Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/VBKrypt.devc.1
Date discovered:03/06/2011
Type:Trojan
In the wild:Yes
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Medium
File size:49.152 Bytes
MD5 checksum:CF2445B2C06AF8757BB5C598F85BB22E
VDF version:7.11.08.254 - Friday, June 3, 2011
IVDF version:7.11.08.254 - Friday, June 3, 2011

 General Method of propagation:
   • Email
   • By visiting infected websites


Aliases:
   •  Symantec: W32.SillyIRC
   •  TrendMicro: WORM_NUSUMP.C
   •  Microsoft: Worm:Win32/Nusump


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows 7


Side effects:
   • Third party control
   • Disable security applications
   • Drops files
   • Registry modification
   • Uses its own Email engine
   • Steals information
   • Makes use of software vulnerability

 Files It copies itself to the following location:
   • %TEMPDIR%\%random character string%.exe



It deletes the initially executed copy of itself.



The following file is created:

%SYSDIR%\wbem\Logs\wbemprox.log Contains parameters used by the malware.

 Registry One of the following values is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
   {254F4E25-A65F-2764-0003-070806050704}]
   • "StubPath"="%TEMPDIR%\%random character string%.exe"

 Process termination List of processes that are terminated:
   • AvastSvc.exe
   • avgcsrvx.exe
   • avguard.exe
   • avgupd.exe
   • avp.exe
   • ccSvcHst.exe
   • ekrn.exe
   • mcupdate.exe
   • update.exe


 Backdoor Contact server:
The following:
   • 200.58.119.**********:443

As a result it may send information and remote control could be provided.

Sends information about:
    • Information about the Windows operating system


Remote control capabilities:
    • Send emails
    • Terminate process
    • Visit a website

 Injection – It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe

   If successful, the malware process terminates while the injected part remains active.

 Miscellaneous String:
Furthermore it contains the following strings:
   • select * from moz_logins
   • \Mozilla\Firefox\

 File details Programming language:
The malware program was written in Visual Basic.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Andrei Ilie on Monday, August 1, 2011
Description updated by Andrei Ilie on Wednesday, August 3, 2011

Back . . . .