Win32/VB.NTO [Threat Name]

Win32/VB.NTO [Threat Variant Name]

Category: trojan, worm
Size: 180224 B
Detection created: Dec 03, 2008
Detection database version: 3661
Aliases: Trojan.Win32.Swisyn.epr (Kaspersky), W32.SillyFDC (Symantec), Generic.dx!emo (McAfee)

Short description

Win32/VB.NTO is a worm that spreads by copying itself into the root folders of available drives.

Installation

When executed, the worm copies itself into the following location:

  • %windir%\svchost.exe (180224 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
    • "Type" = "checkbox"
    • "Text" = "@shell32.dll,-30503"
    • "HKeyRoot" = 0x80000001
    • "RegPath" = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    • "ValueName" = "HideFileExt"
    • "CheckedValue" = 0x00000001
    • "UncheckedValue" = 0x00000001
    • "DefaultValue" = 0x00000001
    • "HelpID" = "shell.hlp#51101"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    • "RegPath" = "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    • "Text" = "@shell32.dll,-30500"
    • "Type" = "radio"
    • "CheckedValue" = 0x00000000
    • "ValueName" = "Hidden"
    • "DefaultValue" = 0x00000002
    • "HKeyRoot" = 0x80000001
    • "HelpID" = "shell.hlp#51105"

Spreading

Win32/VB.NTO is a worm that spreads by copying itself into the root folders of available drives.

The name of the copied file may be based on the name of an existing file or folder, with an additional ".exe" extension appended.
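
A triage check for the spreading behaviour described above, as an added example that is not part of the original description: it lists files in a drive root whose name is the name of an existing sibling file or folder plus ".exe", and notes whether the size equals the 180224 B given on this page. The function names and the sample directory are constructed for illustration, and a name match alone is a lead for review rather than a detection.

```python
import tempfile
from pathlib import Path

SAMPLE_SIZE = 180224  # size in bytes given on this page for Win32/VB.NTO


def suspicious_root_copies(root):
    """Return sorted (file name, size_matches_sample) pairs for every
    '<existing sibling name>.exe' found directly in `root`."""
    entries = list(Path(root).iterdir())
    # Compare case-insensitively, as Windows file systems do.
    names = {e.name.lower() for e in entries}
    hits = []
    for e in entries:
        if not e.is_file() or e.suffix.lower() != ".exe":
            continue
        base = e.name[:-len(".exe")].lower()  # name without the appended ".exe"
        if base and base in names:
            hits.append((e.name, e.stat().st_size == SAMPLE_SIZE))
    return sorted(hits)


def run_on_constructed_sample():
    """Build a constructed drive root in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Photos").mkdir()                                # real folder
        (root / "Photos.exe").write_bytes(b"\0" * SAMPLE_SIZE)   # folder name + .exe
        (root / "report.doc").write_text("constructed document")
        (root / "report.doc.exe").write_bytes(b"\0" * 10)        # file name + .exe
        (root / "setup.exe").write_bytes(b"\0" * 10)             # no sibling: ignored
        return suspicious_root_copies(root)


if __name__ == "__main__":
    for name, size_match in run_on_constructed_sample():
        note = "size matches sample" if size_match else "size differs"
        print(f"{name}: shadows an existing name ({note})")
```

Because the worm also alters the Explorer settings listed under Installation, run such a check from a script or a listing that shows full file names rather than relying on the Explorer view.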

Other information

The worm creates the following files:

  • %windir%\1.reg
  • %windir%\2.reg

The worm executes the following commands:

  • cmd.exe /c regedit /s %windir%\1.reg
  • cmd.exe /c regedit /s %windir%\2.reg

The worm launches the following processes:

  • explorer.exe
