Win64/Vabushky [Threat Name] go to Threat

Win64/Vabushky.A [Threat Variant Name]

Category trojan
Size 55808 B
Detection created Aug 12, 2013
Detection database version 8680
Aliases Trojan-Dropper.Win64.Vabushky.r (Kaspersky)
  Trojan:Win64/Alureon.L (Microsoft)
Short description

Win64/Vabushky.A is a trojan that encrypts files on local drives. The Win64/Vabushky.A can block access to operating system. The file is run-time compressed using MPRESS .


The trojan does not create any copies of itself.

The following files are dropped:

  • %temp%\­dll.dll
  • %windir%\­system32\­vBszKyhVp.dll
Information stealing

The trojan collects the following information:

  • specific file version
  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe
  • svchost.exe
  • winlogon.exe

To gain administrator access rights it attempts to exploit one of the following vulnerabilities:

  • CVE-2013-3660
  • CVE-2012-1864
  • CVE-2012-0217

The trojan contains a list of (5) URLs.

It tries to download several files from the addresses.

The files are stored in the following locations:

  • %windir%\­system32\­drivers\­vBszKyhV2.sys
  • %windir%\­system32\­vBszKyhV.dll
  • %windir%\­system32\­vBszKyhV1.exe
  • %windir%\­system32\­vBszKyhV2.exe
  • %windir%\­system32\­vBszKyhV.bmp

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­vBszKyhV]
    • "h" = %variable1%
    • "w" = %variable2%
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­vBszKyhV]
    • "id" = %variable3%
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­vBszKyhV2]
    • "Start" = 1
    • "Type" = 1
    • "ImagePath" = "%windir%\­system32\­drivers\­vBszKyhV2.sys"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Control\­safeboot\­minimal\­vBszKyhV2.sys]
    • "(Default)" = "driver"
  • [HKEY_LOCAL_MACHINESystem\­CurrentControlSet\­Control\­safeboot\­network\­vBszKyhV2.sys]
    • "(Default)" = "driver"
  • [HKEY_LOCAL_MACHINE\­System\­CurrentControlSet\­Services\­vBszKyhV]
    • "Type" = "window"

A string with variable content is used instead of %variable1-3% .

The trojan executes the following command:

  • %windir%\­system32\­cmd.exe /C bcdedit.exe /set testsigning on

The trojan hides the windows of certain running applications.

The trojan encrypts files on local disks.

Trojan receives public key used for encryption from a remote machine.

It avoids files which contain any of the following strings in their path:

  • %windir%
  • Program Files
  • ProgramFiles
  • %temp%

It avoids files with the following extensions:

  • .AVI
  • .WMV
  • .AAF
  • .3GP
  • .ASF
  • .AVCHD
  • .DSH
  • .FLV
  • .M1V
  • .M2V
  • .FLA
  • .FLR
  • .SOL
  • .M4V
  • .MKV
  • .WRAP
  • .MNG
  • .mov
  • .mpeg
  • .mpg
  • .mpe
  • .MP4
  • .MXF
  • .ROQ
  • .NSV
  • .Ogg
  • .RM
  • .SVI
  • .SMI
  • .SWF

The extension of the encrypted files is changed to:

  • .crypted

To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

The trojan blocks access to operating system.

Please enable Javascript to ensure correct displaying of this content and refresh this page.