Win32/VB.NRO [Threat Name]

Win32/VB.NRO [Threat Variant Name]

Category: trojan, worm
Size: 466944 B
Detection created: Oct 27, 2008
Detection database version: 3561
Aliases: Trojan.Win32.VB.iju (Kaspersky), Vundo.gen.n.trojan (McAfee), Trojan:Win32/VB (Microsoft)
Short description

Win32/VB.NRO is a trojan which tries to download other malware from the Internet. The trojan is usually a part of other malware.

Installation

The trojan does not create any copies of itself. The trojan creates the following file:

  • %windir%\system32\%variable1%.exe (132608 B, Win32/VB.NTK)

The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\132.0]
    • "(Default)" = "mdrwa"
  • [HKEY_CLASSES_ROOT\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\132.0\FLAGS]
    • "(Default)" = "0"
  • [HKEY_CLASSES_ROOT\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\132.0\0\win32]
    • "(Default)" = "malwarefilepath"
  • [HKEY_CLASSES_ROOT\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\132.0\HELPDIR]
    • "(Default)" = "%system%"
  • [HKEY_CLASSES_ROOT\Interface\{891FD0E4-F10F-42C4-AFD8-6F367A6CBA1A}]
    • "(Default)" = "kyf"
  • [HKEY_CLASSES_ROOT\Interface\{891FD0E4-F10F-42C4-AFD8-6F367A6CBA1A}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{891FD0E4-F10F-42C4-AFD8-6F367A6CBA1A}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{891FD0E4-F10F-42C4-AFD8-6F367A6CBA1A}\TypeLib]
    • "(Default)" = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"
    • "Version" = "132.0"
  • [HKEY_CLASSES_ROOT\Interface\{A0EC0508-FF35-4A08-83EA-706B1939D507}]
    • "(Default)" = "mjyyk"
  • [HKEY_CLASSES_ROOT\Interface\{A0EC0508-FF35-4A08-83EA-706B1939D507}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{A0EC0508-FF35-4A08-83EA-706B1939D507}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{A0EC0508-FF35-4A08-83EA-706B1939D507}\TypeLib]
    • "(Default)" = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"
    • "Version" = "132.0"
  • [HKEY_CLASSES_ROOT\Interface\{BA5B5889-E2CE-4C1C-B8B7-52BC527DEB92}]
    • "(Default)" = "mjyyk"
  • [HKEY_CLASSES_ROOT\Interface\{BA5B5889-E2CE-4C1C-B8B7-52BC527DEB92}\ProxyStubClsid]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{BA5B5889-E2CE-4C1C-B8B7-52BC527DEB92}\ProxyStubClsid32]
    • "(Default)" = "{00020424-0000-0000-C000-000000000046}"
  • [HKEY_CLASSES_ROOT\Interface\{BA5B5889-E2CE-4C1C-B8B7-52BC527DEB92}\TypeLib]
    • "(Default)" = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"
    • "Version" = "132.0"
  • [HKEY_CLASSES_ROOT\CLSID\{9D539D6D-0143-4E94-B7CB-4A7B9A99BB26}]
    • "(Default)" = "mdrwa.mjyyk"
  • [HKEY_CLASSES_ROOT\CLSID\{9D539D6D-0143-4E94-B7CB-4A7B9A99BB26}\InprocServer32]
    • "(Default)" = "%malwarefilepath%"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{9D539D6D-0143-4E94-B7CB-4A7B9A99BB26}\ProgID]
    • "(Default)" = "mdrwa.mjyyk"
  • [HKEY_CLASSES_ROOT\CLSID\{9D539D6D-0143-4E94-B7CB-4A7B9A99BB26}\TypeLib]
    • "(Default)" = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"
  • [HKEY_CLASSES_ROOT\CLSID\{9D539D6D-0143-4E94-B7CB-4A7B9A99BB26}\VERSION]
    • "(Default)" = "306.0"
  • [HKEY_CLASSES_ROOT\mdrwa.mjyyk]
    • "(Default)" = "mdrwa.mjyyk"
  • [HKEY_CLASSES_ROOT\mdrwa.mjyyk\Clsid]
    • "(Default)" = "{9D539D6D-0143-4E94-B7CB-4A7B9A99BB26}"
  • [HKEY_CLASSES_ROOT\CLSID\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}]
    • "(Default)" = "mdrwa.kyf"
  • [HKEY_CLASSES_ROOT\CLSID\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}\ProgID]
    • "(Default)" = "mdrwa.kyf"
  • [HKEY_CLASSES_ROOT\CLSID\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}\InprocServer32]
    • "(Default)" = "%malwarefilepath%"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CLASSES_ROOT\CLSID\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}\TypeLib]
    • "(Default)" = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"
  • [HKEY_CLASSES_ROOT\CLSID\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}\VERSION]
    • "(Default)" = "306.0"
  • [HKEY_CLASSES_ROOT\mdrwa.kyf]
    • "(Default)" = "mdrwa.kyf"
  • [HKEY_CLASSES_ROOT\mdrwa.kyf\Clsid]
    • "(Default)" = "{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%variable2%]
    • "ImagePath" = "%windir%\system32\%variable1%.exe"
    • "Start" = 2
    • "Type" = 272

A string with variable content is used instead of %variable1-2%.

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}]

By registering its CLSID as a Browser Helper Object, the trojan gets its code loaded into specific processes.

The following programs are affected:

  • explorer.exe
  • iexplore.exe
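
As an added detection example, not part of this ESET entry: a PowerShell script that lists the Browser Helper Objects registered on a host, resolves each one's in-process DLL, and flags the BHO CLSID and TypeLib GUID given above. The unsigned-DLL and missing-path heuristics are assumptions of the example, not behaviour the entry describes.

```powershell
# Added detection example (not from the ESET entry). Run from an elevated PowerShell.
$KnownBhoClsid = '{A31075F4-DED2-4C05-8B28-EE43AF4BBA04}'   # BHO CLSID listed in the entry
$KnownTypeLib  = '{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}'   # TypeLib GUID listed in the entry

# HKCR is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Get-BhoFindings {
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in (Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue)) {
        $clsid   = $key.PSChildName
        $server  = (Get-ItemProperty "HKCR:\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $typelib = (Get-ItemProperty "HKCR:\CLSID\$clsid\TypeLib"        -ErrorAction SilentlyContinue).'(default)'
        $reasons = @()

        if ($clsid   -ieq $KnownBhoClsid) { $reasons += 'CLSID matches Win32/VB.NRO' }
        if ($typelib -ieq $KnownTypeLib)  { $reasons += 'TypeLib matches Win32/VB.NRO' }

        # Generic heuristics (assumptions of this example): a BHO DLL that is not
        # validly signed, or whose path no longer exists, deserves a closer look.
        if ($server) {
            $path = [Environment]::ExpandEnvironmentVariables($server).Trim('"')
            if (-not (Test-Path -LiteralPath $path)) {
                $reasons += 'InprocServer32 path does not exist'
            } elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') {
                $reasons += 'InprocServer32 DLL is not validly signed'
            }
        } else {
            $reasons += 'no InprocServer32 value'
        }

        [pscustomobject]@{
            CLSID   = $clsid
            Server  = $server
            TypeLib = $typelib
            Flags   = ($reasons -join '; ')
        }
    }
}

# The entry also shows the TypeLib key itself being created under HKCR; report it too.
$typeLibPresent = Test-Path -LiteralPath "HKCR:\TypeLib\$KnownTypeLib"

Get-BhoFindings | Format-Table -AutoSize
"TypeLib $KnownTypeLib present: $typeLibPresent"
```

Any row whose Flags column mentions Win32/VB.NRO, or the TypeLib key being present, should be treated as a positive match; the signature and path heuristics only prioritise what to inspect next.
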

Spreading

Win32/VB.NRO is a trojan that can spread over the network by exploiting vulnerabilities in the operating system.

The trojan generates various URL addresses.

It tries to connect to remote machines on TCP port 135.


The following usernames are used:

  • administrator
  • %null%

The following passwords are used:

  • 000000
  • 1
  • 11
  • 110
  • 111
  • 1111
  • 111111
  • 11111111
  • 112
  • 1122
  • 112233
  • 11223344
  • 119
  • 12
  • 123
  • 123123
  • 1233211234567
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1314
  • 1314520
  • 2008
  • 321
  • 4321
  • 520
  • 5201314
  • 54321
  • 654321
  • 666666
  • 8
  • 88
  • 888
  • 8888
  • 88888
  • 888888
  • 88888888
  • 987654321
  • a
  • aa
  • abc
  • abc123
  • abcd
  • admin
  • admin1
  • admin12
  • admin123
  • admin8
  • admin88
  • admin888
  • administrator
  • gg
  • mm
  • pass
  • passwd
  • password
  • qwerty
  • super

If it succeeds, a copy of the trojan is retrieved from the attacking machine.

Other information

Win32/VB.NRO is a trojan which tries to download other malware from the Internet.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 755 URLs. The HTTP and TCP protocols are used.


The trojan can create and run a new thread with its own program code within the following processes:

  • %comspec%
  • %programfiles%\Internet Explorer\iexplore.exe

The trojan can modify the following file:

  • %windir%\system32\drivers\tcpip.sys
