Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Short description
Win32/VB.OOB is a trojan that deletes files in specific folders.
Installation
When executed, the trojan creates the following folders:
  • %windir%\system32w
  • %windir%\system32e
  • %windir%\TR1
The following files are dropped :
  • %windir%\system32w\IOASAL.DLL
  • %windir%\system32w\smss.GELGG
  • %windir%\system32w\services.GELGG
  • %windir%\system32w\winlogon.GELGG
  • %windir%\system32e\services.exe
  • %windir%\system32e\TR07C.DLL
The trojan creates and runs a new thread with its own program code within the following processes:
  • smss.exe
Payload information
Win32/VB.OOB is a trojan that deletes files in specific folders. The trojan searches local drives for files with the following file extensions:
  • *.*
It avoids files which contain any of the following strings in their path:
  • %windir%
  • Local Setting
  • Application Data
  • Temp
  • RECYCLE
more...
When the trojan finds a file matching the search criteria, it creates a new file.

The file name and extension of the newly created file is derived from the original one.

An additional ".T-652D.PNG" extension is appended. The file is JPEG image.

Some examples follow.
(1.)

(2.)

(3.)

(4.)
Size of the file is 21901 B, 305801 B .

The trojan then deletes the original files.
Other information
The trojan may execute the following commands:
  • command.com /c ipconfig /all
  • command.com /c tracert www.google.co.jp
  • command.com /c tracert www.yahoo.co.jp
  • command.com /c tracert www.goo.ne.jp