Virus: BDS/VB.avf
Date discovered: 29/08/2006
Type: Backdoor Server
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: Yes
File size: 48.188 Bytes
MD5 checksum: eecffebb81611d60d3c82748ac84433a
VDF version: 6.35.00.107
IVDF version: 6.35.00.133 - Friday, July 7, 2006
General
Method of propagation:
• No own spreading routine

Aliases:
• Symantec: Infostealer.Lemir
• Kaspersky: Backdoor.Win32.VB.avf
• TrendMicro: BKDR_VB.SE
• VirusBuster: Backdoor.VB.WOM
• Bitdefender: Backdoor.VB.ARA

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Registry modification
• Steals information
• Third party control

Files
It copies itself to the following locations:
• %WINDIR% \SMSS.EXE
• %SYSDIR% \rundll32.com
• %SYSDIR% \finder.com
• %SYSDIR% \MSCONFIG.COM
• %SYSDIR% \dxdiag.com
• %SYSDIR% \regedit.com
• %WINDIR% \finder.com
• %WINDIR% \explorer.com
• %WINDIR% \1.com
• %WINDIR% \ExERoute.exe
• %PROGRAM FILES% \Internet Explorer\iexplore.com
• %SYSDIR% \command.pif
• %PROGRAM FILES% \Common Files\iexplore.pif
• D:\pagefile.pif

The following files are created:
– %WINDIR% \BOOT.BIN.BAK
– D:\autorun.inf

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "TProgram"="%WINDIR% \SMSS.EXE"

The following registry keys are added:
– [HKCR\winfiles\DefaultIcon]
  • "(Default)"="%1"
– [HKCR\winfiles\Shell\Open\Command]
  • "(Default)"="%WINDIR% \ExERoute.exe "%1" %*"

The following registry keys are changed:
– [HKCR\.lnk\ShellNew]
  New value:
  • "command"="rundll32.com appwiz.cpl,NewLinkHere %1"
– [HKCU\Software\Microsoft\Internet Explorer\Main]
  New value:
  • "Check_Associations"="No"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  New value:
  • "Shell"="Explorer.exe 1"
– [HKCR\.bfc\ShellNew]
  New value:
  • "command"="%SystemRoot%\system32\rundll32.com %SystemRoot%\system32syncui.dll,Briefcase_Create %2!d! %1"
– [HKCR\cplfile\shell\cplopen\command]
  New value:
  • "(Default)"="rundll32.com shell32.dll,Control_RunDLL %1,%*"
– [HKCR\dunfile\shell\open\command]
  New value:
  • "(Default)"="%SystemRoot%\system32\rundll32.com NETSHELL.DLL,InvokeDunFile %1"
– [HKCR\htmlfile\shell\Print\command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Microsoft Office\Office10\msohtmed.exe" /p %1"
– [HKCR\inffile\shell\Install\command]
  New value:
  • "(Default)"="%SystemRoot%\System32\rundll32.com setupapi,InstallHinfSection DefaultInstall 132 %1"
– [HKCR\InternetShortcut\shell\open\command]
  New value:
  • "(Default)"="finder.com shdocvw.dll,OpenURL %l"
– [HKCR\scrfile\shell\install\command]
  New value:
  • "(Default)"="finder.com desk.cpl,InstallScreenSaver %l"
– [HKCR\scriptletfile\Shell\Generate Typelib\command]
  New value:
  • "(Default)"=""%SYSDIR% \finder.com" %WINDIR% \System32scrobj.dll,GenerateTypeLib "%1""
– [HKCR\telnet\shell\open\command]
  New value:
  • "(Default)"="finder.com url.dll,TelnetProtocolHandler %l"
– [HKCR\Unknown\shell\openas\command]
  New value:
  • "(Default)"="%SystemRoot%\system32\finder.com %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1"
– [HKCR\htmlfile\shell\open\command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Internet Explorer\iexplore.com" -nohome"
– [HKCR\Applications\iexplore.exe\shell\open\command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Internet Explorer\iexplore.com" %1"
– [HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\ OpenHomePage\Command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Internet Explorer\iexplore.com""
– [HKCR\ftp\shell\open\command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Internet Explorer\iexplore.com" %1"
– [HKCR\htmlfile\shell\opennew\command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Common Files\iexplore.pif" %1"
– [HKCR\http\shell\open\command]
  New value:
  • "(Default)"=""%PROGRAM FILES% \Common Files\iexplore.pif" -nohome"
– [HKCR\Drive\shell\find\command]
  New value:
  • "(Default)"="%SystemRoot%\explorer.com"
– [HKCR\.exe]
  New value:
  • "(Default)"="winfiles"

Process termination
List of processes that are terminated:
• CCENTER%random character string%
• ASSISTSE%random character string%
• KPFW%random character string%
• AGENTSVR%random character string%
• KV%random character string%
• KREG%random character string%
• IEFIND%random character string%
• IPARMOR%random character string%
• SVI.EXE
• UPHC%random character string%
• RULEWIZE%random character string%
• FYGT%random character string%
• RFWSRV%random character string%
• RFWMA%random character string%

File details
Programming language:
The malware program was written in Visual Basic.

Runtime packer:
To hamper detection and reduce the size of the file, it is packed with a runtime packer.
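To check an exported registry hive for the kind of tampering listed above (the `.exe` association redirected away from `exefile`, the Winlogon `Shell` value altered, and file-type handlers pointing at `.com`/`.pif` companions of standard Windows programs), here is an added Python example that is not part of this description. It parses a constructed `.reg`-style export and uses an assumed list of shadowed program names drawn from the Files section; the handler check applies to any `\command` key, not only those listed.

```python
import re

# Constructed .reg-style sample reproducing values from the description above.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\.exe]
@="winfiles"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe 1"
[HKEY_CLASSES_ROOT\http\shell\open\command]
@="\"C:\\Program Files\\Common Files\\iexplore.pif\" -nohome"
[HKEY_CLASSES_ROOT\cplfile\shell\cplopen\command]
@="rundll32.com shell32.dll,Control_RunDLL %1,%*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=("(?:[^"\\]|\\.)*"|.*)$')
PROG_RE = re.compile(r'^\s*(?:"([^"]*)"|(\S+))')   # quoted path or first token
# Assumed: stems of the Windows programs the sample shadows with .com/.pif copies.
SHADOWED = {'rundll32', 'finder', 'msconfig', 'dxdiag', 'regedit', 'explorer', 'iexplore', 'command'}

def parse_reg(text):
    """Yield (key, value name, data); the (Default) value has name ''."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            data = m.group(2)
            if data.startswith('"'):  # drop quotes, unescape \\ and \"
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            yield key, m.group(1) or '', data

def find_hijacks(text):
    """Return (rule, key, data) for values matching the tampering described above."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k == r'hkey_classes_root\.exe' and name == '' and data.lower() != 'exefile':
            hits.append(('exe-association', key, data))
        elif k.endswith(r'\winlogon') and name.lower() == 'shell' and data.lower() != 'explorer.exe':
            hits.append(('winlogon-shell', key, data))
        elif k.endswith(r'\command'):
            m = PROG_RE.match(data)
            prog = (m.group(1) or m.group(2) or '') if m else ''
            stem, _, ext = re.split(r'[\\/]', prog)[-1].lower().rpartition('.')
            if ext in ('com', 'pif') and stem in SHADOWED:
                hits.append(('companion-handler', key, data))
    return hits
```

Running `find_hijacks(SAMPLE_REG)` flags the first four entries and leaves the unmodified `txtfile` handler alone.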
Description inserted by Monica Ghitun on Tuesday, August 29, 2006
Description updated by Monica Ghitun on Friday, November 24, 2006