Virus: TR/VB.BG
Date discovered: 03/03/2004
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 131.116 Bytes
MD5 checksum: e4a6af3171e95e337527bbffc1201382
VDF version: 6.24.00.39

General

Method of propagation:
• No own spreading routine

Aliases:
• Kaspersky: Virus.Win32.VB.bg
• F-Secure: Virus.Win32.VB.bg
• Grisoft: Worm/VB.ZU
• Eset: Win32/VB.DA

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops files
• Lowers security settings
• Registry modification

Files

It copies itself to the following locations:
• C:\mig2.exe
• %WINDIR%\mig2.exe
• %SYSDIR%\shell.exe
• %SYSDIR%\MrHelloween.scr
• %SYSDIR%\IExplorer.exe
• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
• %HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
• %HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
• %HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
• %HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE
• %HOME%\Local Settings\Application Data\WINDOWS\SMSS.EXE
• %drive%\Data %current username%.exe
• %current directory%\%current directory name%.exe
• %drive%\mig2\New Folder.exe

It creates the following directory:
• %drive%\mig2

The following files are created:
– C:\Untukmu.txt
  This is a non-malicious text file with the following content:
  • Untukmu
    Apa yang aku lakukan tak akan kau rasakan
    Apa yang kau lakukan tak akan aku rasakan
    Benar-benar jauh, jarak kita
    Aku terpaksa,lakukan ini krana kau yang mengawali..
    Senyummu adalah sedihku
    Sedihmu adalah tawaku
    Tangisku bukan milikmu
    Tangismu adalah milikku
    masih ada lagi yang ku kejar saat ini
    saat,ini aku akan mulai mengejar yang lain
    Lepaskan Dendam dan tawaku saat ini
    JUST, 4u MIG - MIG
– %WINDIR%\msvbvm60.dll
– %SYSDIR%\msvbvm60.dll
– %drive%\mig2\Folder.htt
– %drive%\desktop.ini

Registry

The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "Logon%current username%"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  • "System Monitoring"="%HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE"
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "mig2"="%WINDIR%\mig2.exe"
  • "Service%current username%"="%HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  • "MSMSGS"="%HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  Old value:
  • "Shell"="Explorer.exe"
  • "Userinit"="%SYSDIR%\userinit.exe"
  New value:
  • "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
  • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"
– [HKCR\exefile]
  Old value:
  • @="Application"
  New value:
  • @="File Folder"
– [HKCR\exefile\shell\open\command]
  Old value:
  • @=""%1" %*"
  New value:
  • @="%SYSDIR%\shell.exe" "%1" %*"
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
  Old value:
  • "Auto"="1"
  • "Debugger"="drwtsn32 -p %ld -e %ld -g"
  New value:
  • "Auto"="1"
  • "Debugger"="%SYSDIR%\Shell.exe"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  Old value:
  • "Hidden"=%user defined settings%
  • "HideFileExt"=%user defined settings%
  • "ShowSuperHidden"=%user defined settings%
  New value:
  • "Hidden"=dword:00000000
  • "HideFileExt"=dword:00000001
  • "ShowSuperHidden"=dword:00000000
– [HKCU\Control Panel\Desktop]
  Old value:
  • "ScreenSaverIsSecure"="1"
  • "SCRNSAVE.EXE"=%user defined settings%
  New value:
  • "ScreenSaverIsSecure"="0"
  • "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR"
– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
  Old value:
  • "AlternateShell"="cmd.exe"
  New value:
  • "AlternateShell"="%WINDIR%\mig2.exe"
– [HKCR\lnkfile\shell\open\command]
  Old value:
  • @=" "%1" %*"
  New value:
  • @=" "%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\piffile\shell\open\command]
  Old value:
  • @=""%1" %*"
  New value:
  • @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\batfile\shell\open\command]
  Old value:
  • @=""%1" %*"
  New value:
  • @="%SYSDIR%\shell.exe" "%1" %*"
– [HKCR\comfile\shell\open\command]
  Old value:
  • @=""%1" %*"
  New value:
  • @="%SYSDIR%\shell.exe" "%1" %*"

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
  Old value:
  • "DisableCMD"=%user defined settings%
  • "DisableTaskMgr"=%user defined settings%
  • "DisableRegistryTools"=%user defined settings%
  New value:
  • "DisableCMD"=dword:00000001
  • "DisableTaskMgr"=dword:00000001
  • "DisableRegistryTools"=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
  Old value:
  • "NoFolderOptions"=%user defined settings%
  New value:
  • "NoFolderOptions"=dword:00000001
– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
  Old value:
  • "DisableConfig"=%user defined settings%
  • "DisableSR"=%user defined settings%
  New value:
  • "DisableConfig"=dword:00000001
  • "DisableSR"=dword:00000001
– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
  New value:
  • "LimitSystemRestoreCheckpointing"=dword:00000001
  • "DisableMSI"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
  New value:
  • "FullPathAddress"=dword:00000001

Process termination

List of processes that are terminated:
• regedit.exe; AVP.exe; rtvscan.exe; NAV.exe; VSHWIN32.exe; ProcessManager.exe; RegistryEditor.exe; Msiexec.exe; avgemc.exe; nvcoas.exe; mcvsescn.exe; firefox.exe; TASKMGR.EXE; setup.exe; Opera.exe; avguad.exe; avgnt.exe; killvb.exe; Msi.exe

Processes with one of the following strings in their name are terminated:
• ANT; BRO; VIR; TASK; REG; ASM; DBG; W32; BUG; HEX; DETEC; PROC; WALK; REST; AVS; OPTIONS; AVG; SYMANTEC; PANDA; MCAFEE; PC-CILLIN; F-PROT; KASPERSKY; VAKSIN; ANTI; VIRUS

Processes with one of the following window titles are terminated:
• RegEdit_RegEdit
• Registry Editor
• Folder Options
• Local Settings

The following service is disabled:
• System Restore

File details

Programming language:
The malware program was written in Visual Basic.
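The "Old value" / "New value" pairs above double as a baseline for a host check. The following Python function is an added example, not part of the Avira description: it audits a registry snapshot, assumed here to be a dict of (key, value name) to data such as one might build from a `reg export` of the listed keys, against the clean defaults the description gives, and flags the open-handler redirections and policy lockouts it lists. The snapshot format, the function name and the sample data are assumptions.

```python
# Added example: audit a registry snapshot for the changes this description lists.
# Snapshot format (assumed, constructed here): {(key, value_name): data}, e.g. built
# from a `reg export` of the listed keys. Placeholders like %SYSDIR% stay literal.

# Clean defaults, taken from the description's "Old value" entries.
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
BASELINE = {
    (WINLOGON, "Shell"): "Explorer.exe",
    (WINLOGON, "Userinit"): r"%SYSDIR%\userinit.exe",
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug", "Debugger"): "drwtsn32 -p %ld -e %ld -g",
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (r"HKCR\exefile", "@"): "Application",
}
# File-type open handlers the description shows being redirected through shell.exe.
HANDLER_KEYS = [rf"HKCR\{ext}file\shell\open\command" for ext in ("exe", "lnk", "pif", "bat", "com")]
# Policy values the description sets to 1 to lock the user out of admin tooling.
POLICIES = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_FLAGS = [(POLICIES, n) for n in ("DisableCMD", "DisableTaskMgr", "DisableRegistryTools")]
POLICY_FLAGS.append((r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR"))

def audit_registry(snapshot):
    """Return (key, value_name, data, reason) tuples for every deviation found."""
    findings = []
    for (key, name), expected in BASELINE.items():
        data = snapshot.get((key, name))
        if data is not None and data != expected:
            findings.append((key, name, data, f"expected {expected!r}"))
    for key in HANDLER_KEYS:
        data = snapshot.get((key, "@"))
        # A clean handler is "%1" %* ; anything placed before %1 runs on every launch.
        if data is not None and not data.strip().lstrip('"').startswith("%1"):
            findings.append((key, "@", data, "handler no longer starts with %1"))
    for key, name in POLICY_FLAGS:
        if snapshot.get((key, name)) == 1:
            findings.append((key, name, 1, "admin tool disabled by policy"))
    return findings

# Constructed snapshot: the Winlogon and exefile changes from the description plus a clean lnkfile.
SAMPLE = {
    (WINLOGON, "Shell"): r'Explorer.exe "%SYSDIR%\IExplorer.exe"',
    (WINLOGON, "Userinit"): r"%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe",
    (r"HKCR\exefile\shell\open\command", "@"): r'%SYSDIR%\shell.exe" "%1" %*',
    (r"HKCR\lnkfile\shell\open\command", "@"): r'"%1" %*',
    (POLICIES, "DisableTaskMgr"): 1,
}

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE):
        print(finding)
```

Run against SAMPLE it reports the Shell, Userinit and exefile handler changes and the DisableTaskMgr policy, and nothing for the clean lnkfile handler.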
Description inserted by Adriana Popa on Tuesday, 21 November 2006. Description updated by Adriana Popa on Thursday, 23 November 2006.