Win32/TrojanDropper.VB.NPT [Threat Name] go to Threat

Win32/TrojanDropper.VB.NPT [Threat Variant Name]

Category trojan
Size 73216 B
Aliases Trojan-Downloader.Win32.Agent.eefk (Kaspersky)
  TrojanDownloader:Win32/Bulilit.A (Microsoft)
Short description

Win32/TrojanDropper.VB.NPT is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself into the following location:

  • C:\­WINDOWS\­system32\­%filename%.exe

A string with variable content is used instead of %filename% .


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "RunmeAtStartup" = "C:\­WINDOWS\­system32\­%filename%.exe"

The trojan creates the following files:

  • %temp%\­svchost.exe (55577 B, Win32/AntiAV.NGX)
  • C:\­rec.bat

The files are then executed.

Other information

The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • editor
  • ethereal
  • c32asm
  • hex
  • hiew
  • ollyice
  • peid
  • sniff
  • ultraEdit
  • vmusrvc
  • vmware
  • VMwareTray.exe
  • w32dasm

The trojan contains a list of (6) URLs.


It tries to download several files from the addresses.


These are stored in the following locations:

  • C:\­WINDOWS\­system32\­%variable%.exe
  • C:\­WINDOWS\­system32\­%variable%.dll

A string with variable content is used instead of %variable% .


The HTTP protocol is used. The files are then executed.


The trojan may create the following files:

  • C:\­WINDOWS\­system32\­xvhost.sb

Please enable Javascript to ensure correct displaying of this content and refresh this page.