Win32/VB.NXB [Threat Name] go to Threat

Win32/VB.NXB [Threat Variant Name]

Category trojan,worm
Size 647168 B
Aliases Trojan-Dropper.MSIL.StubRC.gym (Kaspersky)
  Worm:Win32/Ainslot.B (Microsoft)
  W32.Shadesrat (Symantec)
Short description

Win32/VB.NXB is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.


When executed, the worm copies itself into the following location:

  • %startup%\­%originalfilename%

This causes the worm to be executed on every system start.

The following files are dropped into the %appdata% folder:

  • svchost.exe (12288 B)
  • bot.exe (12288 B)
  • data.dat

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile]
    • "DoNotAllowExceptions" = 0
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­SharedAccess\­Parameters\­FirewallPolicy\­StandardProfile\­AuthorizedApplications\­List]
    • "%appdata%\­svchost.exe" = "%appdata%\­svchost.exe:*:Enabled:Windows Messanger"
    • "%appdata%\­bot.exe" = "%appdata%\­bot.exe:*:Enabled:Windows Messanger"
  • [HKEY_CURRENT_USER\­Software\­VB and VBA Program Settings\­INSTALL\­DATE]
    • "6AQPX80JHM" = %variable%
  • [HKEY_CURRENT_USER\­Software\­VB and VBA Program Settings\­SrvID\­ID]
    • "6AQPX80JHM" = "blackshades"

A string with variable content is used instead of %variable% .

Spreading on removable media

The worm may create copies of itself using the following filenames:

  • %removabledrive%\­%variable%.exe

A string with variable content is used instead of %variable% .

The following file is dropped in the same folder:

  • autorun.ini
Other information

The worm acquires data and commands from a remote computer or the Internet. The worm contains an URL address.

The worm can be used to gain full access to the compromised computer.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • run executable files
  • terminate running processes
  • perform DoS/DDoS attacks
  • redirect network traffic
  • delete Registry entries
  • capture screenshots
  • create Registry entries
  • delete Registry entries
  • set file attributes
  • send open TCP and UDP port numbers to a remote computer
  • send the list of disk devices and their type to a remote computer
  • various file system operations
  • delete cookies
  • collect information about the operating system used
  • stop itself for a certain time period
  • log keystrokes
  • capture webcam video/voice
  • send gathered information

The following information is collected:

  • information about the operating system and system settings
  • network adapter information
  • antivirus software detected on the affected machine
  • Mozilla Firefox account information
  • list of running processes

Please enable Javascript to ensure correct displaying of this content and refresh this page.