W32/Vanebot-R
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 10 % (Normal) |
| Infected Computers: | 1 |
| First Seen: | January 4, 2013 |
| Last Seen: | February 7, 2023 |
| OS(es) Affected: | Windows |
The W32/Vanebot-R Worm is a dangerous malware infection that was mainly active in 2006 and 2007. Although infections involving W32/Vanebot-R may still appear, they are much less frequent than before thanks to the efforts of PC security researchers and the advancement of the anti-malware programs technology. W32/Vanebot-R spreads using the following pathways:
- W32/Vanebot-R may be distributed by compromised MS SQL servers which may be infected due to using weak passwords or security settings.
- W32/Vanebot-R can spread on a network through shared folders and drives.
- W32/Vanebot-R can also take advantage of a security vulnerability present in Microsoft Server Service known as MS06-040. By using this vulnerability, the remote code (such as W32/Vanebot-R's executable file) can be executed on the victim's computer.
- W32/Vanebot-R is often spread through instant message spam sent from an infected computer.
Table of Contents
How Criminals Profit from Using W32/Vanebot-R to Infect a Computer
Once a computer is infected, W32/Vanebot-R will contact an IRC server so W32/Vanebot-R can receive instructions, effectively integrating the infected computer into a botnet. Using this botnet, the criminals responsible for the W32/Vanebot-R infection managed to generate thousands of dollars in illegal revenue. W32/Vanebot-R has been used in various scams. However, the most notorious involved infecting computers in order to earn money from affiliate marketing. An adware company paid people to install adware on vulnerable computers. Using this adware affiliate scheme, computers infected with W32/Vanebot-R were then used to spread W32/Vanebot-R further. Each computer infected with W32/Vanebot-R would, in turn, have this adware installed on its drive. Although there are more sophisticated ways of profiting from botnets (such as generating bitcoins or using them to steal banking information and carry out credit card fraud), when W32/Vanebot-R was mainly active, this was the principal way of generating revenue from a botnet infection.
The most common file name associated with W32/Vanebot-R is some variation of 'redworld'. Some examples of typical file names associated with W32/Vanebot-R include the following:
- redworld.exe
- redworld2.exe
- (random number string)_redworld2.exe
W32/Vanebot-R makes changes to the Windows Registry which allows W32/Vanebot-R to start up automatically when Windows is launched; W32/Vanebot-R disguises itself as a 'Microsoft Security Login Service'. W32/Vanebot-R also makes changes to the Windows Registry that allows W32/Vanebot-R to disable the infected computer's firewall and to interfere with security software installed on the victim's computer.
File System Details
| # | File Name |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|
| 1. | [RANDOM CHARACTERS]_redworld2.exe | |
| 2. | redworld.exe | |
| 3. | redworld2.exe | |
| 4. | [Windows system folder]\dllcache\mssecure32.exe |
Registry Details
URLs
W32/Vanebot-R may call the following URLs:
| thesearchconverters.com |
Submit Comment
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.