Virus:DR/PSW.VB.JI
Date discovered:26/02/2007
Type:Dropper
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low
Static file:Yes
File size:3,482,304 Bytes
MD5 checksum:a51e4cf019c203f7b5d56e673bb751e4
VDF version:6.37.01.162

General method of propagation:
   • No own spreading routine


Aliases:
   •  Panda: Trj/Downloader.MDW


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Drops a malicious file
   • Registry modification

Files
It creates the following directory:
   • %PROGRAM FILES%\ParentsFriend



The following files are created:

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\INS%number%.tmp
   • %TEMPDIR%\is-%random character string%.tmp\SMRunApp.exe

%SYSDIR%\comsysh.exe
%PROGRAM FILES%\ParentsFriend\pfunzip.exe
%SYSDIR%\Mswinsck.ocx
%SYSDIR%\zip32.dll
%SYSDIR%\unzip32.dll
%PROGRAM FILES%\ParentsFriend\system.pfs
%PROGRAM FILES%\ParentsFriend\noporno.pfs
%PROGRAM FILES%\ParentsFriend\nodownload.pfs
%PROGRAM FILES%\ParentsFriend\noinstall.pfs
%SYSDIR%\PF.hlp
%SYSDIR%\Tabctl32.ocx
%SYSDIR%\beegd10.ocx
%PROGRAM FILES%\ParentsFriend\regbeegd10.bat
%SYSDIR%\winadmd.exe
%SYSDIR%\winadmkill.exe
   Furthermore, it is executed once it has been fully written. Further investigation showed that this file is malware too. Detected as: TR/PSW.VB.JI

%PROGRAM FILES%\ParentsFriend\pfadmin.exe
   Furthermore, it is executed once it has been fully written. Further investigation showed that this file is malware too. Detected as: TR/PSW.VB.JI

%SYSDIR%\winadm.exe
%SYSDIR%\winprogdel.exe
%SYSDIR%\Msinet.ocx
%SYSDIR%\Regsvr16.exe

Registry
The following registry keys are added:

– [HKLM\Software\winadm]
   • unins="%PROGRAM FILES%\ParentsFriend"

– [HKCR\StingaBeeGrid10.Grid]
   • (Default)="Stinga BeeGrid Control (Icursor)"

– [HKCR\StingaBeeGrid10.Grid\CLSID]
   • (Default)="{97BD7A13-77E0-11D2-8EAE-008048E27A77}"

– [HKCR\CLSID\{97BD7A13-77E0-11D2-8EAE-008048E27A77}\VersionIndependentProgID]
   • (Default)="StingaBeeGrid10.Grid"

– [HKCR\CLSID\{97BD7A13-77E0-11D2-8EAE-008048E27A77}\InprocServer32]
   • (Default)="%SYSDIR%\beegd10.ocx"
   • ThreadingModel="Apartment"

– [HKCR\CLSID\{97BD7A13-77E0-11D2-8EAE-008048E27A77}\ToolboxBitmap32]
   • (Default)="%SYSDIR%\beegd10.ocx, 1"

– [HKCR\TypeLib\{97BD7A05-77E0-11D2-8EAE-008048E27A77}\1.0\0\win32]
   • (Default)="%SYSDIR%\beegd10.ocx"

– [HKCR\TypeLib\{97BD7A05-77E0-11D2-8EAE-008048E27A77}\1.0\HELPDIR]
   • (Default)="%SYSDIR%\"

– [HKCR\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\InprocServer32]
   • (Default)="%SYSDIR%\Msinet.ocx"
   • ThreadingModel="Apartment"

– [HKCR\CLSID\{48E59295-9880-11CF-9754-00AA00C00908}]
   • (Default)="Internet Control URL Property Page Object"



The following registry keys are changed:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs]
   New value:
   • %SYSDIR%\comcat.dll=dword:00000004

– [HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
   New value:
   • (Default)="Microsoft Winsock Control 6.0 (SP4)"

– [HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
   New value:
   • (Default)="%SYSDIR%\Mswinsck.ocx"

– [HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
   New value:
   • (Default)="%SYSDIR%\"

– [HKCR\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32]
   New value:
   • (Default)="%SYSDIR%\stdole2.tlb"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs]
   New value:
   • %SYSDIR%\Mswinsck.ocx=dword:00000001
   • %SYSDIR%\Msinet.ocx=dword:00000001
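
A host check for the indicators listed above, written by the editor as an added example; it is not part of the Avira description, and neither the dropper nor its payload contains such a script. It assumes a Windows host with PowerShell 3.0 or later. The file names, key names, dropper MD5 and size are taken from the page; the function names, the WOW64 twin locations (a 32-bit installer on 64-bit Windows is redirected to SysWOW64, "Program Files (x86)" and HKLM\Software\Wow6432Node) and the directories searched for a copy of the dropper are the editor's assumptions. The registry entries above identify several dropped components as stock Microsoft controls (Winsock Control 6.0, the Internet Transfer Control behind Msinet.ocx); those, Tabctl32.ocx, comcat.dll and stdole2.tlb are installed by many legitimate Visual Basic 6 programs, so the script reports them separately and bases its verdict only on the names that are specific to this dropper.

```powershell
# Added example by the editor, not part of the Avira description: a host
# check for the indicators listed on this page. Run from an elevated
# PowerShell prompt (3.0 or later, for Get-FileHash and Get-ChildItem -File).
# Paths, key names, dropper MD5 and size come from the page; the function
# names, the "unique"/"shared" split, the WOW64 twin locations and the
# directories scanned for the dropper are the editor's assumptions.

$DropperMd5  = 'a51e4cf019c203f7b5d56e673bb751e4'   # static file listed above
$DropperSize = 3482304                               # file size listed above

# %SYSDIR% and %PROGRAM FILES% as used in the description, plus the WOW64 twins.
$SysDirs  = @([Environment]::SystemDirectory)
if (Test-Path "$env:SystemRoot\SysWOW64") { $SysDirs += "$env:SystemRoot\SysWOW64" }
$ProgDirs = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $ProgDirs += ${env:ProgramFiles(x86)} }

# Names seen only with this dropper and its payload (relative to the dirs above).
$UniqueSys  = 'comsysh.exe','winadmd.exe','winadmkill.exe','winadm.exe',
              'winprogdel.exe','PF.hlp','Regsvr16.exe'
$UniqueProg = 'ParentsFriend\pfadmin.exe','ParentsFriend\pfunzip.exe',
              'ParentsFriend\regbeegd10.bat','ParentsFriend\system.pfs',
              'ParentsFriend\noporno.pfs','ParentsFriend\nodownload.pfs',
              'ParentsFriend\noinstall.pfs'
# Components the dropper also registers but which legitimate VB6-based
# software ships too; these are reported as supporting evidence only.
$SharedSys  = 'Mswinsck.ocx','Msinet.ocx','Tabctl32.ocx','beegd10.ocx',
              'zip32.dll','unzip32.dll'

$UniqueKeys = 'HKLM:\Software\winadm','HKLM:\Software\Wow6432Node\winadm'
$SharedKeys = 'Registry::HKEY_CLASSES_ROOT\StingaBeeGrid10.Grid',
              'Registry::HKEY_CLASSES_ROOT\CLSID\{97BD7A13-77E0-11D2-8EAE-008048E27A77}',
              'Registry::HKEY_CLASSES_ROOT\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}'

# Expand a list of relative names against every candidate base directory.
function Expand-Paths([string[]]$Dirs, [string[]]$Names) {
    foreach ($d in $Dirs) { foreach ($n in $Names) { Join-Path $d $n } }
}

function Test-DrPswVbJi {
    [CmdletBinding()]
    param(
        # Directories searched for a copy of the dropper itself; the page does
        # not say where it lands, so these are the editor's guess.
        [string[]]$HashScanDirs = @($env:TEMP, (Join-Path $env:USERPROFILE 'Downloads'))
    )

    $r = [ordered]@{
        UniqueFiles   = @(@(Expand-Paths $SysDirs $UniqueSys) + @(Expand-Paths $ProgDirs $UniqueProg) |
                          Where-Object { Test-Path -LiteralPath $_ })
        SharedFiles   = @(Expand-Paths $SysDirs $SharedSys | Where-Object { Test-Path -LiteralPath $_ })
        UniqueKeys    = @($UniqueKeys | Where-Object { Test-Path -LiteralPath $_ })
        SharedKeys    = @($SharedKeys | Where-Object { Test-Path -LiteralPath $_ })
        InstallDirs   = @()
        Processes     = @()
        DropperCopies = @()
    }

    # The "unins" value under HKLM\Software\winadm records the install directory.
    foreach ($k in $r.UniqueKeys) {
        $v = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).unins
        if ($v) { $r.InstallDirs += $v }
    }

    # The description says winadmkill.exe and pfadmin.exe are run once dropped.
    $r.Processes = @(Get-Process -Name winadmkill, pfadmin -ErrorAction SilentlyContinue |
                     ForEach-Object { '{0} (PID {1})' -f $_.ProcessName, $_.Id })

    # Look for the dropper by size first (cheap), then confirm with its MD5.
    foreach ($dir in $HashScanDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq $DropperSize } |
            ForEach-Object {
                if ((Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash -ieq $DropperMd5) {
                    $r.DropperCopies += $_.FullName
                }
            }
    }

    # Shared components alone do not count; a verdict needs a unique indicator.
    $r.Infected = ($r.UniqueFiles.Count + $r.UniqueKeys.Count +
                   $r.Processes.Count + $r.DropperCopies.Count) -gt 0
    [PSCustomObject]$r
}

Test-DrPswVbJi | Format-List
```

If the verdict is positive, keep the InstallDirs value: the page records it in HKLM\Software\winadm\unins, and it tells you where the ParentsFriend payload was unpacked on this particular host even if the %PROGRAM FILES% placeholder did not expand to the expected directory. A hit only in SharedFiles or SharedKeys is not evidence of this dropper.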

Description inserted by Alexandru Dinu on Friday, October 5, 2007
Description updated by Alexandru Dinu on Friday, October 5, 2007
