Win32/VB.PJM [Threat Name]

Win32/VB.PJM [Threat Variant Name]

Category trojan
Size 20480 B
Detection created Oct 24, 2010
Detection database version 5559
Aliases Trojan.Win32.Refroso.decr (Kaspersky)
  Trojan:Win32/Bumat!rts (Microsoft)
  BackDoor.Bifrost.19155 (Dr.Web)
Short description

Win32/VB.PJM is a trojan that terminates specific applications. The file is run-time compressed using UPX.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%malwarefilename%" = "%malwarefilepath%"
Other information

Win32/VB.PJM is a trojan that terminates specific applications.


The trojan terminates all running processes that contain any of the following modules:

  • scp.dll
  • sshib.dll
  • gbie.dll

The trojan executes the following commands:

  • cmd /c echo s| cacls "%driveletter%:\Program Files\gbplugin\*.*" /d administradores system todos
  • cmd /c echo s| cacls "%driveletter%:\Program Files\scpad\*.*" /d administradores system todos
  • cmd /c echo s| cacls "%driveletter%:\Program Files\gbplugin\" /d administradores system todos
  • cmd /c echo s| cacls "%driveletter%:\Program Files\scpad
  • cmd /c echo s| cacls "%driveletter%:\WINDOWS\Downloaded Program Files\*gbp*.*\" /d administradores
  • cmd /c echo s| cacls "%driveletter%:\WINDOWS\Downloaded Program Files\*gbie*.*\" /d administradores
  • cmd /c echo s| cacls "%driveletter%:\WINDOWS\Downloaded Program Files\*CONFL*\" /t /d administradores
  • cmd /c echo s| cacls "%driveletter%:\WINDOWS\system32\drivers\gbpkm.sys\" /d administradores system
  • sc stop gbpkm
  • sc delete gbpkm
  • cmd /c taskkill /f /im gbpsv.exe

A string with variable content is used instead of %driveletter%.

The cacls commands deny access (/d) to the listed files and folders for the named groups; "administradores", "system" and "todos" are the Portuguese-language names of the Administrators, SYSTEM and Everyone groups, and the piped "s" answers cacls' confirmation prompt so the command runs unattended, which indicates the trojan targets Portuguese-language Windows installations. The gbplugin, gbie and scpad components and the gbpkm driver belong to browser security plugins used by Brazilian online banking; denying access to them, stopping and deleting the gbpkm driver service and forcibly ending gbpsv.exe disables that protection before the trojan's other activity.
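The command lines above are a usable detection signature on their own. The following is an added example, not code from the ESET entry and not the trojan's code: it classifies process-creation command lines (for instance Sysmon event 1 or EDR telemetry) against the cacls-deny, sc stop/delete and taskkill indicators listed in the entry, and raises a verdict when more than one indicator family appears. The sample events and the indicator names are constructed for the example; the protected paths are matched on their tail because the drive letter varies.

```python
import re

# Path tails taken from the command list in the entry above (drive letter varies).
PROTECTED_PATH_RE = re.compile(
    r"program files\\gbplugin"
    r"|program files\\scpad"
    r"|downloaded program files\\\*gbp\*"
    r"|downloaded program files\\\*gbie\*"
    r"|downloaded program files\\\*confl\*"
    r"|system32\\drivers\\gbpkm\.sys",
    re.IGNORECASE,
)
# cacls with /d denies the named accounts access to the object.
CACLS_DENY_RE = re.compile(r"\bcacls(?:\.exe)?\b.*\s/d\b", re.IGNORECASE)
# "echo s|" feeds the answer to cacls' "Are you sure?" prompt so it runs unattended.
ECHO_PIPE_RE = re.compile(r"\becho\s+\S+\s*\|", re.IGNORECASE)
# Service control against the gbpkm driver service.
SC_GBPKM_RE = re.compile(r"\bsc(?:\.exe)?\s+(stop|delete)\s+gbpkm\b", re.IGNORECASE)
# Forced termination of gbpsv.exe.
TASKKILL_GBPSV_RE = re.compile(r"\btaskkill(?:\.exe)?\b.*\s/im\s+gbpsv\.exe\b", re.IGNORECASE)


def classify(cmdline):
    """Return the indicator names (constructed labels) matched by one command line."""
    hits = []
    if CACLS_DENY_RE.search(cmdline) and PROTECTED_PATH_RE.search(cmdline):
        hits.append("cacls_deny_on_plugin_path")
        if ECHO_PIPE_RE.search(cmdline):
            hits.append("cacls_prompt_auto_answered")
    m = SC_GBPKM_RE.search(cmdline)
    if m:
        hits.append("sc_%s_gbpkm" % m.group(1).lower())
    if TASKKILL_GBPSV_RE.search(cmdline):
        hits.append("taskkill_gbpsv")
    return hits


def scan(events):
    """events: iterable of (timestamp, command_line). Returns [(timestamp, hits)]
    for every event that matched at least one indicator."""
    findings = []
    for ts, cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((ts, hits))
    return findings


def verdict(events):
    """'gbplugin_tampering' when at least two of the three indicator families
    (cacls denial, sc stop/delete, taskkill) appear in the events, else 'no_alert'."""
    families = {hit.split("_", 1)[0] for _, hits in scan(events) for hit in hits}
    return "gbplugin_tampering" if len(families) >= 2 else "no_alert"


# Constructed sample telemetry: the first five mirror the entry's command list,
# the last two are benign look-alikes (a grant rather than a deny, a query only).
SAMPLE_EVENTS = [
    ("10:00:01", r'cmd /c echo s| cacls "C:\Program Files\gbplugin\*.*" /d administradores system todos'),
    ("10:00:02", r'cmd /c echo s| cacls "C:\WINDOWS\Downloaded Program Files\*CONFL*\" /t /d administradores'),
    ("10:00:03", r"sc stop gbpkm"),
    ("10:00:04", r"sc delete gbpkm"),
    ("10:00:05", r"cmd /c taskkill /f /im gbpsv.exe"),
    ("10:05:00", r'cacls "C:\Program Files\gbplugin\*.*" /g administradores:F'),
    ("10:06:00", r"sc query gbpkm"),
]

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_EVENTS):
        print(ts, ", ".join(hits))
    print("verdict:", verdict(SAMPLE_EVENTS))
```

The benign events are there to show why the rule keys on /d rather than on cacls alone: an administrator granting rights on the same folder, or querying the driver service, produces no hit. On a live host the same indicators can be checked after the fact by inspecting the ACLs of the listed folders for Deny entries and the state of the gbpkm service.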
