Find a Partner
This window is encrypted for your security.
Need help? Ask the community or hire an expert.
Go to Avira Answers
In the wild:
Low to medium
- Friday, June 13, 2008
Method of propagation:
• Autorun feature
• Mcafee: W32/Vbbot
• Sophos: W32/AutoRun-FD
• Panda: W32/SdBot.LXF
• Eset: Win32/AutoRun.PU
• Bitdefender: Trojan.Vb.Autorun.AA
Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003
• Drops malicious files
• Registry modification
It copies itself to the following locations:
The following file is created:
\autorun.inf This is a non malicious text file with the following content:
%code that runs malware%
One of the following values is added in order to run the process after reboot:
• "LSA Shellu"="%HOME%\lsass.exe"
The following registry key is added:
– [HKCU\Software\VB and VBA Program Settings\rn1\r]
The following port is opened:
– svchost.exe on TCP port 5000 in order to provide backdoor capabilities.
– It injects itself as a thread into a process.
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
Description inserted by Petre Galan on Thursday, March 11, 2010
Description updated by Petre Galan on Friday, March 12, 2010