Virus:TR/VB.BG
Date discovered:03/03/2004
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:131.116 Bytes
MD5 checksum:e4a6af3171e95e337527bbffc1201382
VDF version:6.24.00.39

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Kaspersky: Virus.Win32.VB.bg
   •  F-Secure: Virus.Win32.VB.bg
   •  Grisoft: Worm/VB.ZU
   •  Eset: Win32/VB.DA


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops files
   • Lowers security settings
   • Registry modification

 Files It copies itself to the following locations:
   • C:\mig2.exe
   • %WINDIR%\mig2.exe
   • %SYSDIR%\shell.exe
   • %SYSDIR%\MrHelloween.scr
   • %SYSDIR%\IExplorer.exe
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Empty.pif
   • %HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE
   • %HOME%\Local Settings\Application Data\WINDOWS\SMSS.EXE
   • %drive%\Data %current username%.exe
   • %current directory%\%current directory name%.exe
   • %drive%\mig2\New Folder.exe



It creates the following directory:
   • %drive%\mig2



The following files are created:

– C:\Untukmu.txt This is a non malicious text file with the following content:
   • Untukmu
     
     Apa yang aku lakukan tak akan kau rasakan
     Apa yang kau lakukan tak akan aku rasakan
     Benar-benar jauh, jarak kita
     Aku terpaksa,lakukan ini krana kau yang mengawali..
     
     Senyummu adalah sedihku
     Sedihmu adalah tawaku
     
     Tangisku bukan milikmu
     Tangismu adalah milikku
     
     masih ada lagi yang ku kejar saat ini
     saat,ini aku akan mulai mengejar yang lain
     Lepaskan Dendam dan tawaku saat ini
     JUST, 4u MIG - MIG

%WINDIR%\msvbvm60.dll
%SYSDIR%\msvbvm60.dll
%drive%\mig2\Folder.htt
%drive%\desktop.ini

 Registry The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Logon%current username%"="%HOME%\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
   • "System Monitoring"="%HOME%\Local Settings\Application Data\WINDOWS\LSASS.EXE"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "mig2"="%WINDIR%\mig2.exe"
   • "Service%current username%"="%HOME%\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
   • "MSMSGS"="%HOME%\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   • "Userinit"="%SYSDIR%\userinit.exe"
   New value:
   • "Shell"="Explorer.exe "%SYSDIR%\IExplorer.exe""
   • "Userinit"="%SYSDIR%\userinit.exe,%SYSDIR%\IExplorer.exe"

– [HKCR\exefile]
   Old value:
   • @="Application"
   New value:
   • @="File Folder"

– [HKCR\exefile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
   Old value:
   • "Auto"="1"
   • "Debugger"="drwtsn32 -p %ld -e %ld -g"
   New value:
   • "Auto"="1"
   • "Debugger"="%SYSDIR%\Shell.exe"

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
   Old value:
   • "Hidden"=%user defined settings%
   • "HideFileExt"=%user defined settings%
   • "ShowSuperHidden"=%user defined settings%
   New value:
   • "Hidden"=dword:00000000
   • "HideFileExt"=dword:00000001
   • "ShowSuperHidden"=dword:00000000

– [HKCU\Control Panel\Desktop]
   Old value:
   • "ScreenSaverIsSecure"="1"
   • "SCRNSAVE.EXE"=%user defined settings%
   New value:
   • "ScreenSaverIsSecure"="0"
   • "SCRNSAVE.EXE"="%SYSDIR%\MRHELL~1.SCR"

– [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot]
   Old value:
   • "AlternateShell"="cmd.exe"
   New value:
   • "AlternateShell"="%WINDIR%\mig2.exe"

– [HKCR\lnkfile\shell\open\command]
   Old value:
   • @=" "%1" %*"
   New value:
   • @=" "%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\piffile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\batfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

– [HKCR\comfile\shell\open\command]
   Old value:
   • @=""%1" %*"
   New value:
   • @="%SYSDIR%\shell.exe" "%1" %*"

Disable Regedit and Task Manager:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
   Old value:
   • "DisableCMD"=%user defined settings%
   • "DisableTaskMgr"=%user defined settings%
   • "DisableRegistryTools"=%user defined settings%
   New value:
   • "DisableCMD"=dword:00000001
   • "DisableTaskMgr"=dword:00000001
   • "DisableRegistryTools"=dword:00000001

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
   Old value:
   • "NoFolderOptions"=%user defined settings%
   New value:
   • "NoFolderOptions"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
   Old value:
   • "DisableConfig"=%user defined settings%
   • "DisableSR"=%user defined settings%
   New value:
   • "DisableConfig"=dword:00000001
   • "DisableSR"=dword:00000001

– [HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer]
   New value:
   • "LimitSystemRestoreCheckpointing"=dword:00000001
   • "DisableMSI"=dword:00000001

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\
   CabinetState]
   New value:
   • "FullPathAddress"=dword:00000001

 Process termination List of processes that are terminated:
   • regedit.exe; AVP.exe; rtvscan.exe; NAV.exe; VSHWIN32.exe;
      ProcessManager.exe; RegistryEditor.exe; Msiexec.exe; avgemc.exe;
      nvcoas.exe; mcvsescn.exe; firefox.exe; TASKMGR.EXE; setup.exe;
      Opera.exe; avguad.exe.; avgnt.exe; killvb.exe; Msi.exe

Processes with one of the following strings are terminated:
   • ANT; BRO; VIR; TASK; REG; ASM; DBG; W32; BUG; HEX; DETEC; PROC; WALK;
      REST; AVS; OPTIONS; AVG; SYMANTEC; PANDA; MCAFEE; PC-CILLIN; F-PROT;
      KASPERSKY; VAKSIN; ANTI; VIRUS

Processes containing one of the following window titles are terminated:
   • RegEdit_RegEdit
   • Registry Editor
   • Folder Options
   • Local Settings


The following service is disabled:
   • System Restore

 File details Programming language:
 The malware program was written in Visual Basic.

Description inserted by Adriana Popa on dinsdag 21 november 2006
Description updated by Adriana Popa on donderdag 23 november 2006

Terug . . . .

© 2013 Avira Operations GmbH & Co. KG. Alle rechten voorbehouden.

Mijn Account

https:// Dit venster is voor uw veiligheid gecodeerd.