Win32/VB.PKO

Threat variant name: Win32/VB.PKO

Category: trojan
Size: 2945024 B
Detection created: Nov 16, 2010
Detection database version: 5624
Aliases: Backdoor.Win32.Whimoo.acq (Kaspersky)
         TROJ_SASFIS.AB (TrendMicro)
         Trojan.DbHunter.1 (Dr.Web)
Short description

Win32/VB.PKO is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine. The trojan is probably part of other malware.

Installation

The trojan does not create any copies of itself.

The trojan creates the following files:

  • %currentfolder%\myodbc.zip (2418120 B)
  • %currentfolder%\myodbc5.lib (25364 B)
  • %currentfolder%\AUNZIP32.DLL (113152 B)
  • %currentfolder%\myodbc.exe (163840 B)
  • %currentfolder%\myodbc5.dll (2649600 B)
  • %currentfolder%\AZIP32.DLL (140800 B)
  • %currentfolder%\myodbc5S.dll (1874432 B)
  • %currentfolder%\myodbc5S.lib (1932 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%filename%" = "%malwarepath%"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\MySQL ODBC 5.1 Driver]
    • "UsageCount" = 1
    • "Driver" = "%system%\myodbc5.dll"
    • "Setup" = "%system%\myodbc5S.dll"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\ODBC\ODBCINST.INI\ODBC Drivers]
    • "MySQL ODBC 5.1 Driver" = "Installed"

The trojan modifies the following file:

  • %windir%\ODBCINST.INI

Information stealing

The trojan collects various information when Internet Explorer is being used to access the following sites:

  • www.bradesco.com.br
  • www.cetelem.com.br
  • www.hotmail.com.br
  • hotmail.com.br
  • mail.live.com
  • login.live.com
  • www.locaweb.com.br
  • www.msn.com
  • br.msn.com
  • sitenet.serasa.com.br
  • terra.com.br
  • mail.terra.com.br
  • smail-mia.terra.com.br
  • acesso.uol.com.br
  • www.uol.com.br

The trojan collects the following information:

  • login name
  • login password

The trojan contains a URL address.

The trojan can send the information to a remote machine.

Other information

The trojan may create the following files:

  • C:\AVS%variable%.log

A string with variable content is used instead of %variable%.
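
As an added triage example (not ESET's code and not part of this entry), the following Python script checks a host's %windir%\ODBCINST.INI, an export of the HKLM Run key, and a directory listing for the indicators named in the Installation and Other information sections above. All inputs are constructed samples; the system directory path, the .reg export format, the overlap threshold and the sample file names are assumptions. Because the driver name and DLL names match those of the genuine MySQL Connector/ODBC 5.1, the check keys on the DLL location under %system% and on the Run-key target sharing a folder with the dropped file set, rather than on the names alone.

```python
"""Added triage example for the Win32/VB.PKO indicators (not ESET's tooling).
All inputs below are constructed samples; on a real host feed it the contents
of %windir%\\ODBCINST.INI, a .reg export of the HKLM Run key, and a listing of
the folder each Run value points to."""
import configparser
import ntpath
import re

# Files the entry says are dropped into the trojan's folder (lower-cased)
DROPPED_FILES = {
    "myodbc.zip", "myodbc5.lib", "aunzip32.dll", "myodbc.exe",
    "myodbc5.dll", "azip32.dll", "myodbc5s.dll", "myodbc5s.lib",
}
# DLLs the entry says the ODBC driver registration points at
DRIVER_DLLS = {"myodbc5.dll", "myodbc5s.dll"}
# Log file pattern from the "Other information" section: C:\AVS%variable%.log
AVS_LOG_RE = re.compile(r"^c:\\avs.*\.log$", re.IGNORECASE)
# Value lines in a .reg export: "name"="value" (assumed export format)
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def odbc_findings(odbcinst_text, system_dir="C:\\Windows\\System32"):
    """Flag ODBC drivers whose Driver/Setup DLL is one of the listed names AND
    sits in the system directory (the entry registers %system%\\myodbc5.dll).
    The genuine Connector/ODBC 5.1 uses the same DLL names from its own install
    folder, so the location is the discriminating part of this check."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so "Driver"/"Setup" match literally
    cp.read_string(odbcinst_text)
    hits = []
    for section in cp.sections():
        for key in ("Driver", "Setup"):
            path = cp.get(section, key, fallback=None)
            if not path:
                continue
            head, base = ntpath.split(path)
            if base.lower() in DRIVER_DLLS and head.lower() == system_dir.lower():
                hits.append((section, key, path))
    return hits


def run_key_values(reg_export_text):
    """Parse name/value pairs from a .reg-style export; unescape backslashes."""
    values = {}
    for line in reg_export_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = m.group("value").replace("\\\\", "\\")
    return values


def run_key_findings(reg_export_text, dir_listing, min_overlap=3):
    """Flag Run values whose target folder also holds the dropped file set.
    dir_listing maps a folder path to the set of file names found in it;
    min_overlap (assumed) is how many of the listed files must be present."""
    hits = []
    for name, target in run_key_values(reg_export_text).items():
        folder, _exe = ntpath.split(target)
        present = {f.lower() for f in dir_listing.get(folder, ())}
        overlap = DROPPED_FILES & present
        if len(overlap) >= min_overlap:
            hits.append((name, target, sorted(overlap)))
    return hits


def avs_log_findings(file_paths):
    """Return paths matching the C:\\AVS%variable%.log pattern."""
    return [p for p in file_paths if AVS_LOG_RE.match(p)]


# Constructed sample inputs (one legitimate entry beside each suspect one)
SAMPLE_ODBCINST = """[ODBC Drivers]
MySQL ODBC 5.1 Driver=Installed
SQL Server=Installed

[MySQL ODBC 5.1 Driver]
UsageCount=1
Driver=C:\\Windows\\System32\\myodbc5.dll
Setup=C:\\Windows\\System32\\myodbc5S.dll

[SQL Server]
Driver=C:\\Windows\\System32\\SQLSRV32.dll
"""
SAMPLE_RUN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"myodbc"="C:\\Users\\Public\\odbc\\myodbc.exe"
"""
SAMPLE_DIR_LISTING = {
    "C:\\Users\\Public\\odbc": {"myodbc.exe", "myodbc.zip", "myodbc5.dll",
                                "myodbc5S.dll", "AUNZIP32.DLL", "AZIP32.DLL"},
    "C:\\Program Files\\Example": {"updater.exe"},
}
SAMPLE_FILES = ["C:\\AVS1731.log", "C:\\Windows\\ODBCINST.INI"]


def triage(odbcinst_text=SAMPLE_ODBCINST, reg_export_text=SAMPLE_RUN_EXPORT,
           dir_listing=SAMPLE_DIR_LISTING, file_paths=SAMPLE_FILES):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "odbc": odbc_findings(odbcinst_text),
        "run": run_key_findings(reg_export_text, dir_listing),
        "avs_log": avs_log_findings(file_paths),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        print(kind, hits)
```

Run as a script, the block prints the three finding lists for the sample data: both DLL registrations of the sample "MySQL ODBC 5.1 Driver" section, the Run value whose folder holds six of the listed files, and the AVS log. The legitimate SQL Server driver and the "Updater" value produce nothing, which is the point of tying the check to location and co-occurrence rather than to names that a genuine driver install also uses.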
