Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: UNKNOWN
Payload: Disables the firewall
Detection files published: 19 Nov 2009 03:00:00
Description created: 10 Dec 2009 04:25:00
Description updated: 10 Dec 2009 04:25:00
Malware type: DROPPER
Aliases: Trojan:Win32/VB.ZZ, Trojan-Spy.Win32.Zbot.yfp, Generic.Dropper, Mal/VBDrop-F
Spreading mechanism
Summary

W32/VBTroj

Spreading

On execution, it drops a piece of malware (a W32/Zbot variant) into the %windir%\system32 folder; this component compromises the system's security settings and contacts a remote server without the user's knowledge.
To keep the end user unaware of the intrusion, it also drops an executable and a dummy video file (usually with an “.avi” extension) in %windir%\temp and opens a Media Player window showing the message “Unable to open the file ****.avi”.
It hooks winlogon.exe so that it is executed every time a user logs on to a Windows profile, and it disables the Windows Firewall so that its backdoor activity is not blocked.

Payload Details

On execution it drops a malicious file at %windir%\system32\twext.exe and creates the folder
%Root%:\Documents and Settings\LocalService\Application Data\twain_32
This folder holds an encrypted file, “*****.ds”, which contains all information collected by the malware: stored passwords taken from Protected Storage (kept in encrypted form) and the certificates present on the infected system.
It then hooks svchost.exe, which sends the contents of the “*****.ds” file to the remote server.
It creates the following registry entries to hook into “winlogon.exe” and to disable the firewall:
HKLM\Microsoft\Windows NT\CurrentVersion\Winlogon “Userinit”
Old data: C:\WINDOWS\system32\userinit.exe
New data: %windir%\system32\userinit.exe, %windir%\system32\twext.exe
HKLM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile “Enable Firewall”
Old data: 01, 00, 00, 00
New data: 00, 00, 00, 00
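A defender-side check for the two registry changes listed above, added here as an example (it is not part of the Lumension description): it parses a .reg export of the affected keys and flags any extra Userinit program and a disabled Standard-profile firewall. The full hive paths (HKLM\SOFTWARE\... and HKLM\SYSTEM\...) and the value name EnableFirewall are the standard Windows locations that the page abbreviates, and the embedded export is constructed sample data.

```python
import re
# Constructed sample (not a real capture): a .reg-style export of the two keys the
# page lists, holding the post-infection "new data" values the page describes.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\twext.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FW_STD = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")

def parse_reg(text):
    """Parse a minimal .reg export into {key: {name: value}}; value names are
    lower-cased with spaces removed so "Enable Firewall" and EnableFirewall match."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r'^\[(.+)\]$', line)
        val = re.match(r'^"([^"]+)"=(.*)$', line)
        if key:
            current = key.group(1)
            keys[current] = {}
        elif val and current is not None:
            name, raw = val.group(1), val.group(2)
            if raw.startswith('dword:'):          # REG_DWORD written as hex
                parsed = int(raw[6:], 16)
            else:                                 # REG_SZ, with \\ unescaped
                parsed = raw.strip('"').replace('\\\\', '\\')
            keys[current][name.replace(' ', '').lower()] = parsed
    return keys

def userinit_extras(keys):
    """Userinit is a comma-separated list run at logon; report anything but userinit.exe."""
    raw = keys.get(WINLOGON, {}).get('userinit', '')
    entries = [e.strip() for e in raw.split(',') if e.strip()]
    return [e for e in entries if not e.lower().endswith(r'\userinit.exe')]

def firewall_disabled(keys):
    """True when the Standard profile's EnableFirewall DWORD is 0."""
    return keys.get(FW_STD, {}).get('enablefirewall') == 0

def findings(text):
    keys = parse_reg(text)
    out = [f"Userinit runs extra program at logon: {e}" for e in userinit_extras(keys)]
    if firewall_disabled(keys):
        out.append("Windows Firewall disabled for the Standard profile")
    return out
```

On a live host the same export can be produced with `reg export` for each key and fed to `findings()`.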

Analysis

n/a

Removal

n/a

Last Updated: 12 Nov 2015 11:06:14