Trojan:Win32/VB.DE modifies system settings and displays false spyware detection warnings to affected users. It is installed by TrojanDropper:Win32/VB.BE. The trojan also uses a BHO (Browser Helper Object) component, detected as Trojan:Win32/VB.DE.dll.
Installation
After being installed by TrojanDropper:Win32/VB.BE, this trojan modifies the registry to ensure that its executable is run at each Windows start:
- Adds value: "Userinit"
With data: v,<system folder>\userinit.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Adds value: "Userinit"
With data: "<system folder>\<random 8 letters>.exe,<system folder>\userinit.exe"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
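One way to check a Winlogon "Userinit" value for the change described above. This is an added example, not part of the original write-up: it flags any entry other than the legitimate userinit.exe and rates an 8-letter .exe in the system folder highest. The function names, the default system folder, the severity labels and the sample values are assumptions made for illustration.

```python
import ntpath
import re

SYSTEM_FOLDER = r"C:\Windows\System32"  # assumption: default install path
# Pattern from the description: <system folder>\<random 8 letters>.exe
RANDOM_8_LETTERS = re.compile(r"[a-z]{8}\.exe")


def split_userinit(data):
    """Split a comma-separated Userinit value into normalized, lowercased paths."""
    paths = []
    for raw in data.split(","):
        item = raw.strip().strip('"').strip()
        if item:  # the stock value ends with a trailing comma
            paths.append(ntpath.normcase(ntpath.normpath(item)))
    return paths


def audit_userinit(hive, data, system_folder=SYSTEM_FOLDER):
    """Return (severity, message) findings for one Winlogon Userinit value."""
    sysdir = ntpath.normcase(ntpath.normpath(system_folder))
    expected = ntpath.join(sysdir, "userinit.exe")
    findings = []
    # Assumption: stock Windows sets Userinit only under HKLM; the trojan adds HKCU too.
    if hive.upper() in ("HKCU", "HKEY_CURRENT_USER"):
        findings.append(("review", "Userinit value present under HKCU Winlogon"))
    paths = split_userinit(data)
    for path in paths:
        if path == expected:
            continue  # the legitimate binary (also 8 letters, so checked first)
        folder, name = ntpath.split(path)
        if folder == sysdir and RANDOM_8_LETTERS.fullmatch(name):
            findings.append(("high", "8-letter .exe in system folder: " + path))
        else:
            findings.append(("review", "unexpected Userinit entry: " + path))
    if expected not in paths:
        findings.append(("review", "userinit.exe missing from Userinit value"))
    return findings


if __name__ == "__main__":
    # Constructed sample values; "qwhzkepd" is a made-up 8-letter name.
    samples = [
        ("HKLM", r"C:\Windows\system32\userinit.exe,"),
        ("HKLM", r'"C:\Windows\system32\qwhzkepd.exe,C:\Windows\system32\userinit.exe"'),
        ("HKCU", r"C:\Windows\system32\userinit.exe"),
    ]
    for hive, data in samples:
        print(hive, data, audit_userinit(hive, data))
```

The functions take the value data as a string, so they can be fed from a registry export or an endpoint inventory as well as from a live query.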
Payload
Displays False and Misleading Messages
The trojan creates a series of files that masquerade as spyware infections. For example:
- %program_files%\3721\helper.dll
- %program_files%\3721\assist\asbar.dll
- %windir%\pbar.dll
- %program_files%\akl\unsetup.exe
- %program_files%\p2pnetworks\amp2pl.exe
Note: These files are harmless.
Modifies System Settings
The trojan changes the user's background by creating the following files:
- <application data>\microsoft\internet explorer\desktop.htt
- %windir%\default.htm
and then modifying the following registry entries:
- Sets value: "BackupWallpaper"
With data: "%systemroot%\web\wallpaper\bliss.bmp"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General
- Sets value: "DeskHtmlVersion"
With data: "272"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components
- Sets value: "Source"
With data: "about:home"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0
Modifies Browser Behavior
The BHO component, Trojan:Win32/VB.DE.dll, redirects user searches that either contain the following strings:
or where the result is directed to the following domains:
Downloads Arbitrary Files
This trojan may also download files and instructions from http://liveupdatesnet.com.