Date discovered: 04/10/2011
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
VDF version:
IVDF version:

General
Method of propagation:
   • No own spreading routine

Aliases:
   •  McAfee: VBObfus.bc
   •  Kaspersky: Worm.Win32.WBNA.pgy
   •  Bitdefender: Gen:Variant.VBKrypt.23
   •  Grisoft: Dropper.Generic4.BCRZ
   •  Eset: Win32/AutoRun.VB.AMM worm
   •  GData: Gen:Variant.VBKrypt.23
   •  Norman: Trojan W32/VBTroj.DAQZ

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7

Side effects:
   • Registry modification

Files
It copies itself to the following location:
   • %HOME%\%six-digit random character string%.exe

Registry
One of the following values is added in order to run the process after reboot:

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "%six-digit random character string%"="%HOME%\%six-digit random character string% /d"

The following registry keys are added in order to load the service after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   • "ShowSuperHidden"=dword:00000000

Miscellaneous
Internet connection:
In order to check for its Internet connection, the following DNS server is contacted:
   • ns1.**********

File details
Programming language:
The malware program was written in Visual Basic.

Description inserted by Wensin Lee on Wednesday, September 19, 2012
Description updated by Wensin Lee on Wednesday, September 19, 2012
