Win32/VB.RPS [Threat Name]

Win32/VB.RPS [Threat Variant Name]

Category trojan
Size 299008 B
Detection created Sep 03, 2014
Detection database version 10361
Aliases VB2.AFXO (AVG)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\taskhost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "C:\Windows\system32\userinit.exe,%windir%\taskhost.exe /boot"
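An added triage check (not part of the ESET entry) that parses a Winlogon "Userinit" value and flags anything appended after the stock userinit.exe, including the %windir%\taskhost.exe /boot entry set by this trojan; the environment-variable table and the sample values are constructed assumptions.

```python
"""Triage a Winlogon "Userinit" value for appended persistence entries.
Added example; the ENV table and sample values are constructed."""
import ntpath
import re

# The only program that belongs in Userinit on a stock Windows install.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Assumed expansions for a default install (the real values come from the host).
ENV = {"windir": r"C:\Windows", "systemroot": r"C:\Windows"}


def expand_env(s: str) -> str:
    """Expand %name% tokens using the assumed ENV table (case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), s)


def split_userinit(value: str) -> list[tuple[str, str]]:
    """Split the comma-separated Userinit string into (program, args) pairs.
    The stock value ends with a trailing comma, so empty entries are dropped.
    Programs are split from arguments at the first space (unquoted paths with
    spaces are not handled here)."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        prog, _, args = raw.partition(" ")
        entries.append((ntpath.normpath(expand_env(prog)).lower(), args.strip()))
    return entries


def suspicious_userinit_entries(value: str) -> list[str]:
    """Return one finding per entry other than the stock userinit.exe.
    Any extra program here runs at every logon, so treat it as a hijack."""
    findings = []
    for prog, args in split_userinit(value):
        if prog == EXPECTED_USERINIT:
            continue
        reason = "unexpected program in Userinit"
        # Legitimate taskhost.exe lives in System32; a copy directly in
        # %windir% matches the drop location described for this trojan.
        if ntpath.basename(prog) == "taskhost.exe" and ntpath.dirname(prog) == r"c:\windows":
            reason = "taskhost.exe outside System32 (Win32/VB.RPS drop location)"
        findings.append(f"{reason}: {prog} {args}".rstrip())
    return findings


# Constructed sample values: a clean default and the value this trojan sets.
CLEAN = r"C:\Windows\system32\userinit.exe,"
INFECTED = r"C:\Windows\system32\userinit.exe,%windir%\taskhost.exe /boot"

if __name__ == "__main__":
    for label, v in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, suspicious_userinit_entries(v) or "no findings")
```

On a live host the value would be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and passed to suspicious_userinit_entries.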

Information stealing

The trojan collects the following information:

  • computer name
  • operating system version
  • network adapter information
  • volume serial number

The trojan attempts to send gathered information to a remote machine.


Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (6) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • perform DoS/DDoS attacks
  • update itself to a newer version
  • open a specific URL address

The trojan may delete the following files:

  • %temp%\wiUpdater.exe
  • %windir%\dllhostex.exe
  • %windir%\taskhost.exe
  • %windir%\System32\taskhostsv.exe
  • %windir%\wscript.exe

The trojan may create copies of the following files (source, destination):

  • %malwarefolder%\idmpatcher.exe, %windir%\dllhostex.exe
  • %temp%\wiUpdater.exe, %windir%\taskhost.exe

The trojan keeps various information in the following files:

  • %appdata%\win.dat
  • %appdata%\list%variable%.dat

A string with variable content is used in place of %variable%.


The trojan may display the following dialog windows:
