Win32/VBbot [Threat Name]

Win32/VBbot.V [Threat Variant Name]

Category trojan
Size 155648 B
Detection created Feb 03, 2010
Detection database version 4833
Aliases Backdoor.Win32.VBbot.ek (Kaspersky)
  Backdoor.Trojan (Symantec)
  W32/Vulcanbot (McAfee)
Short description

The trojan contains a backdoor. It can be controlled remotely.

Installation

The trojan creates the following files:

  • %system%\msconfig32.sys (1133 B)
  • %programfiles%\Java\jre6\bin\zf32.dll (28672 B)
  • %programfiles%\Java\jre6\bin\jucheck.exe (155648 B)
  • %appdata%\msconfig32.sys (1133 B)
  • %appdata%\Java\jre6\bin\zf32.dll (28672 B)
  • %appdata%\Java\jre6\bin\jucheck.exe (155648 B)

In order to be executed on every system start, the trojan sets the following Registry entries. It registers itself as an auto-start service running as LocalSystem (Type 16 = own process, Start 2 = automatic), makes the Dhcp, DnsCache and lanmanworkstation services depend on it so that the service control manager starts it before them (and so that deleting the service without undoing the dependency leaves those services unable to start), and adds SafeBoot entries so that it is also loaded in Safe Mode:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Java online update program" = "%appdata%\Java\jre6\bin\jucheck.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 2
    • "ImagePath" = "%programfiles%\Java\jre6\bin\jucheck.exe"
    • "DisplayName" = "Java online update program"
    • "DependOnService" = "RpcSs"
    • "DependOnGroup" = ""
    • "ObjectName" = "LocalSystem"
    • "Description" = "Java(TM) Update Checker. This service will check new update for your Java product."
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck\Security]
    • "Security" = %hex_value%
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jucheck\Enum]
    • "0" = "Root\LEGACY_JUCHECK\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000]
    • "Service" = "jucheck"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "Java online update program"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_JUCHECK\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "jucheck"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp]
    • "DependOnService" = "jucheck"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DnsCache]
    • "DependOnService" = "jucheck"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation]
    • "DependOnService" = "jucheck"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\jucheck]
    • "(Default)" = "Service"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\jucheck]
    • "(Default)" = "Service"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%programfiles%\Java\jre6\bin\jucheck.exe" = "%programfiles%\Java\jre6\bin\jucheck.exe:*:Enabled:Java(TM) Update Checker"

This entry adds the trojan's executable to the Windows Firewall exception list (enabled for all scopes, under the display name "Java(TM) Update Checker"), so the firewall allows unsolicited inbound connections to the backdoor.
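The following triage script is an added example, not code from the ESET page or from the malware. It enumerates the file, autorun, service, dependency, SafeBoot and firewall indicators listed above on a live host and, when run with -Remediate, undoes them in an order that keeps the box bootable. The paths, value names and file sizes are taken from the page; the -Remediate switch, the quarantine directory, the function names and the use of CurrentControlSet (the live alias of the ControlSet00N the page lists) are this script's own assumptions. Because JRE 6 ships a genuine jucheck.exe in %programfiles%\Java\jre6\bin, the script does not trust the path alone: it compares the size with the page's listing and checks the Authenticode signature, and treats only the %appdata% copies (where Java never installs a jre6\bin tree) as unconditionally bad.

```powershell
# Added triage/cleanup script for the Win32/VBbot.V indicators listed above.
# Not from the ESET page or the malware. Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)

$ErrorActionPreference = 'Stop'
$ServiceName  = 'jucheck'
$RunValueName = 'Java online update program'
$Services = 'HKLM:\SYSTEM\CurrentControlSet\Services'   # live alias of ControlSet00N
$SvcKey   = "$Services\$ServiceName"
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$FwKey    = "$Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
# ESET's %system% is the System32 directory. Sizes are the ones the page lists.
$DroppedFiles = @{
    "$env:SystemRoot\System32\msconfig32.sys"     = 1133
    "$env:ProgramFiles\Java\jre6\bin\zf32.dll"    = 28672
    "$env:ProgramFiles\Java\jre6\bin\jucheck.exe" = 155648
    "$env:APPDATA\msconfig32.sys"                 = 1133
    "$env:APPDATA\Java\jre6\bin\zf32.dll"         = 28672
    "$env:APPDATA\Java\jre6\bin\jucheck.exe"      = 155648
}
$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Text) { $Findings.Add($Text); Write-Host "[!] $Text" }
function Get-MultiString([string]$Key, [string]$Name) {
    # REG_MULTI_SZ as a string array; empty array when the key or value is absent.
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return @() } else { return @($p.$Name) }
}

# 1. Dropped files: size from the page, or any copy under %appdata%, is conclusive;
#    a signed jucheck.exe of another size under %programfiles% is the real updater.
$ToQuarantine = @()
foreach ($f in $DroppedFiles.Keys) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $len = (Get-Item -LiteralPath $f).Length
    $sig = (Get-AuthenticodeSignature -FilePath $f).Status
    if ($len -eq $DroppedFiles[$f] -or $f -like "$env:APPDATA\*") {
        Add-Finding "dropped file $f (size=$len signature=$sig)"
        $ToQuarantine += $f
    } elseif ($sig -ne 'Valid') { Add-Finding "unsigned file at indicator path, review: $f (size=$len)" }
}
# 2. Per-user autorun and the LocalSystem service.
$runVal = (Get-ItemProperty -Path $RunKey -Name $RunValueName -ErrorAction SilentlyContinue).$RunValueName
if ($runVal) { Add-Finding "HKCU Run value '$RunValueName' = $runVal" }
if (Test-Path $SvcKey) {
    $s = Get-ItemProperty -Path $SvcKey
    Add-Finding "service $ServiceName ImagePath=$($s.ImagePath) ObjectName=$($s.ObjectName) Start=$($s.Start)"
}
# 3. Dependency hijack: core networking services made to depend on the trojan.
$Hijacked = @{}
foreach ($dep in 'Dhcp', 'Dnscache', 'LanmanWorkstation') {
    $list = Get-MultiString "$Services\$dep" 'DependOnService'
    if ($list -contains $ServiceName) {
        $Hijacked[$dep] = $list
        Add-Finding "$dep DependOnService = [$($list -join ', ')]"
    }
}
# 4. Safe Mode entries and the firewall exception.
foreach ($mode in 'Minimal', 'Network') {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName") {
        Add-Finding "SafeBoot\$mode entry for $ServiceName (loads in Safe Mode too)"
    }
}
$fwHits = @()
$fw = Get-ItemProperty -Path $FwKey -ErrorAction SilentlyContinue
if ($fw) {
    $fwHits = @($fw.PSObject.Properties | Where-Object { $_.Name -like '*\jucheck.exe' })
    foreach ($h in $fwHits) { Add-Finding "firewall exception $($h.Name) = $($h.Value)" }
}
if (-not $Remediate) { Write-Host "$($Findings.Count) indicator(s). Re-run with -Remediate to clean up."; return }

# Order matters: detach the dependencies first. Deleting the service while
# Dhcp/Dnscache/LanmanWorkstation still list it leaves them unable to start
# at the next boot (missing dependency), i.e. a host with no networking.
foreach ($dep in $Hijacked.Keys) {
    $clean = @($Hijacked[$dep] | Where-Object { $_ -ne $ServiceName })
    if ($clean.Count -eq 0) {
        # The page shows the value as just "jucheck", so the original list was
        # overwritten; restore it from a known-good host of the same Windows version.
        Write-Warning "$dep had no other dependencies; restore DependOnService manually"
    }
    if ($PSCmdlet.ShouldProcess("$Services\$dep", "remove $ServiceName from DependOnService")) {
        Set-ItemProperty -Path "$Services\$dep" -Name 'DependOnService' -Value ([string[]]$clean) -Type MultiString
    }
}
foreach ($mode in 'Minimal', 'Network') {
    $k = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName"
    if ((Test-Path $k) -and $PSCmdlet.ShouldProcess($k, 'remove SafeBoot entry')) { Remove-Item -Path $k -Recurse }
}
if ($runVal -and $PSCmdlet.ShouldProcess($RunKey, "remove '$RunValueName'")) { Remove-ItemProperty -Path $RunKey -Name $RunValueName }
foreach ($h in $fwHits) {
    if ($PSCmdlet.ShouldProcess($FwKey, "remove exception $($h.Name)")) { Remove-ItemProperty -Path $FwKey -Name $h.Name }
}
if ((Test-Path $SvcKey) -and $PSCmdlet.ShouldProcess($ServiceName, 'stop and delete service')) {
    Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    sc.exe delete $ServiceName | Out-Null   # completes at reboot if the process would not stop
}
Get-Process -Name jucheck -ErrorAction SilentlyContinue |
    Where-Object { $ToQuarantine -contains $_.Path } | Stop-Process -Force -ErrorAction SilentlyContinue
$Quarantine = Join-Path $env:SystemRoot ('Temp\vbbot-' + (Get-Date -Format 'yyyyMMddHHmmss'))
foreach ($f in $ToQuarantine) {
    if ($PSCmdlet.ShouldProcess($f, "move to $Quarantine")) {
        New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
        Move-Item -LiteralPath $f -Destination $Quarantine -Force
    }
}
Write-Host 'Done. Reboot, then re-run without -Remediate to confirm nothing came back.'
```

Run it once without arguments to get a report, then with -Remediate -WhatIf to see every registry and file change it would make before committing to -Remediate. The script deliberately edits the DependOnService lists rather than deleting the values: the lists are REG_MULTI_SZ, and the right fix is to drop the single "jucheck" element, not the value. Where the trojan left "jucheck" as the only element, the pre-infection dependencies are gone and have to be copied from a clean machine. The page's Enum\Root\LEGACY_JUCHECK keys are not touched here; they are Windows' own bookkeeping for the service.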

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 4 URLs.

It can execute the following operations:

  • collect information about the operating system used
  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • capture screenshots
  • create files
  • delete cookies
  • create folders
  • delete folders
