TR/Spy.VB.QU - Trojan

See also

Summary

Full description

Statistics

Virus:	TR/Spy.VB.QU
Date discovered:	13/03/2007
Type:	Trojan
In the wild:	Yes
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	No
File size:	189.692 Bytes
IVDF version:	6.38.00.48 - Tue, 13 Mar 2007 15:27 (GMT+1)

General Method of propagation:
   • No own spreading routine

Aliases:
   • Symantec: W32.SillyFDC
   • Mcafee: BackDoor-AKZ
   • Kaspersky: Trojan-Spy.Win32.VB.qu
   • TrendMicro: WORM_VB.CVY
   • F-Secure: Trojan:W32/Agent.AHC
   • Panda: Bck/Amitis.J
   • Eset: Win32/Spy.VB.QU trojan
   • Bitdefender: Trojan.Mailspam.J

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops files
   • Uses its own Email engine
   • Lowers security settings
   • Registry modification
   • Steals information

Files It copies itself to the following locations:
   • %TEMPDIR%\31550.exe
   • %SYSDIR%\odbcasvc.exe

Archiving:
It creates archives and stores files in them.

The following directory is searched:
   • %home%\Application Data\Microsoft\Office\Recent\

The following file type is payed attention to:
   • .doc

The archives filename is the following:
   • %TEMPDIR%\%current date%_%current time%.uha

The following files are created:

– Non malicious files:
   • %SYSDIR%\uha.exe
   • %SYSDIR%\mswinsck.ocx

– Temporary files that might be deleted afterwards:
   • %TEMPDIR%\attachment%current date%_%current time%.tmp
   • %TEMPDIR%\mail.tmp

Registry The following registry keys are added in order to load the service after reboot:

– HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc
   • "Type"=dword:00000010
   • "Start"=dword:00000002
   • "ErrorControl"=dword:00000001
   • "ImagePath"=%SYSDIR%\odbcasvc.exe
   • "DisplayName"="ODBC Administration Service"
   • "ObjectName"="LocalSystem"
   • "Description"="Microsoft Data Access - ODBC Administration Service"

– HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc\Security
   • Security"=%hex values%

– HKLM\SYSTEM\CurrentControlSet\Services\odbcasvc\Enum
   • "0"="Root\\LEGACY_ODBCASVC\\0000"
   • "Count"=dword:00000001
   • "NextInstance"=dword:00000001

The following registry keys are added:

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC
   • "NextInstance"=dword:00000001

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000
   • "Service"="odbcasvc"
   • "Legacy"=dword:00000001
   • "ConfigFlags"=dword:00000000
   • "Class"="LegacyDriver"
   • "ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
   • "DeviceDesc"="ODBC Administration Service"

– HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ODBCASVC\0000\
   Control
   • "*NewlyCreated*"=dword:00000000
   • "ActiveService"="odbcasvc"

The following registry key is changed:

Various Explorer settings:
– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   Old value:
   • "NoDriveTypeAutoRun"=dword:0000009d
   New value:
   • "NoDriveTypeAutoRun"=dword:00000091

Email It doesn't have its own spreading routine but it has the ability to send an email. It is most likely that the receiver is the author. The characteristics are described below:

From:
The sender of the email is the following:
   • esmtp01@tom.com

To:
The recipient of the email is the following:
   • esmtp01@tom.com

Subject:
The following:
   • Spider%number%[%computer name%\%current
      username%]

Attachment:
The filename of the attachment is:
   • %current date%_%current time%.uha

The attachment is a copy of the created file: %TEMPDIR%\%current date%_%current time%.uha

File details Programming language:
The malware program was written in Visual Basic.
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Alexander Neth on Fri, 25 Jul 2008 08:28 (GMT+1)
Description updated by Andrei Gherman on Fri, 01 Aug 2008 14:34 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back