Virus: TR/Spy.VB.QU
Date discovered: 13/03/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Medium
Static file: No
File size: 189.692 Bytes
IVDF version: 6.38.00.48 - Tuesday, March 13, 2007

General
Method of propagation:
   • No own spreading routine


Aliases:
   • Symantec: W32.SillyFDC
   • Mcafee: BackDoor-AKZ
   • Kaspersky: Trojan-Spy.Win32.VB.qu
   • TrendMicro: WORM_VB.CVY
   • F-Secure: Trojan:W32/Agent.AHC
   • Panda: Bck/Amitis.J
   • Eset: Win32/Spy.VB.QU trojan
   • Bitdefender: Trojan.Mailspam.J


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %TEMPDIR%\31550.exe
   • %SYSDIR%\odbcasvc.exe


Archiving:
It creates archives and stores files in them.

The following directory is searched:
   • %APPDATA%\Microsoft\Office\Recent\

The following file type is paid attention to:
   • .doc

The archive's filename is the following:
   • %TEMPDIR%\%current date%_%current time%.uha



The following files are created:

– Non malicious files:
   • %SYSDIR%\uha.exe
   • %SYSDIR%\mswinsck.ocx

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\attachment%current date%_%current time%.tmp
   • %TEMPDIR%\mail.tmp

Registry
The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\odbcasvc.exe
   • "DisplayName"="ODBC Administration Service"
   • "ObjectName"="LocalSystem"
   • "Description"="Microsoft Data Access - ODBC Administration Service"

– HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc\Security
   • "Security"=%hex values%

– HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc\Enum
   • "0"="Root\\LEGACY_ODBCASVC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001
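As an added, defender-side example that is not part of this description: a small triage routine that scans a Windows .reg export of the Services hive for the persistence entry listed above. Only the odbcasvc values are taken from this report; the export text, the Spooler entry, the `IOC_*` sets and all function names are constructed for the example.

```python
# Added example (not from the original report): parse a .reg export and flag
# service entries that match the TR/Spy.VB.QU persistence indicators
# (service name "odbcasvc", image "odbcasvc.exe", dropper "31550.exe").
# SAMPLE_REG_EXPORT is constructed for this example; a real export would be
# produced with "reg export HKLM\SYSTEM\CurrentControlSet\Services out.reg".

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"="C:\\WINDOWS\\system32\\odbcasvc.exe"
"DisplayName"="ODBC Administration Service"
"ObjectName"="LocalSystem"
"Description"="Microsoft Data Access - ODBC Administration Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odbcasvc\Security]
"Security"=hex:01,00,14,80
"""

# Indicators taken from this report (service name and dropped file names).
IOC_SERVICE_NAMES = {"odbcasvc"}
IOC_IMAGE_NAMES = {"odbcasvc.exe", "31550.exe"}
SERVICE_START_AUTO = 2  # "Start"=dword:00000002 means auto-start at boot


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only REG_SZ ("...") and REG_DWORD (dword:...) literals are decoded; other
    types such as hex: blobs are skipped, which is all this triage needs.
    """
    keys: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                # .reg files escape backslashes as "\\"
                keys[current][name] = value[1:-1].replace("\\\\", "\\")
    return keys


def find_suspicious_services(keys: dict) -> list:
    """Return (service_name, start_value, reasons) for services matching the IoCs."""
    findings = []
    for path, values in keys.items():
        parts = path.split("\\")
        # Only direct children of ...\Services are service definitions;
        # sub-keys such as \Security or \Enum are skipped.
        if len(parts) != 5 or parts[-2].lower() != "services":
            continue
        service = parts[-1]
        image_name = values.get("ImagePath", "").split("\\")[-1].lower()
        reasons = []
        if service.lower() in IOC_SERVICE_NAMES:
            reasons.append("service name matches TR/Spy.VB.QU indicator")
        if image_name in IOC_IMAGE_NAMES:
            reasons.append(f"ImagePath basename {image_name} matches indicator")
        if reasons:
            findings.append((service, values.get("Start"), reasons))
    return findings


if __name__ == "__main__":
    for service, start, reasons in find_suspicious_services(parse_reg_export(SAMPLE_REG_EXPORT)):
        mode = "auto-start" if start == SERVICE_START_AUTO else f"Start={start}"
        print(f"{service} ({mode}): " + "; ".join(reasons))
```

The match on both the service name and the image basename is deliberate: a variant that renames the service but keeps the dropped binary, or vice versa, still produces a finding, and the Start value is reported so the analyst can see at once that the entry survives a reboot.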



The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000
   • "Service"="odbcasvc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="ODBC Administration Service"

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000\Control
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="odbcasvc"



The following registry key is changed:

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   Old value:
   • "NoDriveTypeAutoRun"=dword:0000009d
   New value:
   • "NoDriveTypeAutoRun"=dword:00000091
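The NoDriveTypeAutoRun value is a bitmask in which each set bit disables AutoRun for one drive type, so the change above is best read bit by bit. The following added example (not part of the original description) decodes the old and new values using the documented bit layout, which mirrors the GetDriveType() return codes; the function names are assumptions made for the example.

```python
# Added example (not from the original report): decode NoDriveTypeAutoRun and
# report which drive types regained AutoRun when the value went 0x9d -> 0x91.
# Bit layout: bit n corresponds to GetDriveType() code n
# (DRIVE_UNKNOWN=0 ... DRIVE_RAMDISK=6); 0x80 is reserved.

DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",
}


def parse_reg_dword(value: str) -> int:
    """Parse the 'dword:0000009d' notation used in .reg exports and in this report."""
    prefix = "dword:"
    if not value.startswith(prefix):
        raise ValueError(f"not a REG_DWORD literal: {value!r}")
    return int(value[len(prefix):], 16)


def autorun_disabled_types(mask: int) -> set:
    """Drive types for which AutoRun is disabled (bit set) under this mask."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit}


def autorun_reenabled(old: int, new: int) -> set:
    """Drive types whose AutoRun-disable bit was cleared by the change old -> new."""
    return autorun_disabled_types(old) - autorun_disabled_types(new)


if __name__ == "__main__":
    old = parse_reg_dword("dword:0000009d")  # value before modification
    new = parse_reg_dword("dword:00000091")  # value after modification
    print(f"0x{old:02x} disables AutoRun for: {sorted(autorun_disabled_types(old))}")
    print(f"0x{new:02x} disables AutoRun for: {sorted(autorun_disabled_types(new))}")
    print(f"AutoRun re-enabled for: {sorted(autorun_reenabled(old, new))}")
```

Clearing 0x08 and 0x04 re-enables AutoRun for fixed and removable drives, which is why this modification is listed under "Lowers security settings"; a baseline check that alerts on any decrease of this value catches the same class of change regardless of which sample makes it.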

Email
It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:


From:
The sender of the email is the following:
   • esmtp01@tom.com


To:
The recipient of the email is the following:
   • esmtp01@tom.com


Subject:
The following:
   • Spider%number%[%computer name%\%current username%]



Attachment:
The filename of the attachment is:
   • %current date%_%current time%.uha

The attachment is a copy of the created file: %TEMPDIR%\%current date%_%current time%.uha

File details
Programming language:
The malware program was written in Visual Basic.
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Alexander Neth on Friday, July 25, 2008
Description updated by Andrei Gherman on Friday, August 1, 2008
