Win32/Vbolabot [Threat Name]

Win32/Vbolabot.A [Threat Variant Name]

Category trojan
Size 546304 B
Detection created Jan 28, 2014
Detection database version 9348
Aliases Trojan.Win32.Yakes.fgzt (Kaspersky)
  Trojan:Win32/Malagent!gmb (Microsoft)
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan collects information used to access certain sites.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\%variable%\%variable%.exe

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%.exe" = "%appdata%\%variable%\%variable%.exe"

The following file is dropped:

  • %appdata%\%variable%\%variable%.exe.manifest

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%appdata%\%variable%\%variable%.exe" = "%appdata%\%variable%\%variable%.exe":*:Enabled:%variable%

This Registry entry adds an exception for the trojan's executable to the Windows Firewall, so its network traffic is allowed through.
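The installation pattern above (a Run value whose name is the executable filename, pointing at %appdata%\<name>\<name>.exe, with a matching firewall exception and a dropped .exe.manifest beside it) can be correlated in a host triage script. The following is an added example, not code from the page or from ESET; the registry and file snapshots are constructed, and the function and value names are hypothetical:

```python
import re
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample registry values for this example (not taken from the page).
# SAMPLE_RUN_VALUES mirrors HKCU\...\CurrentVersion\Run (value name -> data);
# SAMPLE_FIREWALL_LIST mirrors ...\FirewallPolicy\StandardProfile\AuthorizedApplications\List.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "qxkzm.exe": r"%appdata%\qxkzm\qxkzm.exe",
    "Updater": r"C:\Program Files\Vendor\updater.exe",
}
SAMPLE_FIREWALL_LIST: Dict[str, str] = {
    r"%appdata%\qxkzm\qxkzm.exe": r"%appdata%\qxkzm\qxkzm.exe:*:Enabled:qxkzm",
    r"C:\Program Files\Vendor\updater.exe": r"C:\Program Files\Vendor\updater.exe:*:Enabled:Vendor Updater",
}
# Files present on disk in the constructed scenario (the dropped .exe.manifest sits beside the exe).
SAMPLE_FILES = {r"%appdata%\qxkzm\qxkzm.exe", r"%appdata%\qxkzm\qxkzm.exe.manifest"}

# <appdata>\<name>\<name>.exe: the folder name is repeated as the executable's stem.
# Accepts the literal %appdata% form as well as an expanded ...\AppData\Roaming path.
_PATTERN = re.compile(r"^(?:%appdata%|.*\\appdata\\roaming)\\([^\\]+)\\\1\.exe$")

class Finding(NamedTuple):
    run_value: str
    path: str
    firewall_exception: bool
    manifest_dropped: bool

def _norm(path: str) -> str:
    # Lower-case and strip surrounding quotes so registry and file spellings compare equal.
    return path.strip().strip('"').lower()

def find_vbolabot_persistence(run_values: Dict[str, str], firewall_list: Dict[str, str],
                              files_on_disk: Iterable[str] = ()) -> List[Finding]:
    """Flag Run entries matching the installation pattern and correlate firewall/manifest artefacts."""
    # Firewall list data is "<path>:*:Enabled:<label>"; keep only the path part.
    authorized = {_norm(data.split(":*:", 1)[0]) for data in firewall_list.values()}
    present = {_norm(f) for f in files_on_disk}
    findings: List[Finding] = []
    for name, data in run_values.items():
        path = _norm(data)
        match = _PATTERN.match(path)
        # In the described sample the Run value name equals the executable's filename.
        if match and name.lower() == f"{match.group(1)}.exe":
            findings.append(Finding(name, path, path in authorized, f"{path}.manifest" in present))
    return findings

if __name__ == "__main__":
    for finding in find_vbolabot_persistence(SAMPLE_RUN_VALUES, SAMPLE_FIREWALL_LIST, SAMPLE_FILES):
        print(finding)
```

On a live host the two dictionaries would be filled from the Run key and the StandardProfile AuthorizedApplications list, and files_on_disk from a directory listing of %appdata%; a finding with all three artefacts present is a strong match for this sample.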

Information stealing

Win32/Vbolabot.A is a trojan that steals passwords and other sensitive information.


The trojan collects the following information:

  • computer name
  • operating system version

The trojan collects information used to access certain sites.


The following keywords are monitored:

  • PayPal
  • Amazon

The trojan attempts to send gathered information to a remote machine.

Spreading

Win32/Vbolabot.A is a trojan that posts messages to user profiles on social networks.


The following social networking sites are affected:

  • Facebook

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (14) URLs. The HTTP protocol is used.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • capture screenshots
  • log keystrokes
  • set up a proxy server
  • show fake alerts
  • create posts on social networks
  • update itself to a newer version
  • send gathered information

The trojan can use the hardware resources of the infected computer for mining the Bitcoin digital currency.


The trojan terminates any program that creates a window containing any of the following strings in its name:

  • - Bitdefender
  • - PANDA SECURITY
  • | McAfee
  • | Norton Security
  • |Bitdefender
  • avast!
  • avast! Online
  • AVG -
  • ESET Online Scanner
  • Free Virus Scan
  • F-Secure -
  • Jottis Malw
  • Kaspersky Lab:
  • Malwarebytes
  • Online antivir
  • Online Virus Scan
  • slokadd.exe
  • VirSCAN.org
  • Virustotal
  • VirusTotal

The trojan can terminate the following processes:

  • WerFault.exe
