Win32/VBbot.V
Short description
The trojan contains a backdoor. It can be controlled remotely.

Installation
The trojan creates the following files:
- %system%\msconfig32.sys (1133 B)
- %programfiles%\Java\jre6\bin\zf32.dll (28672 B)
- %programfiles%\Java\jre6\bin\jucheck.exe (155648 B)
- %appdata%\msconfig32.sys (1133 B)
- %appdata%\Java\jre6\bin\zf32.dll (28672 B)
- %appdata%\Java\jre6\bin\jucheck.exe (155648 B)

The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "Java online update program" = "%appdata%\Java\jre6\bin\jucheck.exe"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck]
  "Type" = 16
  "Start" = 2
  "ErrorControl" = 2
  "ImagePath" = "%programfiles%\Java\jre6\bin\jucheck.exe"
  "DisplayName" = "Java online update program"
  "DependOnService" = "RpcSs"
  "DependOnGroup" = ""
  "ObjectName" = "LocalSystem"
  "Description" = "Java(TM) Update Checker. This service will check new update for your Java product."
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck\Security]
  "Security" = %hex_value%
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck\Enum]
  "0" = "Root\LEGACY_JUCHECK\0000"
  "Count" = 1
  "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK]
  "NextInstance" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000]
  "Service" = "jucheck"
  "Legacy" = 1
  "ConfigFlags" = 0
  "Class" = "LegacyDriver"
  "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  "DeviceDesc" = "Java online update program"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Control]
  "*NewlyCreated*" = 0
  "ActiveService" = "jucheck"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
  "DependOnService" = "jucheck"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DnsCache]
  "DependOnService" = "jucheck"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation]
  "DependOnService" = "jucheck"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jucheck]
  "(Default)" = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\jucheck]
  "(Default)" = "Service"
- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  "%programfiles%\Java\jre6\bin\jucheck.exe" = "%programfiles%\Java\jre6\bin\jucheck.exe:*:Enabled:Java(TM) Update Checker"
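The artifacts above are all checkable from the host. The following PowerShell script is an added example, not part of the ESET description, and does read-only lookups of the Run value, the jucheck service and its injected dependencies, the SafeBoot entries, the XP-era firewall exception and the dropped files. It assumes the live CurrentControlSet link rather than the ControlSet001 key listed on the page, and resolves %system%, %programfiles% and %appdata% through the corresponding environment variables; run it in an elevated session on the host under investigation.

```powershell
# Added example (not from the ESET entry): read-only audit for the
# Win32/VBbot.V persistence artifacts. Nothing is modified or deleted.
$findings = @()

# 1. Run value that launches the %appdata% copy of jucheck.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'Java online update program'
if ($runVal) { $findings += "Run value 'Java online update program' -> $runVal" }

# 2. The 'jucheck' service. A stock JRE ships a jucheck.exe under
#    Program Files but does not register it as a LocalSystem service,
#    so the service key itself is the signal, not the file name.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\jucheck'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings += "Service 'jucheck': ImagePath=$($svc.ImagePath) ObjectName=$($svc.ObjectName) Start=$($svc.Start)"
}

# 3. Dependencies injected into core services (DependOnService is REG_MULTI_SZ,
#    so it comes back as a string array; -contains is case-insensitive)
foreach ($name in 'Dhcp', 'DnsCache', 'lanmanworkstation') {
    $dep = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).DependOnService
    if ($dep -contains 'jucheck') { $findings += "Service '$name' now depends on jucheck" }
}

# 4. SafeBoot entries that keep the service running in Safe Mode
foreach ($profile in 'Minimal', 'Network') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile\jucheck") {
        $findings += "SafeBoot\$profile\jucheck present"
    }
}

# 5. Windows Firewall authorized-application entry (XP/2003-era policy location)
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    (Get-ItemProperty -Path $fwKey).PSObject.Properties |
        Where-Object { $_.Name -like '*\Java\jre6\bin\jucheck.exe' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

# 6. Dropped files. The %appdata% copies and msconfig32.sys are the stronger
#    signals; a real JRE never installs under the user's roaming profile.
$paths = @(
    "$env:SystemRoot\System32\msconfig32.sys",
    "$env:APPDATA\msconfig32.sys",
    "$env:APPDATA\Java\jre6\bin\zf32.dll",
    "$env:APPDATA\Java\jre6\bin\jucheck.exe",
    "$env:ProgramFiles\Java\jre6\bin\zf32.dll"
)
foreach ($p in $paths) {
    if (Test-Path $p) { $findings += "File present: $p ($((Get-Item $p).Length) B)" }
}

if ($findings.Count -eq 0) { 'No Win32/VBbot.V artifacts found.' } else { $findings }
```

Reported file sizes can be compared against the byte counts listed above; a match on size plus path is a stronger indicator than the path alone, and any hit should be followed up with a hash of the file and a look at the service's ImagePath before anything is removed.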
Other information
The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of 4 URLs.
It can execute the following operations:
- collect information about the operating system used
- download files from a remote computer and/or the Internet
- run executable files
- terminate running processes
- capture screenshots
- create files
- delete files
- create folders
- delete folders
