Win32/VB.NIY [Threat Name]

Win32/VB.NIY [Threat Variant Name]

Category trojan, worm
Size 73728 B
Aliases Trojan.Win32.VB.ahqj (Kaspersky)
        TrojanDownloader:Win32/VB.AAP (Microsoft)
        Trojan.DownLoad1.50077 (Dr.Web)
Short description

Win32/VB.NIY is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX, so the paths, Registry names and commands listed below are only visible in the sample once it has been unpacked.


When executed, the trojan copies itself into the following location:

  • %temp%\geurge.exe

In order to be executed on every system start, the trojan sets the following Registry entry (writing under HKEY_LOCAL_MACHINE requires the process to run with administrative rights):

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "ewrgetuj" = "%temp%\geurge.exe"

The following file is dropped:

  • C:\tujserrew.bat

The batch file is then executed.

After the installation is complete, the trojan deletes the original executable file, so the copy in %temp% is the one that remains on disk.

Other information

The trojan executes the following commands, which stop and disable the Security Center service (wscsvc) and the Windows Firewall/ICS service (SharedAccess):

  • net.exe stop "Security Center"
  • sc config wscsvc start=DISABLED
  • net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
  • sc config SharedAccess start=DISABLED
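As an added host-triage example (this is not part of the ESET description), the following PowerShell checks a machine for the indicators listed in this entry: the Run key value, the copied and dropped files, and the start mode of the two services the commands above disable. It is read-only. Files with a variable component (%variable%.exe, G_%variable%.ini) cannot be matched exactly, so the script matches only the fixed prefix G_*.ini and does not look for %variable%.exe; the per-user Temp paths it enumerates under C:\Users are an assumption about the host's profile layout.

```powershell
# Added triage example, not part of the original threat description.
# Read-only check for the Win32/VB.NIY indicators listed on this page.
# Run from an elevated prompt so HKLM and service configuration are readable.

$findings = @()

# 1. Persistence: Run key value "ewrgetuj" pointing at %temp%\geurge.exe
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'ewrgetuj'
if ($runValue) {
    $findings += "Run key value 'ewrgetuj' present: $runValue"
}

# 2. Copied/dropped files. %temp% expands per user, so check the current user's
#    Temp plus every profile's Temp (assumed layout: C:\Users\<user>\AppData\Local\Temp).
$tempDirs = @($env:TEMP) + @(Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($dir in ($tempDirs | Select-Object -Unique)) {
    foreach ($name in 'geurge.exe', 'segh3h43.tmp', 'eh3wu4h3hw.ini') {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
    # G_%variable%.ini has a variable suffix, so only the fixed prefix can be matched
    Get-ChildItem -Path $dir -Filter 'G_*.ini' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Possible config file: $($_.FullName)" }
}
# The batch file is dropped at a fixed path
if (Test-Path -LiteralPath 'C:\tujserrew.bat') {
    $findings += 'File present: C:\tujserrew.bat'
}

# 3. Service tampering: "sc config <svc> start=DISABLED" leaves StartMode = Disabled
#    for Security Center (wscsvc) and Windows Firewall/ICS (SharedAccess).
foreach ($svc in 'wscsvc', 'SharedAccess') {
    $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue
    if ($s -and $s.StartMode -eq 'Disabled') {
        $findings += "Service $svc is disabled (state: $($s.State))"
    }
}

if ($findings.Count -eq 0) { 'No Win32/VB.NIY indicators found.' } else { $findings }
```

A disabled wscsvc or SharedAccess on its own is not proof of infection (administrators disable both legitimately), so treat the service check as corroborating evidence alongside the Run key value and the file paths, which are specific to this sample.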

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs and communicates with them over HTTP.

The trojan can download a file from the Internet and execute it.

The trojan may create the following files:

  • %temp%\G_%variable%.ini
  • %temp%\segh3h43.tmp
  • %temp%\eh3wu4h3hw.ini
  • %variable%.exe

A string with variable content is used instead of %variable%.

The trojan collects the following information:

  • network adapter information
  • volume serial number

The trojan can send the information to a remote machine.
