disabling Windows update notifications
  • Disabling UAC service notification
  • Disabling system firewall and different antivirus notifications
  • Disabling the system firewall completely
  • Adding the name of the malware and its complete address to the Windows Firewall white list.
  • Disabling Windows Cmd and Windows Task Manager
  • Disabling Run and Start Menu options of the system
  • Disabling the System Restore setting
  • Disabling the system alert sound that plays when an incident occurs

[HKCU\Control Panel\Sound] = "Beep: no"

  • It will add a copy of the original file in the following paths:
    • %UserProfile%\2626A7C626\winlogon.exe
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Media Center.exe
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Windows DVD Maker.exe
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.exe
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Fax y Escáner de Windows.exe

Generally, the malware hides all of its files and adds them to the paths listed above on the victim system.
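
The drop locations above lend themselves to a path-based triage of a file listing. The following is an added example, not Padvish's detection logic: it flags executables placed inside the Start Menu tree (entries there are normally `.lnk` shortcuts) and any `winlogon.exe` under a user profile. The sample listing and the user name `alice` are constructed.

```python
from pathlib import PureWindowsPath

START_MENU = ("appdata", "roaming", "microsoft", "windows", "start menu")

# Constructed sample, in the format produced by `dir /s /b /a` ("alice" is made up).
SAMPLE_LISTING = r"""
C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update.exe
C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Windows DVD Maker.exe
C:\Users\alice\2626A7C626\winlogon.exe
C:\Windows\System32\winlogon.exe
"""

def _parts(path):
    """Lower-cased path components without the drive root."""
    p = PureWindowsPath(path)
    return tuple(s.lower() for s in p.parts if s != p.anchor)

def _contains(parts, seq):
    n = len(seq)
    return any(parts[i:i + n] == seq for i in range(len(parts) - n + 1))

def classify(path):
    """Return the reasons a path resembles one of the dropped copies."""
    parts = _parts(path)
    if not parts or not parts[-1].endswith(".exe"):
        return []
    dirs, name = parts[:-1], parts[-1]
    reasons = []
    if _contains(dirs, START_MENU):
        # Start Menu entries are normally .lnk shortcuts, not executables.
        reasons.append("exe in Start Menu tree")
        if dirs[-1] == "startup":
            reasons.append("runs at logon from Startup folder")
    if name == "winlogon.exe" and dirs[:1] in (("users",), ("%userprofile%",)):
        # The genuine winlogon.exe is in the Windows system directory.
        reasons.append("winlogon.exe under a user profile")
    return reasons

def triage(listing):
    """Map each suspicious path in a newline-separated listing to its reasons."""
    hits = {}
    for line in listing.splitlines():
        line = line.strip()
        reasons = classify(line) if line else []
        if reasons:
            hits[line] = reasons
    return hits

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING).items():
        print(f"{path}\n    -> {'; '.join(reasons)}")
```

Because the malware hides its files, the listing has to include hidden entries (for example `dir /s /b /a`) for the dropped copies to show up.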

  • It will change the hosts file of the system so that the system connects to unrelated websites instead of security or antivirus-related websites.

A sample of the changed hosts file:


The goal of the malware

  1. Decreasing the OS safety
  2. Downloading different adware

At the distribution stage, this malware copies itself to portable drives. Then, it hides all files on the targeted drive and creates a shortcut to the main malware file that has the same icon and properties as the original file.

Also, the malware changes how the shortcut icon is displayed.


Value: lnkfile = "IsShortcut"


Value: piffile = "IsShortcut"

The following figure shows an infected flash drive. As you can see, the created shortcut icons look no different from normal file icons.



How to deal with it and disinfect the system

Padvish Antivirus, with UMP as part of its behavioral protection, can prevent portable drives from being infected. Hence, to prevent infection by this malware or similar threats through portable drives, it is recommended to install Padvish on your system.
