Win32/VB.QHS

Category: trojan
Size: 73897 B
Detection created: Jan 02, 2012
Detection database version: 6760
Aliases:

  • Trojan.Win32.Scar.fwsf (Kaspersky)
  • Trojan:Win32/Sulunch (Microsoft)
  • Trojan.Gen (Symantec)

Short description

Win32/VB.QHS is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself to the following locations:

  • D:\Updates.exe
  • D:\Backup.exe

The trojan may create copies of itself using the following filenames:

  • %variable%.exe
  • %username%'s Files.exe
  • Passwords.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Updates" = "D:\Updates.exe"
    • "Backup" = "D:\Backup.exe"

The trojan also searches for folders on local drives. When the trojan finds a folder matching the search criteria, it creates a new copy of itself. The name of the new file is based on the name of the folder found in the search. The extension of the file is ".exe".


Information stealing

Win32/VB.QHS is a trojan that steals sensitive information. The trojan is able to log keystrokes.

The collected information is stored in the following file:

  • D:\Windows.dll

The trojan sends the information via e-mail. The trojan contains a list of 2 addresses.

Other information

The following programs are terminated:

  • msconfig.exe
  • Taskmgr.exe
  • regedit.exe
  • reg.exe
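
A triage check built from the indicators above, as an added example that is not part of the original description: it matches the listed Run values and dropped files, and flags ".exe" files named after a folder. It assumes the folder-named copy sits inside or next to that folder, and it reads the Run key through Python's `winreg` API because `reg.exe` and `regedit.exe` are among the terminated programs; the function names are hypothetical.

```python
import os
import sys

# Indicators copied from the description above.
RUN_VALUES = {"Updates": r"D:\Updates.exe", "Backup": r"D:\Backup.exe"}
DROPPED_FILES = [r"D:\Updates.exe", r"D:\Backup.exe", r"D:\Windows.dll"]
SAMPLE_SIZE = 73897  # bytes, the "Size" field of this variant


def match_run_entries(entries):
    """Return Run value names whose name and data both match the description."""
    return sorted(name for name, data in entries.items()
                  if name in RUN_VALUES
                  and RUN_VALUES[name].lower() == data.strip('" ').lower())


def find_folder_twins(root):
    """List (path, size_matches) for .exe files named after a folder.

    Assumption: the copy sits inside or next to the folder it is named after.
    """
    hits = []
    for parent, dirs, files in os.walk(root):
        folders = {d.lower() for d in dirs} | {os.path.basename(parent).lower()}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".exe" and stem.lower() in folders:
                path = os.path.join(parent, name)
                hits.append((path, os.path.getsize(path) == SAMPLE_SIZE))
    return sorted(hits)


def read_hkcu_run():
    """Read the HKCU Run values through the registry API (Windows only)."""
    import winreg
    entries = {}
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            entries[name] = str(data)
    return entries


if __name__ == "__main__" and sys.platform == "win32":
    print("Run key hits:", match_run_entries(read_hkcu_run()))
    print("Files present:", [p for p in DROPPED_FILES if os.path.exists(p)])
    for path, same_size in find_folder_twins(sys.argv[1] if len(sys.argv) > 1 else "D:\\"):
        print("Folder-named exe:", path, "(size matches)" if same_size else "")
```

Legitimate software often ships an executable named after its own folder, so treat a folder-named hit as a lead and give priority to those whose size matches the sample.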
