Virus:TR/VBKrypt.dhzd
Date discovered:09/06/2011
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Medium
File size:536.064 Bytes
MD5 checksum:737C8ADD80E92CA17FEEDB27E205189D
VDF version:7.11.09.124 - Thursday, June 9, 2011
IVDF version:7.11.09.124 - Thursday, June 9, 2011

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: W32/Autorun.worm.h
   •  Kaspersky: Trojan.Win32.VBKrypt.dhzd
   •  Avast: Win32:VB-UXG [Trj]


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Server 2008


Side effects:
   • Disable security applications
   • Drops files
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following locations:
   • %APPDATA%\Adobee\Protect.exe
   • %APPDATA%\%number%.exe



The following files are created:

– %TEMPDIR%\ETpDS.bat Further investigation pointed out that this file is malware, too.
– %APPDATA%\data.dat This file contains collected keystrokes.



It tries to execute the following files:

– Filename:
   • REG
using the following command line arguments: ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "run32.exe" /t REG_SZ /d "%APPDATA%\Adobee\Protect.exe" /f


– Filename:
   • REG
using the following command line arguments: ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f ([32] %SYSDIR%\cmd.exe)


– Filename:
   • REG
using the following command line arguments: ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\User101\Application Data\Adobee\Protect.exe" /t REG_SZ /d "C:\Documents and Settings\User101\Application Data\Adobee\Protect.exe:*:Enabled:Windows Messanger" /f ([33] %SYSDIR%\cmd.exe)


– Filename:
   • REG
using the following command line arguments: ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f ([35] %SYSDIR%\cmd.exe)


– Filename:
   • REG
using the following command line arguments: ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Documents and Settings\User101\Application Data\3.exe" /t REG_SZ /d "C:\Documents and Settings\User101\Application Data\3.exe:*:Enabled:Windows Messanger" /f ([37] %SYSDIR%\cmd.exe)

Registry
The following registry keys are added repeatedly, in an infinite loop, so that the processes are run again after reboot.

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   run]
   • "Win Defender"="%APPDATA%\%number%.exe"

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Win Defender"="%APPDATA%\%number%.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Win Defender"="%APPDATA%\%number%.exe"

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "run32.exe"="%APPDATA%\Adobee\Protect.exe"



The following registry keys are added:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile]
   • "DoNotAllowExceptions"=dword:00000000

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
   FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%APPDATA%\Adobee\Protect.exe"="%APPDATA%\Adobee\Protect.exe:*:Enabled:Windows Messanger"
   • "%APPDATA%\%number%.exe"="%APPDATA%\%number%.exe:*:Enabled:Windows Messanger"

Backdoor
The following port is opened:

– svchost.exe on UDP port 1033


Contact server:
The following server:
   • xdanx3.no-ip.**********

As a result it may send information to this server, and the server may take remote control of the infected system.

Sends information about:
   • Information about the Windows operating system


Remote control capabilities:
   • Perform DDoS attack
   • Start keylog

Injection
– It injects itself as a remote thread into a process.

   All of the following processes:
   • svchost.exe
   • explorer.exe


File details
Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with the following runtime packer:
   • UPX

Description inserted by Andrei Ilie on Monday, August 1, 2011
Description updated by Andrei Ilie on Tuesday, August 2, 2011
