New internet-virus in town: Win32.VanBot.cq Worm
Win32.VanBot.cq is a worm that spreads through network shares, infecting all the systems on the network.
Win32.VanBot.cq has backdoor functionality that allows a hacker to gain access to and control of the system.
Win32.VanBot.cq includes the following functionality:
1. To exploit system vulnerabilities.
2. To install itself into the registry.
3. To download code from the internet.
4. To gain remote access and control of the system.
On execution, Win32.VanBot.cq copies itself to %Systemdir%\gummy.exe and creates the files %systemdrive%\zzzz.exe and %Windir%\superproxy.exe.
To run gummy.exe and superproxy.exe on startup, the following registry entries are created:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
gummy = %Systemdir%\gummy.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
superproxy = %Windir%\superproxy.exe
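A triage check for the files and Run values listed above, as an added example that is not part of the original write-up. It assumes %Systemdir% refers to the System32 directory, and it only inspects the HKEY_CURRENT_USER hive of the account running it.

```powershell
# Added example: look for the artifacts this write-up lists for Win32.VanBot.cq.
# Assumption: %Systemdir% in the write-up means the System32 directory.
$files = @(
    (Join-Path ([Environment]::SystemDirectory) 'gummy.exe'),
    (Join-Path "$env:SystemDrive\" 'zzzz.exe'),
    (Join-Path $env:windir 'superproxy.exe')
)

# Run values named in the write-up. HKCU is per-user, so run this once per
# logged-on account (or load other users' hives) for full coverage.
$runValues = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'gummy' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'superproxy' }
)

$findings = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        # -Force so hidden or system-flagged files are still returned
        $item = Get-Item -LiteralPath $f -Force
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $f
            Detail   = "size=$($item.Length) modified=$($item.LastWriteTimeUtc.ToString('u'))"
        }
    }
}

foreach ($rv in $runValues) {
    $prop = Get-ItemProperty -LiteralPath $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $findings += [pscustomobject]@{
            Type     = 'RunValue'
            Location = "$($rv.Key)\$($rv.Name)"
            Detail   = $prop.($rv.Name)   # the command line the value launches
        }
    }
}

if ($findings.Count -eq 0) {
    'No listed artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A Run value whose data points somewhere other than the paths above still deserves a look, since file names alone are easy to reuse.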
Name: Win32.VanBot.cq
Type: Worm
How it spreads: Network shares
Affected operating systems: Windows
Aliases: W32/Vanebot-AQ
Date of surface: 2 May 2007
© mml




















