Win32/VB.NTK [Threat Name]

Win32/VB.NTK [Threat Variant Name]

Category trojan,worm
Size 132608 B
Detection created Nov 29, 2008
Detection database version 3651
Aliases Trojan:Win32/VB (Microsoft)
Short description

Win32/VB.NTK is a trojan that installs Win32/VB.NRO malware.

Installation

When executed, the trojan creates the following files:

  • %system%\%variable1%.dll (466940 B, Win32/VB.NRO)

The trojan copies itself to the following location:

  • %system%\%variable2%.exe

A string with variable content is used instead of %variable1-2%.

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0]
    • "Script" = "%malwarefilepath%"
    • "Parameters" = "13835"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0]
    • "FileSysPath" = "%currentfolder%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0]
    • "Script" = "%malwarefilename%"
    • "Parameters" = "13835"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0]
    • "FileSysPath" = "%currentfolder%"
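As an added example (not from the ESET description and not the malware's own code), the following PowerShell enumerates the two machine shutdown-script registry locations listed above and flags entries whose "Script" value points at an executable rather than a script file; the Suspicious heuristic and the output format are this example's own assumptions.

```powershell
# Added example (not ESET's code): list the machine shutdown-script registry
# entries that Win32/VB.NTK abuses for persistence and flag the ones that
# point at an executable rather than a script file. Key paths come from the
# description above; the Suspicious heuristic is an assumption of this example.

$ShutdownScriptRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown'
)

function Get-ShutdownScriptEntries {
    foreach ($root in $ShutdownScriptRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Layout is Shutdown\<GPO index>\<script index>; FileSysPath lives on the GPO key.
        foreach ($gpo in (Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue)) {
            $gpoProps = Get-ItemProperty -LiteralPath $gpo.PSPath -ErrorAction SilentlyContinue
            foreach ($entry in (Get-ChildItem -LiteralPath $gpo.PSPath -ErrorAction SilentlyContinue)) {
                $props = Get-ItemProperty -LiteralPath $entry.PSPath -ErrorAction SilentlyContinue
                if (-not $props.Script) { continue }
                # Genuine GPO shutdown scripts are normally .vbs/.cmd/.bat/.ps1 files under
                # the GroupPolicy folders; a bare .exe under System32 with the numeric
                # "Parameters" value seen above matches the trojan's registration.
                $suspicious = ($props.Script -match '\.(exe|dll|scr)"?$') -or
                              ($props.Script -match '\\system32\\') -or
                              ($props.Parameters -eq '13835')
                [pscustomobject]@{
                    Key         = $entry.PSPath -replace '^.*::', ''
                    Script      = $props.Script
                    Parameters  = $props.Parameters
                    FileSysPath = $gpoProps.FileSysPath
                    Suspicious  = $suspicious
                }
            }
        }
    }
}

# Triage list: review every entry, not only the flagged ones.
Get-ShutdownScriptEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Legitimate Group Policy shutdown scripts register under the same keys, so a flagged row is a lead for review, not a verdict.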

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}]

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • iexplore.exe

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
    • "limitblankpassworduse" = 1
    • "forceguest" = 1
    • "RestrictAnonymous" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    • "EnableDCOM" = "Y"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
    • "DCOM Protocols" = "%originalvalue% ncacn_ip_tcp"

The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0\0]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Shutdown\0]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0]

The trojan may execute the following commands:

  • cmd.exe /c del "%malwarefilepath%"
  • explorer /n,/e"

The trojan may delete the following files:

  • c:\*.vbs
