Name: TR/VB.BG
Discovered on: 03/03/2004
Type: Trojan
ITW: No
Number of reported infections: Low
Spreading potential: Low
Damage potential: Low to medium
Static file: Yes
Size: 131,116 bytes
MD5: e4a6af3171e95e337527bbffc1201382
VDF version: 6.24.00.39
General
Method of propagation:
 • Has no propagation routine of its own
Aliases:
 • Kaspersky: Virus.Win32.VB.bg
 • F-Secure: Virus.Win32.VB.bg
 • Grisoft: Worm/VB.ZU
 • Eset: Win32/VB.DA
Operating systems:
 • Windows 98
 • Windows 98 SE
 • Windows NT
 • Windows ME
 • Windows 2000
 • Windows XP
 • Windows 2003
Side effects:
 • Drops files
 • Lowers security settings
 • Registry modification

Files
It copies itself to the following locations:
 • C:\mig2.exe
 • %WINDIR%\mig2.exe
 • %SYSDIR%\shell.exe
 • %SYSDIR%\MrHelloween.scr
 • %SYSDIR%\IExplorer.exe
 • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
 • %HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
 • %HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
 • %HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
 • %HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE
 • %HOME%\Local Settings\Application Data\WINDOWS\SMSS.EXE
 • %drive%\Data %current user name%.exe
 • %current directory%\%current directory name%.exe
 • %drive%\mig2\New Folder.exe
(The copies under %HOME%\Local Settings\Application Data\WINDOWS\ borrow the names of genuine Windows system processes, which live in %SYSDIR%; the path, not the file name, tells them apart.)
It creates the following directory:
 • %drive%\mig2
The following files are created:
 – C:\Untukmu.txt
   This is a harmless text file (Indonesian) with the following content:
   • Untukmu
     Apa yang aku lakukan tak akan kau rasakan
     Apa yang kau lakukan tak akan aku rasakan
     Benar-benar jauh, jarak kita
     Aku terpaksa,lakukan ini krana kau yang mengawali..
     Senyummu adalah sedihku
     Sedihmu adalah tawaku
     Tangisku bukan milikmu
     Tangismu adalah milikku
     masih ada lagi yang ku kejar saat ini
     saat,ini aku akan mulai mengejar yang lain
     Lepaskan Dendam dan tawaku saat ini
     JUST, 4u
     MIG - MIG
 – %WINDIR%\msvbvm60.dll (the Visual Basic 6 runtime the trojan needs)
 – %SYSDIR%\msvbvm60.dll
 – %drive%\mig2\Folder.htt
 – %drive%\desktop.ini

Registry
The following keys are added to the registry so that the process runs again after a system restart:
 – [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Logon%current user name%"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
   • "System Monitoring"="%HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE"
 – [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "mig2"="%WINDIR%\mig2.exe"
   • "Service%current user name%"="%HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
   • "MSMSGS"="%HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
The following registry keys are modified:
 – [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"
   (Winlogon processes both values at every interactive logon, so IExplorer.exe is started alongside the real shell.)
 – [HKCR\exefile]
   Old value:
   • @="Application"
   New value:
   • @="File Folder"
   (Explorer now lists .exe files with the type "File Folder"; together with the HideFileExt change below, dropped copies such as New Folder.exe look like folders.)
 – [HKCR\exefile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @=""%SYSDIR%\shell.exe" "%1" %*"
   (Every .exe launched through the shell is handed to shell.exe first, with the original program as its argument.)
 – [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   Old value:
   • "Auto"="1"
   • "Debugger"="drwtsn32 -p %ld -e %ld -g"
   New value:
   • "Auto"="1"
   • "Debugger"="%SYSDIR%\Shell.exe"
   (With Auto=1, Windows starts the registered debugger whenever an application raises an unhandled exception, so any crash relaunches the trojan.)
Various Explorer settings:
 – [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user settings%
   • "HideFileExt"=%user settings%
   • "ShowSuperHidden"=%user settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000
 – [HKCU\Control Panel\Desktop]
   Old value:
   • "ScreenSaverIsSecure"="1"
   • "SCRNSAVE.EXE"=%user settings%
   New value:
   • "ScreenSaverIsSecure"="0"
   • "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR" (the 8.3 short name of MrHelloween.scr)
 – [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%WINDIR%\mig2.exe"
   (AlternateShell is the shell used by "Safe Mode with Command Prompt", so the trojan also runs there.)
 – [HKCR\lnkfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @=""%SYSDIR%\shell.exe" "%1" %*"
 – [HKCR\piffile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @=""%SYSDIR%\shell.exe" "%1" %*"
 – [HKCR\batfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @=""%SYSDIR%\shell.exe" "%1" %*"
 – [HKCR\comfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @=""%SYSDIR%\shell.exe" "%1" %*"
Disabling the command prompt, Regedit and Task Manager:
 – [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableCMD"=%user settings%
   • "DisableTaskMgr"=%user settings%
   • "DisableRegistryTools"=%user settings%
   New value:
   • "DisableCMD"=dword:00000001
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001
Other policy settings (Explorer, System Restore, Windows Installer):
 – [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user settings%
   New value:
   • "NoFolderOptions"=dword:00000001
 – [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   Old value:
   • "DisableConfig"=%user settings%
   • "DisableSR"=%user settings%
   New value:
   • "DisableConfig"=dword:00000001
   • "DisableSR"=dword:00000001
 – [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
   New value:
   • "LimitSystemRestoreCheckpointing"=dword:00000001
   • "DisableMSI"=dword:00000001
 – [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
   New value:
   • "FullPathAddress"=dword:00000001

Process termination
List of terminated processes:
 • regedit.exe; AVP.exe; rtvscan.exe; NAV.exe; VSHWIN32.exe; ProcessManager.exe; RegistryEditor.exe; Msiexec.exe; avgemc.exe; nvcoas.exe; mcvsescn.exe; firefox.exe; TASKMGR.EXE; setup.exe; Opera.exe; avguad.exe; avgnt.exe; killvb.exe; Msi.exe
Processes whose name contains one of the following strings are terminated:
 • ANT; BRO; VIR; TASK; REG; ASM; DBG; W32; BUG; HEX; DETEC; PROC; WALK; REST; AVS; OPTIONS; AVG; SYMANTEC; PANDA; MCAFEE; PC-CILLIN; F-PROT; KASPERSKY; VAKSIN; ANTI; VIRUS
(The match is a plain substring test on the process name, so any tool whose executable name happens to contain REG, PROC, TASK and so on is killed, while a renamed copy of the same tool is not.)
Processes whose window title is one of the following are closed:
 • RegEdit_RegEdit
 • Registry Editor
 • Folder Options
 • Local Settings
The following service is disabled:
 • System Restore

File details
Programming language:
Programming language used: Visual Basic.
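The registry changes listed above are the part of this description that a responder can check mechanically on a suspect machine or an exported hive. The Python script below is an added example, not Avira's tooling and not the trojan's own code: it parses the subset of the .reg export format that regedit produces and applies one rule per modification from the description (Winlogon Shell/Userinit, the exefile/comfile/batfile/piffile/lnkfile open commands, the exefile type label, the AeDebug debugger, the SafeBoot AlternateShell, the policy lockouts and Run entries pointing at the dropped copies). The function names parse_reg and scan_reg_export are this example's own, and the export it scans is constructed for the demonstration, with C:\WINDOWS standing in for %SYSDIR% and a user named alice for %HOME%.

```python
r"""Scan a Windows registry export (.reg text) for the persistence and hijack
values listed in the TR/VB.BG description. Added example, not Avira's tooling or
the trojan's code. The export below is constructed; it uses C:\WINDOWS and a
user "alice" in place of the %SYSDIR% and %HOME% placeholders."""
import ntpath
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AEDEBUG = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
HIJACKED_CLASSES = ("exefile", "comfile", "batfile", "piffile", "lnkfile")  # open command -> shell.exe
LOCKOUT_POLICIES = {"DisableCMD", "DisableTaskMgr", "DisableRegistryTools", "NoFolderOptions",
                    "DisableSR", "DisableConfig", "DisableMSI"}  # all set to 1 by the trojan
LOOKALIKES = {"winlogon.exe", "csrss.exe", "services.exe", "lsass.exe", "smss.exe"}  # dropped copies
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    r"""Parse the .reg subset needed: [key] headers, "name"="string" (with \\ and \" escapes),
    @= default values and dword: values. Other value types are skipped."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue  # header line, blank line or unsupported syntax
        name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        elif data.lower().startswith("dword:"):
            current[name] = int(data[6:], 16)
    return keys

def scan_reg_export(text):
    """Return (key, value name, reason) tuples; rules test what a value should be, not literal paths."""
    keys = parse_reg(text)
    found = []
    val = lambda key, name: keys.get(key, {}).get(name)
    # Winlogon: Shell must be Explorer.exe alone; Userinit must list only userinit.exe.
    shell = val(WINLOGON, "Shell")
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        found.append((WINLOGON, "Shell", f"extra shell program: {shell!r}"))
    for entry in (e.strip() for e in str(val(WINLOGON, "Userinit") or "").split(",") if e.strip()):
        if ntpath.basename(entry).lower() != "userinit.exe":
            found.append((WINLOGON, "Userinit", f"extra logon program: {entry!r}"))
    # File-class hijack: the open command for exe/com/bat/pif/lnk must stay "%1" %*.
    for cls in HIJACKED_CLASSES:
        key = "HKEY_CLASSES_ROOT\\" + cls + r"\shell\open\command"
        cmd = val(key, "@")
        if isinstance(cmd, str) and cmd.strip() != '"%1" %*':
            found.append((key, "@", f"open command redirected: {cmd!r}"))
    label = val(r"HKEY_CLASSES_ROOT\exefile", "@")
    if isinstance(label, str) and label != "Application":
        found.append((r"HKEY_CLASSES_ROOT\exefile", "@", f"exe type relabelled: {label!r}"))
    # Just-in-time debugger and safe-mode shell pointed at the dropped binaries.
    dbg = val(AEDEBUG, "Debugger")
    if isinstance(dbg, str) and not dbg.lower().startswith("drwtsn32"):
        found.append((AEDEBUG, "Debugger", f"debugger replaced: {dbg!r}"))
    alt = val(SAFEBOOT, "AlternateShell")
    if isinstance(alt, str) and alt.lower() != "cmd.exe":
        found.append((SAFEBOOT, "AlternateShell", f"safe-mode shell replaced: {alt!r}"))
    # Policy lockouts, and Run entries that point at mig2.exe or a lookalike outside system32.
    for key, values in keys.items():
        for name, v in values.items():
            if "\\Policies\\" in key and name in LOCKOUT_POLICIES and v == 1:
                found.append((key, name, "tool/recovery lockout enabled"))
            elif key.lower().endswith("\\currentversion\\run") and isinstance(v, str):
                exe = v.strip().strip('"')
                base = ntpath.basename(exe).lower()
                if base == "mig2.exe" or (base in LOOKALIKES and
                                          not ntpath.dirname(exe).lower().endswith("system32")):
                    found.append((key, name, f"dropped binary in Run key: {exe!r}"))
    return found

# Constructed export of an infected profile (mirrors the description; not a real capture).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe \"C:\\WINDOWS\\system32\\IExplorer.exe\""
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\IExplorer.exe"
[HKEY_CLASSES_ROOT\exefile]
@="File Folder"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\shell.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Debugger"="C:\\WINDOWS\\system32\\Shell.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="C:\\WINDOWS\\mig2.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""
```

Run it as python3 scan_reg.py after adding a loop that prints scan_reg_export(SAMPLE_REG_EXPORT); on the constructed export it reports nine findings and leaves the untouched comfile command and the legitimate ctfmon.exe Run entry alone. Because the rules describe what each value should be (Shell exactly Explorer.exe, the open command exactly "%1" %*, the debugger drwtsn32, the safe-mode shell cmd.exe) rather than the literal strings from this description, they also flag variants that drop the same names in other directories, and they give no finding on a clean export of the same keys.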
Description inserted by Adriana Popa on Tuesday, November 21, 2006 Description updated by Adriana Popa on Thursday, November 23, 2006