Win32/VB.RZA [Threat Name]

Win32/VB.RZA [Threat Variant Name]

Category: trojan
Size: 45056 B
Detection created: Jul 02, 2015
Detection database version: 11879
Aliases: Trojan-Dropper.Win32.Dapato.nvvl (Kaspersky), Variant.Graftor.196263 (BitDefender)
Short description

Win32/VB.RZA is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\WinKun\winkun.exe (45056 B)

The trojan executes the following command:

  • taskkill.exe /f /t /im winkun.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "bparse" = "%appdata%\WinKun\winkun.exe"

The trojan may create the following files:

  • %appdata%\WinKun\udata\%variable1%\%variable2%.dat

A string with variable content is used in place of %variable1% and %variable2%.
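As an added illustration (not part of the ESET entry), the following Python checker looks for the installation artifacts listed above in a `reg export` of the Run key, a file listing and process command lines. The sample inputs and the user name alice are constructed, and the checker flags any Run value that launches the dropped copy, not only one named bparse.

```python
import re
# Indicators quoted from the description above; %appdata% is matched by its
# usual expansion (...\AppData\Roaming) or unexpanded, so both forms hit.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_EXE = re.compile(r"\\WinKun\\winkun\.exe$", re.IGNORECASE)
UDATA_FILE = re.compile(r"\\WinKun\\udata\\[^\\]+\\[^\\]+\.dat$", re.IGNORECASE)
KILL_CMD = re.compile(r"\btaskkill(?:\.exe)?\s+/f\s+/t\s+/im\s+winkun\.exe\b", re.I)

def parse_reg_export(text):
    """Parse the subset of 'reg export' (.reg) syntax used here into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # .reg doubles backslashes and escapes quotes inside strings
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return keys

def check_run_key(reg):
    """Return (value name, command) for Run entries launching the dropped copy.
    Key lookup is case-insensitive because reg.exe writes 'Software' in mixed case."""
    run = next((v for k, v in reg.items() if k.lower() == RUN_KEY.lower()), {})
    return [(name, cmd) for name, cmd in run.items() if DROPPED_EXE.search(cmd)]

def scan_artifacts(file_paths, command_lines):
    """Flag the dropped executable, its udata .dat files and the taskkill command."""
    hits = [("file", p) for p in file_paths if DROPPED_EXE.search(p) or UDATA_FILE.search(p)]
    hits += [("command", c) for c in command_lines if KILL_CMD.search(c)]
    return hits

# Constructed sample input (not captured from a real host): .reg export, file list, command lines.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"bparse"="C:\\Users\\alice\\AppData\\Roaming\\WinKun\\winkun.exe"
'''
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\WinKun\winkun.exe",
    r"C:\Users\alice\AppData\Roaming\WinKun\udata\3f9a\1c22.dat",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
]
SAMPLE_CMDS = ["taskkill.exe /f /t /im winkun.exe", "taskkill /f /im notepad.exe"]

if __name__ == "__main__":
    for hit in check_run_key(parse_reg_export(SAMPLE_REG)) + scan_artifacts(SAMPLE_FILES, SAMPLE_CMDS):
        print(hit)
```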

Information stealing

The trojan collects information used to access certain sites.

The trojan opens the following URLs:

  • https://google.com/?q=%number%&num=100

A variable numerical value is used in place of %number%.

The following keywords are monitored:

  • /xmlrpc.php
  • /wp-login.php
  • wp-submit

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL. The HTTP protocol is used in the communication.
