What is it?
Vsvbvvsq.exe is a file associated with the W32.Mydoom.U@mm mass mailing worm.
What does it do?
W32.Mydoom.U@mm is a mass-mailing worm that uses its own SMTP engine to
send itself to the email addresses that it finds on an infected
computer. The subject and message body vary, and the attachment has a
.bat, .cmd, .exe, .pif, .scr, or .zip extension. It is similar to
W32.Mydoom.P@mm.
When W32.Mydoom.U@mm is executed, it does the following:
- Copies itself as %System%\taskmon.exe.
  Notes:
  - Taskmon.exe is a legitimate file in the Windows 95/98/Me operating systems, but is in the %Windir% folder, not the %System% folder. (By default, this is C:\Windows or C:\Winnt.) Do not delete the legitimate file in the %Windir% folder.
  - %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Creates the file, %Temp%\Message, and then opens it with Notepad.
  Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- Creates a mutex, "SwebSipcSmtxS1," which allows only one instance of the worm to run in memory.
- Creates the registry key:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version
- Downloads a file from a predefined Web page as vsvbvvsq.exe, and then runs the file.
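A triage check built from the indicators listed above, added here as an example and not taken from the original write-up. It classifies file paths, registry keys and mutex names collected from a host, and leaves the legitimate Taskmon.exe in %Windir% alone. The function names and the sample artefacts are constructed, and the folder sets assume the default install locations given in the notes.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis box

# Indicators from the description above; folder defaults are the ones the notes list.
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}
WINDIR_DIRS = {r"c:\windows", r"c:\winnt"}
DROPPED_NAME = "taskmon.exe"
DOWNLOADED_NAME = "vsvbvvsq.exe"
MUTEX = "SwebSipcSmtxS1"
REG_KEY = (r"hkey_local_machine\software\microsoft\windows"
           r"\currentversion\explorer\comdlg32\version")

def classify_file(path):
    """Return 'worm-copy', 'downloaded-payload', 'legitimate-taskmon' or None."""
    folder, name = ntpath.split(ntpath.normpath(path.strip()).lower())
    if name == DOWNLOADED_NAME:
        return "downloaded-payload"      # download folder is not stated, so match by name
    if name == DROPPED_NAME and folder in SYSTEM_DIRS:
        return "worm-copy"               # taskmon.exe does not belong in %System%
    if name == DROPPED_NAME and folder in WINDIR_DIRS:
        return "legitimate-taskmon"      # Windows 95/98/Me file, must not be deleted
    return None

def matches_reg_key(key):
    """Compare a registry key path case-insensitively, accepting the HKLM short form."""
    norm = key.strip().rstrip("\\").lower()
    if norm.startswith("hklm\\"):
        norm = "hkey_local_machine" + norm[4:]
    return norm == REG_KEY

def triage(files, reg_keys, mutexes):
    """Return (indicator, artefact) pairs that match the worm's described behaviour."""
    findings = []
    for p in files:
        verdict = classify_file(p)
        if verdict in ("worm-copy", "downloaded-payload"):
            findings.append((verdict, p))
    findings += [("registry-key", k) for k in reg_keys if matches_reg_key(k)]
    # Exact match: named mutex comparison on Windows is case sensitive.
    findings += [("mutex", m) for m in mutexes if m == MUTEX]
    return findings

# Constructed sample artefacts, as they might come from a file listing and a handle dump.
SAMPLE_FILES = [r"C:\WINDOWS\taskmon.exe", r"C:\WINDOWS\System32\taskmon.exe",
                r"C:\Users\a\AppData\Local\Temp\vsvbvvsq.exe", r"C:\WINDOWS\System32\notepad.exe"]
SAMPLE_KEYS = [r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\Version",
               r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"]
SAMPLE_MUTEXES = ["SwebSipcSmtxS1", "swebsipcsmtxs1"]

if __name__ == "__main__":
    for indicator, artefact in triage(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_MUTEXES):
        print(indicator, artefact)
```

On a host whose Windows folder is not in a default location, extend SYSTEM_DIRS and WINDIR_DIRS with the actual paths before running the check.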
More info and Removal
@symantec