Threat Encyclopedia

Win32/TrojanDropper.VB.NPT

Aliases: Trojan-Downloader.Win32.Agent.eefk (Kaspersky), TrojanDownloader:Win32/Bulilit.A (Microsoft)
Type of infiltration: Trojan
Size: 73216 B
Affected platforms: Microsoft Windows
Signature database version: 5335 (20100802)

Short description

Win32/TrojanDropper.VB.NPT is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself into the following location:
  • C:\WINDOWS\system32\%filename%.exe
A string with variable content is used instead of %filename%.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RunmeAtStartup" = "C:\WINDOWS\system32\%filename%.exe"

The trojan creates the following files:
  • %temp%\svchost.exe (55577 B, Win32/AntiAV.NGX)
  • C:\rec.bat
The files are then executed.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:
  • editor
  • ethereal
  • c32asm
  • hex
  • hiew
  • ollyice
  • peid
  • sniff
  • ultraEdit
  • vmusrvc
  • vmware
  • VMwareTray.exe
  • w32dasm
The trojan contains a list of 6 URLs.

It tries to download several files from these addresses.

These are stored in the following locations:
  • C:\WINDOWS\system32\%variable%.exe
  • C:\WINDOWS\system32\%variable%.dll
A string with variable content is used instead of %variable%.

The HTTP protocol is used. The files are then executed.

The trojan may create the following files:
  • C:\WINDOWS\system32\xvhost.sb
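
A host-triage check for the artifacts listed in this entry, added here as an example and not part of the original description: it matches a snapshot of Run-key values and file paths against the "RunmeAtStartup" value and the file locations named above. The function name, the snapshot layout and the sample data are assumptions made for illustration.

```python
import ntpath

# Locations taken from the description above, lower-cased for comparison.
SYSTEM32 = r"c:\windows\system32"
RUN_VALUE = "runmeatstartup"
FIXED_PATHS = {
    r"c:\rec.bat": "batch file created by the trojan",
    SYSTEM32 + r"\xvhost.sb": "file the trojan may create",
}

def triage(run_values, file_paths, temp_dir):
    """Return (reason, evidence) pairs for artifacts matching this entry.

    run_values: {value name: data} read from the Run key named above
    file_paths: full Windows paths seen on the host; temp_dir: expanded %temp%
    """
    findings = []
    for name, data in run_values.items():
        target = ntpath.normpath(data.strip().strip('"')).lower()
        if (name.lower() == RUN_VALUE
                and ntpath.dirname(target) == SYSTEM32
                and target.endswith(".exe")):
            findings.append(("Run value set by the trojan", f"{name} = {data}"))
    temp = ntpath.normpath(temp_dir).lower()
    for path in file_paths:
        norm = ntpath.normpath(path).lower()
        if norm in FIXED_PATHS:
            findings.append((FIXED_PATHS[norm], path))
        elif ntpath.basename(norm) == "svchost.exe" and ntpath.dirname(norm) == temp:
            # The genuine Windows svchost.exe is not located in %temp%.
            findings.append(("svchost.exe dropped in %temp%", path))
    return findings

# Constructed sample snapshot (not taken from a real host).
SAMPLE_RUN = {
    "SecurityHealth": r"C:\WINDOWS\system32\SecurityHealthSystray.exe",
    "RunmeAtStartup": r"C:\WINDOWS\system32\kqzt.exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\rec.bat",
    r"C:\WINDOWS\system32\xvhost.sb",
]
SAMPLE_TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"

if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_TEMP):
        print(f"{reason}: {evidence}")
```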