Name: TR/VB.BG
Discovered on: 03/03/2004
Type: Trojan
ITW: No
Number of reported infections: Low
Spreading potential: Low
Damage potential: Low to medium
Static file: Yes
Size: 131,116 bytes
MD5: e4a6af3171e95e337527bbffc1201382
VDF version: 6.24.00.39

General
Method of propagation:
   • Has no propagation routine of its own


Aliases:
   •  Kaspersky: Virus.Win32.VB.bg
   •  F-Secure: Virus.Win32.VB.bg
   •  Grisoft: Worm/VB.ZU
   •  Eset: Win32/VB.DA


Operating systems:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Creates files
   • Lowers security settings
   • Modifies the registry

Files
Copies itself to the following locations:
   • C:\mig2.exe
   • %WINDIR%\mig2.exe
   • %SYSDIR%\shell.exe
   • %SYSDIR%\MrHelloween.scr
   • %SYSDIR%\IExplorer.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SMSS.EXE
   • %drive%\Data %current user name%.exe
   • %current directory%\%current directory name%.exe
   • %drive%\mig2\New Folder.exe



Creates the following directory:
   • %drive%\mig2



The following files are created:

C:\Untukmu.txt This is a harmless text file with the following content:
   • Untukmu
     
     Apa yang aku lakukan tak akan kau rasakan
     Apa yang kau lakukan tak akan aku rasakan
     Benar-benar jauh, jarak kita
     Aku terpaksa,lakukan ini krana kau yang mengawali..
     
     Senyummu adalah sedihku
     Sedihmu adalah tawaku
     
     Tangisku bukan milikmu
     Tangismu adalah milikku
     
     masih ada lagi yang ku kejar saat ini
     saat,ini aku akan mulai mengejar yang lain
     Lepaskan Dendam dan tawaku saat ini
     JUST, 4u MIG - MIG

%WINDIR%\msvbvm60.dll
%SYSDIR%\msvbvm60.dll
%drive%\mig2\Folder.htt
%drive%\desktop.ini

Registry
The following keys are added to the registry so that the process runs again after a system restart:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Logon%current user name%"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
   • "System Monitoring"="%HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "mig2"="%WINDIR%\mig2.exe"
   • "Service%current user name%"="%HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
   • "MSMSGS"="%HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"



The following registry keys are modified:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"

[HKCR\exefile]
   Old value:
   • @="Application"
   New value:
   • @="File Folder"

[HKCR\exefile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   Old value:
   • "Auto"="1"
   • "Debugger"="drwtsn32 -p %ld -e %ld -g"
   New value:
   • "Auto"="1"
   • "Debugger"="%SYSDIR%\Shell.exe"

Various Explorer settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user settings%
   • "HideFileExt"=%user settings%
   • "ShowSuperHidden"=%user settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

[HKCU\Control Panel\Desktop]
   Old value:
   • "ScreenSaverIsSecure"="1"
   • "SCRNSAVE.EXE"=%user settings%
   New value:
   • "ScreenSaverIsSecure"="0"
   • "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR"

[HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%WINDIR%\mig2.exe"

[HKCR\lnkfile\shell\open\command]
   Old value:
   • @=" "%1" %*"
   New value:
   • @=" "%SYSDIR%\shell.exe" "%1" %*"

[HKCR\piffile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

[HKCR\batfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

[HKCR\comfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

Disabling Regedit and Task Manager:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableCMD"=%user settings%
   • "DisableTaskMgr"=%user settings%
   • "DisableRegistryTools"=%user settings%
   New value:
   • "DisableCMD"=dword:00000001
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001

Various Explorer settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user settings%
   New value:
   • "NoFolderOptions"=dword:00000001

[HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   Old value:
   • "DisableConfig"=%user settings%
   • "DisableSR"=%user settings%
   New value:
   • "DisableConfig"=dword:00000001
   • "DisableSR"=dword:00000001

[HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
   New value:
   • "LimitSystemRestoreCheckpointing"=dword:00000001
   • "DisableMSI"=dword:00000001

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   New value:
   • "FullPathAddress"=dword:00000001
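As an added defender-side example (not Avira's code), the following Python audits a set of registry values against the clean defaults listed in the registry section above and flags the Winlogon, file-association, AeDebug, SafeBoot, lockout-policy and Run-key changes this trojan makes; the `{key: {value_name: data}}` input shape, the SYSDIR path and the sample data are assumptions.

```python
# Added example (not Avira's tooling): audit registry values against the clean
# defaults this description lists. The {key: {value_name: data}} input shape,
# SYSDIR and the sample at the bottom are constructed assumptions.
import re
SYSDIR = r"C:\WINDOWS\system32"
DEFAULT_OPEN = '"%1" %*'  # stock open\command for exe/lnk/pif/bat/com files
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# Clean defaults taken from the "old value" entries in the description.
EXPECTED = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): SYSDIR + r"\userinit.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", "Debugger"): "drwtsn32 -p %ld -e %ld -g",
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
}
for ftype in ("exefile", "lnkfile", "piffile", "batfile", "comfile"):
    EXPECTED[("HKCR\\" + ftype + r"\shell\open\command", "@")] = DEFAULT_OPEN
# Policy values the trojan sets to 1 to lock the user out of cmd/taskmgr/regedit.
LOCKOUT = ("DisableCMD", "DisableTaskMgr", "DisableRegistryTools")
# Drop directory from the file list: ...\Local Settings\Application Data\WINDOWS\
DROP_RE = re.compile(r"\\Local Settings\\Application Data\\WINDOWS\\\w+\.exe$", re.I)

def norm(s):
    return " ".join(str(s).split()).lower()

def audit(registry):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    for (key, name), want in EXPECTED.items():
        got = registry.get(key, {}).get(name)
        if got is not None and norm(got) != norm(want):
            findings.append(f"{key}\\{name} changed: {got!r}")
    for name in LOCKOUT:
        if registry.get(POLICY_KEY, {}).get(name) == 1:
            findings.append(f"{POLICY_KEY}\\{name} set to 1")
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if DROP_RE.search(str(data)):
                findings.append(f"Run entry {name!r} starts dropped file {data}")
    return findings

# Constructed sample mirroring the "new value" entries in the description.
SAMPLE = {
    WINLOGON: {"Shell": 'Explorer.exe "' + SYSDIR + r'\IExplorer.exe"',
               "Userinit": SYSDIR + r"\userinit.exe," + SYSDIR + r"\IExplorer.exe"},
    r"HKCR\exefile\shell\open\command": {"@": '"' + SYSDIR + r'\shell.exe" "%1" %*'},
    r"HKCR\batfile\shell\open\command": {"@": DEFAULT_OPEN},  # untouched, not flagged
    POLICY_KEY: {"DisableTaskMgr": 1},
    RUN_KEYS[1]: {"MSMSGS": r"C:\Documents and Settings\u\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"},
}
```

Calling `audit(SAMPLE)` returns five findings (Shell, Userinit, the exefile handler, DisableTaskMgr and the MSMSGS Run entry); the untouched batfile handler is not reported.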

Process termination
List of terminated processes:
   • regedit.exe; AVP.exe; rtvscan.exe; NAV.exe; VSHWIN32.exe;
      ProcessManager.exe; RegistryEditor.exe; Msiexec.exe; avgemc.exe;
      nvcoas.exe; mcvsescn.exe; firefox.exe; TASKMGR.EXE; setup.exe;
      Opera.exe; avguad.exe; avgnt.exe; killvb.exe; Msi.exe

Processes whose names contain any of the following strings are terminated:
   • ANT; BRO; VIR; TASK; REG; ASM; DBG; W32; BUG; HEX; DETEC; PROC; WALK;
      REST; AVS; OPTIONS; AVG; SYMANTEC; PANDA; MCAFEE; PC-CILLIN; F-PROT;
      KASPERSKY; VAKSIN; ANTI; VIRUS

Processes whose window title is one of the following are closed:
   • RegEdit_RegEdit
   • Registry Editor
   • Folder Options
   • Local Settings


The following service is disabled:
   • System Restore

File details
Programming language used: Visual Basic.

Description inserted by Adriana Popa on Tuesday, November 21, 2006
Description updated by Adriana Popa on Thursday, November 23, 2006
