Thirtyseven4 Antivirus | AntiMalware | AntiRootkit | AntiSpyware

TROJAN.VBKRYPT.KBB

Name: Trojan.VBKrypt.kbb
Description added: April 10, 2012
Type: Trojan
Risk: Low
Payload: N/A
At risk systems: Windows 95/98/ME/XP/NT/2003

Description:

When Trojan.VBKrypt.kbb is executed, it performs the following activities:

After execution, it drops the following files:

%UserProfile%\qr5i4eI0.exe
%UserProfile%\{Random name}.exe [copy of itself]
%UserProfile%\2qub.exe
%UserProfile%\7631.tmp
%UserProfile%\4qub.exe
%UserProfile%\yiavueh.exe
%UserProfile%\zueyoop.exe
%UserProfile%\sauipeh.exe
%UserProfile%\glbuav.exe
%UserProfile%\notes.exe
%AppData%\Microsoft\0082\056.exe
%AppData%\Microsoft\0082\7.tmp
%AppData%\Microsoft\0082\8.tmp
%AppData%\Microsoft\0082\9.tmp
%AppData%\20AE9\9D47.0AE
%AppData%\20AE9\C0000.exe
%AppData%\xipkbxbqziuy21xh3deqcqpvwjznz3ul2\svcnost.exe
%AppData%\E9D47\lvvm.exe
%AppData%\ntuser.dat

It creates the following files on each connected removable drive:

%Removable Drive%\autorun.inf
%Removable Drive%\x.mpeg
%Removable Drive%\{Random name}.exe [copy of itself]
%Removable Drive%\Secret.exe
%Removable Drive%\Sexy.exe
%Removable Drive%\yiavueh.exe
%Removable Drive%\RCXA.tmp
%Removable Drive%\Passwords.exe
%Removable Drive%\Porn.exe
%Removable Drive%\RCXD.tmp
%Removable Drive%\RCXE.tmp
%Removable Drive%\RCXF.tmp

It drops an 'AUTORUN.INF' file to execute itself automatically when the drives are accessed.

The AUTORUN.INF file contains the following strings:

[autorun]
OPEN={Random name}.exe
shell\open=打开(&O)
shell\open\Command={Random name}.exe Show
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command={Random name}.exe Show
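
As an added example (not part of the writeup), a small Python checker that parses the autorun.inf layout shown above and reports what a defender would look for on a removable drive: launch keys pointing at an executable on the drive, relabelled context-menu verbs fronting for those commands, and the default double-click verb redirect. The `{Random name}.exe` placeholder is kept from the writeup; the benign sample is constructed.

```python
import re

# autorun.inf constructed from the strings quoted in the writeup above;
# "{Random name}.exe" stands for the dropper's randomly named copy of itself.
SUSPECT_AUTORUN = r"""[autorun]
OPEN={Random name}.exe
shell\open=打开(&O)
shell\open\Command={Random name}.exe Show
shell\open\Default=1
shell\explore=资源管理器(&X)
shell\explore\Command={Random name}.exe Show
"""
# Benign autorun.inf that only sets a drive icon and label (constructed).
BENIGN_AUTORUN = "[autorun]\nicon=drive.ico\nlabel=Backup Drive\n"

EXEC_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)

def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def autorun_findings(text):
    """List the reasons an autorun.inf looks like a self-propagating dropper."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        # OPEN/shellexecute run on insertion; shell\<verb>\Command on menu use.
        if (key in ("open", "shellexecute") or key.endswith("\\command")) and EXEC_EXT.search(value):
            findings.append(f"{key} launches an executable from the drive: {value}")
        # A verb label (shell\open=...) whose Command is an executable impersonates
        # the real Open/Explore menu items.
        if key.startswith("shell\\") and key.count("\\") == 1:
            cmd = entries.get(key + "\\command", "")
            if EXEC_EXT.search(cmd):
                findings.append(f"context-menu label {value!r} fronts for {cmd!r}")
    if entries.get("shell\\open\\default") == "1" or "shell" in entries:
        findings.append("default double-click verb redirected to the autorun handler")
    return findings
```

Running `autorun_findings` over the quoted file yields six findings, while the icon-and-label file yields none; the same function can be pointed at `X:\autorun.inf` on a drive under examination.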

It creates/modifies the following registry entries:

{Random name} = "%UserProfile%\{Random name}.exe /Y"
HKU\Software\Microsoft\Windows\CurrentVersion\Run

056.exe = "%AppData%\Microsoft\0082\056.exe"
HKU\Software\Microsoft\Windows\CurrentVersion\Run