Virus: TR/VB.QN.1
Date discovered: 20/12/2004
Type: Trojan
Subtype: Downloader
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 77.312 Bytes
MD5 checksum: 976753dd82759b6ca8f5c4b62cc25f92
VDF version: 6.29.00.24

General:
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Prutec
   •  Kaspersky: Trojan-Spy.Win32.VB.eh
   •  Sophos: Troj/Prutec-K
   •  Bitdefender: Trojan.Spy.VB.ED


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Disable security applications
   • Downloads files
   • Downloads malicious files
   • Drops files
   • Registry modification
   • Third party control

Files:
It copies itself to the following location:
   • %malware execution directory%\%random character string%.exe



It deletes the initially executed copy of itself.



It deletes the following file:
   • %system drive root%\~



The following files are created:

– Non malicious files:
   • %malware execution directory%\key.~
   • %malware execution directory%\log.~

%TEMPDIR%\%hex number%.exe



It tries to download a file:

– The location is the following:
   • http://prutect.com/**********
It is saved on the local hard drive under: %malware execution directory%\iniwin32.dll
This file is executed once the download is complete. Further investigation showed that this file is malware, too. Detected as: ADSPY/E2Give.D

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%executed file%"="%malware execution directory%\%executed file%"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • "%executed file%"="%malware execution directory%\%executed file%"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • "%executed file%"="%malware execution directory%\%executed file%"



The values of the following registry keys are removed:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • ptech
   • PTECH
   • ptach
   • PTACH
   • ptich
   • PTICH

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
   • ptech
   • PTECH
   • ptach
   • PTACH
   • ptich
   • PTICH

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
   • ptech
   • PTECH
   • ptach
   • PTACH
   • ptich
   • PTICH



The following registry keys are added:

– [HKCR\CLSID\{%generated CLSID%}]
   • "InprocServ32"="%malware execution directory%\%executed file%"

– [HKCR\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
   • @="CControl Object"
   • "AppID"=""
   • "AppId2"=dword:%hex number%
   • "AppID3"="Verified"

– [HKCR\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\InprocServer32]
   • "ThreadingModel"="apartment"

– [HKCR\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\ProgID]
– [HKCR\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\Programmable]
– [HKCR\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\TypeLib]
– [HKCR\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}\VersionIndependentProgID]
– [HKCR\AppID\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}]
– [HKCR\AppID\IeBHOs.DLL]
– [HKCR\IeBHOs.Control\CurVer]
   • @="IeBHOs.Control.1"

– [HKCR\IeBHOs.Control\CLSID]
– [HKCR\IeBHOs.Control.1\CLSID]
– [HKCR\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\0\win32]
– [HKCR\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\FLAGS]
– [HKCR\TypeLib\{3B99F202-145A-4E5A-AC7B-88A36910BF5E}\1.0\HELPDIR]
– [HKLM\SOFTWARE\E2G]
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]


The following registry key is changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
   Old value:
   • "AppInit_DLLs"="%user defined settings%"
   New value:
   • "AppInit_DLLs"="iniwin32.dll"
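A defender-side check, added here and not part of the Avira description: it parses a Windows .reg export (the sample dump below is constructed for illustration) and reports the registry indicators listed above, namely the AppInit_DLLs entry for iniwin32.dll, the BHO and CLSID registration, the TypeLib, the IeBHOs.Control ProgIDs and the HKLM\SOFTWARE\E2G key.

```python
import re

# Identifiers taken from the description above.
BHO_CLSID = "{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}"
TYPELIB_ID = "{3B99F202-145A-4E5A-AC7B-88A36910BF5E}"
APPINIT_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"

# Constructed sample of a .reg export from an infected host (not real data).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="iniwin32.dll"

[HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]
@="CControl Object"
"AppID3"="Verified"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\E2G]
"""

def parse_reg_export(text):
    """Return {key: {value_name: data}} from .reg style text; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
            if m:
                name = m.group(1) if m.group(1) is not None else "@"
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = data[1:-1]  # unquote REG_SZ data
                keys[current][name] = data
    return keys

def scan_reg_export(text):
    """Return a list of findings matching the TR/VB.QN.1 / E2Give indicators."""
    keys = parse_reg_export(text)
    findings = []
    appinit = keys.get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    if "iniwin32.dll" in appinit.lower():
        findings.append("AppInit_DLLs loads iniwin32.dll: %r" % appinit)
    for key in keys:
        up = key.upper()
        if BHO_CLSID in up and "BROWSER HELPER OBJECTS" in up:
            findings.append("BHO registered for CLSID " + BHO_CLSID)
        elif up.endswith("\\CLSID\\" + BHO_CLSID):
            findings.append("CLSID " + BHO_CLSID + " registered")
        elif TYPELIB_ID in up and "\\TYPELIB\\" in up:
            findings.append("TypeLib " + TYPELIB_ID + " registered")
        elif up.endswith("\\IEBHOS.CONTROL") or up.endswith("\\IEBHOS.CONTROL.1"):
            findings.append("ProgID " + key.rsplit("\\", 1)[1] + " registered")
        elif up == "HKEY_LOCAL_MACHINE\\SOFTWARE\\E2G":
            findings.append("HKLM\\SOFTWARE\\E2G present")
    return findings
```

Run `scan_reg_export(open("export.reg").read())` on an export taken with `reg export`; an empty list means none of the listed keys or the AppInit_DLLs entry were found.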

Backdoor:
Contact server:
All of the following:
   • http://prutect.com/**********
   • http://prutect.com/**********
   • http://216.122.145.209/**********
   • http://216.122.145.208/**********
   • http://prutect.com/**********

As a result it may send information and remote control could be provided. This is done via HTTP GET and HTTP POST requests to a CGI script.
The server's answer is written to the file: %malware execution directory%\data.~


Sends information about:
    • Current malware status
    • Platform ID
    • Information about the Windows operating system


Remote control capabilities:
    • Download file
    • Visit a website

File details:
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
To hinder detection and reduce the file size, it is packed with the following runtime packer:
   • UPX

Description inserted by Daniel Constantin on Thursday, May 4, 2006
Description updated by Daniel Constantin on Thursday, May 4, 2006
