Virus: TR/Vb.akv
Date discovered: 18/05/2006
Type: Trojan
In the wild: No
Reported infections: Low
Distribution potential: Low
Damage potential: Medium to high
Static file: Yes
File size: 188,416 bytes
MD5 checksum: fdd2e621aca76fd503535376e4063118
VDF version: 6.34.01.99
IVDF version: 6.34.01.101 - Thursday, May 18, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Trojan.Win32.VB.akz
   •  F-Secure: Trojan.Win32.VB.akz
   •  Eset: Win32/VB.AKZ
   •  Bitdefender: Trojan.Vb.AKZ


Side effects:
   • Disable security applications
   • Drops a file
   • Lowers security settings
   • Registry modification


Right after execution the following information is displayed:


Files
It copies itself to the following locations:
   • %WINDIR%\jjakarta.exe
   • %HOME%\My Documents\ttrans.exe
   • %SYSDIR%\ooke.exe
   • %current directory%\%current directory name%.exe



It deletes the following files:
   • %current directory%\*.exe
   • %current directory%\*.txt
   • %current directory%\*.com
   • %current directory%\*.reg
   • %current directory%\*.inf
   • %current directory%\*.rar



The following files are created:

– A file that is for temporary use and it might be deleted afterwards:
   • %TEMPDIR%\~%hex number%.tmp

– %HOME%\My Documents\Baca.html

Registry
The following registry keys are added:

– [HKCU\Software\Microsoft\MS Setup (ACME)]
– [HKCU\Software\Microsoft\MS Setup (ACME)\User Info]
   • "DefCompany"="Terima kasih kepada Vaksin.Com"
   • "DefName"="Terima kasih kepada Vaksin.Com"



The following registry keys are changed:

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   CabinetState]
   Old value:
   • "FullPath"=%user defined settings%
   New value:
   • "FullPath"=dword:00000001

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
   CabinetState]
   Old value:
   • "FullPath"=%user defined settings%
   New value:
   • "FullPath"=dword:00000001

– [HKCR\Directory]
   Old value:
   • "InfoTip"="prop:DocComments"
   New value:
   • "InfoTip"=""
   • "TileInfo"=""

– [HKCR\Directory\DefaultIcon]
   Old value:
   • @="%SystemRoot%\System32\shell32.dll,3"
   New value:
   • @="%WINDIR%\jjakarta.exe"

– [HKCR\Folder]
   Old value:
   • "TileInfo"="prop:Size"
   New value:
   • "TileInfo"=""
   • "InfoTip"=""

– [HKCR\Folder\DefaultIcon]
   Old value:
   • @="%SystemRoot%\System32\shell32.dll,3"
   New value:
   • @="%WINDIR%\jjakarta.exe"

– [HKCR\exefile]
   Old value:
   • @="Application"
   • "TileInfo"="prop:FileDescription;Company;FileVersion"
   • "InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
   New value:
   • @="File Folder"
   • "TileInfo"=""
   • "InfoTip"=""
   • "NeverShowExt"=""

– [HKCR\txtfile\shell\open\command]
   Old value:
   • @="%SystemRoot%\system32\NOTEPAD.EXE %1"
   New value:
   • @="%SYSDIR%\OOKE.EXE %1"

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "HideFileExt"=%user defined settings%
   • "ClassicViewState"=%user defined settings%
   • "SuperHidden"=%user defined settings%
   • "ShowSuperHidden"=%user defined settings%
   New value:
   • "HideFileExt"=dword:00000001
   • "ClassicViewState"=dword:00000001
   • "SuperHidden"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "HideFileExt"=%user defined settings%
   • "SuperHidden"=%user defined settings%
   • "ShowSuperHidden"=%user defined settings%
   • "ClassicViewState"=%user defined settings%
   New value:
   • "HideFileExt"=dword:00000001
   • "SuperHidden"=dword:00000001
   • "ShowSuperHidden"=dword:00000000
   • "ClassicViewState"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   New value:
   • "DisableCAD"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Security Center]
   Old value:
   • "AntiVirusDisableNotify"=%user defined settings%
   • "FirewallDisableNotify"=%user defined settings%
   • "UpdatesDisableNotify"=%user defined settings%
   • "AntiVirusOverride"=%user defined settings%
   • "FirewallOverride"=%user defined settings%
   New value:
   • "AntiVirusDisableNotify"=dword:00000001
   • "FirewallDisableNotify"=dword:00000001
   • "UpdatesDisableNotify"=dword:00000001
   • "AntiVirusOverride"=dword:00000000
   • "FirewallOverride"=dword:00000000

Disable Regedit (the value only blocks the Registry Editor; Task Manager is handled by the process termination below):
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

Disable Regedit:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\
   Group Policy Objects\LocalUser\Software\Microsoft\Windows\
   CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

Disable Regedit:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

Disable Regedit:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\
   Group Policy Objects\LocalUser\Software\Microsoft\Windows\
   CurrentVersion\Policies\System]
   Old value:
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableRegistryTools"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
   Old value:
   • "RegisteredOrganization"=%user defined settings%
   • "RegisteredOwner"=%user defined settings%
   New value:
   • "RegisteredOrganization"="Terima kasih kepada Vaksin.Com"
   • "RegisteredOwner"="Terima kasih kepada Vaksin.Com"

Various Explorer settings:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
   Old value:
   • "NoFind"=%user defined settings%
   • "NoRun"=%user defined settings%
   New value:
   • "NoFind"=dword:00000001
   • "NoRun"=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFind"=%user defined settings%
   • "NoRun"=%user defined settings%
   New value:
   • "NoFind"=dword:00000001
   • "NoRun"=dword:00000001

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="explorer.exe"
   New value:
   • "Shell"="explorer.exe jjakarta.exe"
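The file and registry indicators listed above can be checked and reverted with the following PowerShell script. It is an added example for this description, not Avira's removal tool and not code taken from the page. Assumptions: it runs in an elevated PowerShell 4.0 or later session (HKLM and HKCR writes need administrator rights, Get-FileHash needs PowerShell 4); %WINDIR%, %SYSDIR% and %HOME%\My Documents are taken as $env:SystemRoot, its System32 subfolder and the MyDocuments folder; the -Remediate switch, the $fixes table and all helper names are this example's own. Without -Remediate it only reports. Values the description records only as "%user defined settings%" (HideFileExt, ShowSuperHidden, the Security Center notification flags) are reset to the shipping defaults rather than to the unknown previous values; RegisteredOwner and RegisteredOrganization are reported but not rewritten.

```powershell
<#
  Triage and clean-up for the TR/Vb.akv indicators in this description.
  Added example (not Avira's tool). Run elevated; without -Remediate it only reports.
  Names, the $fixes table and the -Remediate switch are this example's assumptions.
#>
[CmdletBinding()]
param([switch]$Remediate)

$win  = $env:SystemRoot                                  # %WINDIR%
$sys  = Join-Path $win 'System32'                        # %SYSDIR%
$docs = [Environment]::GetFolderPath('MyDocuments')      # %HOME%\My Documents
$HKCR = 'Registry::HKEY_CLASSES_ROOT'
$KnownMd5 = 'FDD2E621ACA76FD503535376E4063118'           # sample checksum from the description

# 1. Stop running copies first; a live instance would re-apply the changes below.
Get-Process -Name 'jjakarta','ooke','ttrans' -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Dropped files. The copy named after the launch directory cannot be listed by
#    name; compare the MD5 of any suspect .exe against $KnownMd5 instead.
$dropped = @("$win\jjakarta.exe", "$sys\ooke.exe", "$docs\ttrans.exe", "$docs\Baca.html")
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) {
        $md5 = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        Write-Warning "Dropped file present: $f (MD5 $md5$(if ($md5 -eq $KnownMd5) {', matches sample'}))"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# 3. Registry. Bad = wildcard pattern identifying the trojan's value;
#    R = value to restore, or $null to delete the value; T = registry type.
$fixes = @(
  @{P="HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"; N='Shell';      Bad='*jjakarta.exe*'; R='explorer.exe'; T='String'}
  @{P="HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"; N='DisableCAD'; Bad='1'; R=$null}
  @{P="$HKCR\exefile"; N='(default)';    Bad='File Folder'; R='Application'; T='String'}
  @{P="$HKCR\exefile"; N='NeverShowExt'; Bad='';            R=$null}
  @{P="$HKCR\exefile"; N='TileInfo';     Bad=''; R='prop:FileDescription;Company;FileVersion'; T='String'}
  @{P="$HKCR\exefile"; N='InfoTip';      Bad=''; R='prop:FileDescription;Company;FileVersion;Create;Size'; T='String'}
  @{P="$HKCR\txtfile\shell\open\command"; N='(default)'; Bad='*ooke.exe*'; R='%SystemRoot%\system32\NOTEPAD.EXE %1'; T='ExpandString'}
  @{P="$HKCR\Directory\DefaultIcon"; N='(default)'; Bad='*jjakarta.exe*'; R='%SystemRoot%\System32\shell32.dll,3'; T='ExpandString'}
  @{P="$HKCR\Folder\DefaultIcon";    N='(default)'; Bad='*jjakarta.exe*'; R='%SystemRoot%\System32\shell32.dll,3'; T='ExpandString'}
  @{P="$HKCR\Directory"; N='InfoTip';  Bad=''; R='prop:DocComments'; T='String'}
  @{P="$HKCR\Directory"; N='TileInfo'; Bad=''; R=$null}
  @{P="$HKCR\Folder";    N='TileInfo'; Bad=''; R='prop:Size'; T='String'}
  @{P="$HKCR\Folder";    N='InfoTip';  Bad=''; R=$null}
)
# Policies and Explorer settings are written under both HKLM and HKCU.
foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
  $fixes += @(
    @{P="$hive\Microsoft\Windows\CurrentVersion\Policies\System"; N='DisableRegistryTools'; Bad='1'; R=$null}
    @{P="$hive\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System"; N='DisableRegistryTools'; Bad='1'; R=$null}
    @{P="$hive\Microsoft\Windows\CurrentVersion\Policies\Explorer"; N='NoFind'; Bad='1'; R=$null}
    @{P="$hive\Microsoft\Windows\CurrentVersion\Policies\Explorer"; N='NoRun';  Bad='1'; R=$null}
    @{P="$hive\Microsoft\Windows\CurrentVersion\Explorer\Advanced"; N='HideFileExt';     Bad='1'; R=0; T='DWord'}  # default: show extensions
    @{P="$hive\Microsoft\Windows\CurrentVersion\Explorer\Advanced"; N='ShowSuperHidden'; Bad='0'; R=1; T='DWord'}  # show the hidden drops
  )
}
foreach ($n in 'AntiVirusDisableNotify','FirewallDisableNotify','UpdatesDisableNotify') {
  $fixes += @{P='HKLM:\SOFTWARE\Microsoft\Security Center'; N=$n; Bad='1'; R=0; T='DWord'}
}

$hits = 0
foreach ($x in $fixes) {
  if (-not (Test-Path -Path $x.P)) { continue }
  $cur = Get-ItemProperty -Path $x.P -Name $x.N -ErrorAction SilentlyContinue
  if ($null -eq $cur) { continue }                     # value absent: nothing to do
  $val = [string]$cur.$($x.N)
  if ($val -notlike $x.Bad) { continue }               # present, but not the trojan's value
  $hits++
  Write-Warning "$($x.P) [$($x.N)] = '$val'"
  if (-not $Remediate) { continue }
  if ($null -eq $x.R) { Remove-ItemProperty -Path $x.P -Name $x.N -ErrorAction SilentlyContinue }
  else { Set-ItemProperty -Path $x.P -Name $x.N -Value $x.R -Type $x.T }
}

# RegisteredOwner/Organization and CabinetState FullPath had user-specific originals
# that the description does not record: report, do not guess.
$ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($ver.RegisteredOwner -eq 'Terima kasih kepada Vaksin.Com' -or
    $ver.RegisteredOrganization -eq 'Terima kasih kepada Vaksin.Com') {
  Write-Warning 'RegisteredOwner/RegisteredOrganization carry the trojan string; restore them manually'
}
"$hits registry indicator(s) found$(if ($Remediate) {' and reverted'})"
```

The script kills the three known process names before touching anything because the trojan re-applies its settings while running. The DisableRegistryTools and NoRun policies do not affect the PowerShell registry provider, so the clean-up works even while regedit.exe is blocked. Matching is done on patterns (for example `*jjakarta.exe*`) rather than exact strings because the DefaultIcon and Shell values are written with the expanded %WINDIR% path, which differs from one installation to the next.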

Process termination
Processes whose window title contains one of the following strings are terminated:
   • windows task manager
   • search results


File details
Programming language:
The malware was written in Visual Basic.

Description inserted by Adriana Popa on Friday, November 24, 2006
Description updated by Adriana Popa on Friday, November 24, 2006
