Win32/VB.OOB

Category trojan,worm
Size 28000001 B
Detection created Oct 28, 2009
Detection database version 4552
Short description

Win32/VB.OOB is a trojan that deletes files in specific folders.

Installation

When executed, the trojan creates the following folders:

  • %windir%\system32w
  • %windir%\system32e
  • %windir%\TR1

The following files are dropped:

  • %windir%\system32w\IOASAL.DLL
  • %windir%\system32w\smss.GELGG
  • %windir%\system32w\services.GELGG
  • %windir%\system32w\winlogon.GELGG
  • %windir%\system32e\services.exe
  • %windir%\system32e\TR07C.DLL

The trojan creates and runs a new thread with its own program code within the following processes:

  • smss.exe

Payload information

Win32/VB.OOB is a trojan that deletes files in specific folders. The trojan searches local drives for files with the following file extensions:

  • *.*

It avoids files which contain any of the following strings in their path:

  • %windir%
  • Local Setting
  • Application Data
  • Temp
  • RECYCLE
  • WINDOWS
  • Cookies
  • ntldr
  • NTLDR
  • .SYS
  • .sys
  • .BIN
  • .bin
  • .COM
  • .com
  • .BAT
  • .bat
  • .BAK
  • .bak
  • .db
  • .ini
  • .lnk
  • 0000
  • 0001
  • 0002
  • 0003
  • 0004
  • 0005
  • 0006
  • 0007
  • 0008
  • 0009
  • 000A
  • 000B
  • PJMA
  • PJMA_SD
  • .T-652D.PNG
  • .sts

When the trojan finds a file matching the search criteria, it creates a new file. The name and extension of the newly created file are derived from the original one, with an additional ".T-652D.PNG" extension appended. The new file is a JPEG image.

Some examples follow.

The size of the file is 21901 B or 305801 B.

The trojan then deletes the found files.
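The behaviour described in the Installation and Payload sections leaves two kinds of artifacts on disk: the dropped folders and files under %windir%, and replacement files carrying the appended ".T-652D.PNG" extension in place of the deleted originals. The following triage helper is an added example, not ESET's code; it assumes %windir% resolves to C:\WINDOWS unless told otherwise, and it assumes the original file name can be recovered by stripping only the appended extension, which is how the description reads.

```python
from typing import Dict, Iterable, List, Optional

# Indicators taken from the Win32/VB.OOB description: the extension appended
# to replacement files, and the folders and files dropped under %windir%.
APPENDED_EXT = ".T-652D.PNG"
DROPPED_DIRS = ("system32w", "system32e", "TR1")
DROPPED_FILES = (
    r"system32w\IOASAL.DLL", r"system32w\smss.GELGG",
    r"system32w\services.GELGG", r"system32w\winlogon.GELGG",
    r"system32e\services.exe", r"system32e\TR07C.DLL",
)

def _norm(p: str) -> str:
    # Windows paths are case-insensitive; accept either separator.
    return p.replace("/", "\\").rstrip("\\").lower()

def classify_path(path: str, windir: str = r"C:\WINDOWS") -> Optional[str]:
    """Label a path with the indicator it matches, or None if it matches none."""
    low, wd = _norm(path), _norm(windir)
    if low.endswith(APPENDED_EXT.lower()):
        return "replaced-file"          # victim file overwritten by the trojan
    if low.startswith(wd + "\\"):
        rel = low[len(wd) + 1:]
        if rel in (f.lower() for f in DROPPED_FILES):
            return "dropped-file"
        if rel in (d.lower() for d in DROPPED_DIRS):
            return "dropped-dir"
    return None

def original_name(path: str) -> str:
    """Recover the overwritten file's name by stripping the appended extension.
    Assumption: the name is derived by appending only, as the description reads."""
    if path.lower().endswith(APPENDED_EXT.lower()):
        return path[:-len(APPENDED_EXT)]
    return path

def scan_paths(paths: Iterable[str], windir: str = r"C:\WINDOWS") -> Dict[str, List[str]]:
    """Group a file listing (e.g. from os.walk over a mounted image) by indicator."""
    hits: Dict[str, List[str]] = {"replaced-file": [], "dropped-file": [], "dropped-dir": []}
    for p in paths:
        label = classify_path(p, windir)
        if label:
            hits[label].append(p)
    return hits

# Constructed sample listing, not a real capture.
SAMPLE = [r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\system32w\IOASAL.DLL",
          r"C:\WINDOWS\TR1", r"D:\photos\trip.jpg.T-652D.PNG"]
```

Because the exclusion list above means the trojan skips files already carrying ".T-652D.PNG", every such file found by `scan_paths` corresponds to one deleted original whose name `original_name` gives back for restoration from backup.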

Other information

The trojan may execute the following commands:

  • command.com /c ipconfig /all
  • command.com /c tracert www.google.co.jp
  • command.com /c tracert www.yahoo.co.jp
  • command.com /c tracert www.goo.ne.jp
