| Malware name | Trojan.VB.aei |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 03F14BBAA5C8F52D354C1D5C86BE8005 |
| Static file | no |
| Filesize | 58,736 Bytes |

Alias names (also known as)

| Webwasher Proactive | Virus.Win32.FileInfector.gen |
| Sophos | Mal/Generic-A |
| McAfee | W32/Drowor |

Protection

| Webwasher Proactive | Database Version: 57 |

| Side effects | Drops files; Registry modification |
| Propagation | Mapped network drives |

Description:
Files
It copies itself to the following location:
• %drive%\%all subdirectories% .scr
The following files are created:
– Non-malicious files:
• %malware execution directory%\Autoexec.bat
• %drive%\Thumbs .db
– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%
Registry
The following registry keys are added:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
• "LegalNoticeCaption"="%random character string% - Surabaya"
• "LegalNoticeText"="Surabaya in my birthday Don't kill me, i'm just send message from your computer %random character string%"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
• "CheckedValue"=dword:00000002
• "DefaultValue"=dword:00000002
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
• "CheckedValue"=dword:00000000
• "DefaultValue"=dword:00000002
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
• "CheckedValue"=dword:00000001
• "UncheckedValue"=dword:00000001
• "DefaultValue"=dword:00000001
File details
Programming language:
The malware program was written in Visual Basic.