Virus:TR/VB.abuo
Date discovered:23/02/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:651.264 Bytes
MD5 checksum:274072bc83d87f4c0a797e5f0687420b
IVDF version:7.10.04.133 - Tuesday, February 23, 2010

 General Methods of propagation:
   • Autorun feature
   • Peer to Peer


Aliases:
   •  Sophos: Mal/VBInject-D
   •  Panda: Adware/AccesMembre
   •  Eset: Win32/Merond.O
   •  Bitdefender: Trojan.VB.Agent.EB


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • %SYSDIR%\javajar.exe
   • %drive%\RECYCLER\%CLSID%\redmond.exe



The following files are created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

%drive%\RECYCLER\%CLSID%\Desktop.ini
%SYSDIR%\jconsole.exe



It tries to executes the following file:

– Filename:
   • "%SYSDIR%\jconsole.exe"

 Registry The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdaterv12"="%SYSDIR%\javajar.exe"



The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • APVXDWIN
   • AVG8_TRAY
   • AVP
   • BDAgent
   • CAVRID
   • DrWebScheduler
   • F-PROT Antivirus Tray application
   • ISTray
   • K7SystemTray
   • K7TSStart
   • McENUI
   • MskAgentexe
   • OfficeScanNT Monitor
   • RavTask
   • SBAMTray
   • SCANINICIO
   • SpIDerMail
   • Spam Blocker for Outlook Express
   • SpamBlocker
   • Windows Defender
   • avast!
   • cctray
   • egui
   • sbamui



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\javajar.exe"="%SYSDIR%\javajar.exe:*:Enabled:Explorer"



The following registry keys are added:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   • "EnableLUA"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   • "juseful1"="%character string%"
   • "juseful2"="%character string%"

 Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender of the email is one of the following:
   • e-cards@hallmark.com
   • invitations@hi5.com
   • invitations@twitter.com


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Jessica would like to be your friend on hi5!
   • You have received A Hallmark E-Card!
   • Your friend invited you to twitter!



Body:
– Contains HTML code.


Attachment:
The filename of the attachment is one of the following:
   • Invitation Card.zip
   • Postcard.zip

The attachment is an archive containing a copy of the malware itself.

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:   It retrieves the shared folder by querying the following registry key:
   • Software\eMule

   If successful, the following files are created:
   • Sophos antivirus updater bypass.exe; Twitter FriendAdder 2.1.1.exe;
      Ashampoo Snap 3.02.exe; Divx Pro 7 + keymaker.exe; CleanMyPC Registry
      Cleaner v6.02.exe; PDF to Word Converter 3.0.exe; Adobe Photoshop CS4
      crack.exe; Grand Theft Auto IV (Offline Activation).exe; Rapidshare
      Auto Downloader 3.8.exe; VmWare keygen.exe;
      Winamp.Pro.v7.33.PowerPack.Portable+installer.exe; Mp3 Splitter and
      Joiner Pro v3.48.exe; Norton Anti-Virus 2010 Enterprise Crack.exe;
      Image Size Reducer Pro v1.0.1.exe; McAfee Total Protection 2010.exe;
      Alcohol 120 v1.9.7.exe; DVD Tools Nero 10.5.6.0.exe; Myspace theme
      collection.exe; Absolute Video Converter 6.2.exe; K-Lite Mega Codec
      v5.5.1.exe; BitDefender AntiVirus 2010 Keygen.exe; Ad-aware 2010.exe;
      Super Utilities Pro 2009 11.0.exe; Microsoft.Windows 7 ULTIMATE FINAL
      activator+keygen x86.exe; Magic Video Converter 8 0 2 18.exe; Nero 9
      9.2.6.0 keygen.exe; Power ISO v4.2 + keygen axxo.exe; Windows2008
      keygen and activator.exe; Total Commander7 license+keygen.exe; K-Lite
      Mega Codec v5.6.1 Portable.exe; Daemon Tools Pro 4.11.exe; Anti-Porn
      v13.5.12.29.exe; Tuneup Ultilities 2010.exe; LimeWire Pro v4.18.3.exe;
      Motorola, nokia, ericsson mobil phone tools.exe; WinRAR v3.x keygen
      RaZoR.exe; Trojan Killer v2.9.4173.exe; Windows 7 Ultimate keygen.exe;
      Windows 2008 Enterprise Server VMWare Virtual Machine.exe; Windows XP
      PRO Corp SP3 valid-key generator.exe; Blaze DVD Player Pro v6.52.exe;
      PDF-XChange Pro.exe; YouTubeGet 5.4.exe; Norton Internet Security 2010
      crack.exe; Kaspersky AntiVirus 2010 crack.exe; Google SketchUp 7.1
      Pro.exe; PDF Unlocker v2.0.3.exe; Download Boost 2.0.exe; Avast 4.8
      Professional.exe; Adobe Acrobat Reader keygen.exe; VmWare 7.0
      keygen.exe; RapidShare Killer AIO 2010.exe; Internet Download Manager
      V5.exe; Youtube Music Downloader 1.0.exe; AnyDVD HD v.6.3.1.8 Beta
      incl crack.exe; Download Accelerator Plus v9.exe; G-Force Platinum
      v3.7.5.exe; Kaspersky Internet Security 2010 keygen.exe; PDF password
      remover (works with all acrobat reader).exe; Adobe Illustrator CS4
      crack.exe


 Miscellaneous  Checks for an internet connection by contacting the following web site:
   • http://whatismyip.com/automation/n09230945.asp

 File details Programming language:
 The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, May 21, 2010
Description updated by Petre Galan on Friday, May 21, 2010

Back . . . .