
Backdoor:Win32/VBbot.V


First posted on 18 January 2010.
Source: SecurityHome

Aliases :

There are no other names known for Backdoor:Win32/VBbot.V.

Explanation :

Backdoor:Win32/VBbot.V is a backdoor trojan that allows unauthorized access and control of an affected computer.

Installation

When executed, Backdoor:Win32/VBbot.V adds itself to the Windows firewall authorized applications list by setting the following registry entry:

Sets value: "<malware file name>"
With data: "<malware file name>:*:Enabled:Adobe Update Manager"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Note: <malware file name> is the malware's file name at the time of execution, so the file name is variable. The display name "Adobe Update Manager" makes the firewall exception look like a legitimate Adobe component, so the value name, not the display name, is what to examine when reviewing this list.

The malware also sets the following registry entries to ensure that it executes at each Windows start:

Adds value: "Adobe Update Manager"
With data: "<malware file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Adds value: "Adobe Update Manager"
With data: "<malware file name>"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The malware may also set the following registry entries, appending its own file name to the Userinit value so that Winlogon launches it alongside userinit.exe at each interactive logon:

Sets value: "Userinit"
With data: "C:\WINDOWS\system32\userinit.exe,<malware file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Sets value: "Userinit"
With data: "C:\WINDOWS\system32\userinit.exe,<malware file name>"
To subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Payload

Allows backdoor access and control

Backdoor:Win32/VBbot.V allows unauthorized access and control of the affected computer. The malware may connect to one of the following hosts on the specified port, chosen from a list carried in its code:

  • google.homeunix.com:80
  • tyuqwer.dyndns.org:80
  • ymail.ath.cx:8585
  • voanews.ath.cx:8585

Note: all four are dynamic-DNS hostnames, so the IP addresses they resolve to can change at any time; detection and blocking should key on the hostnames rather than on addresses observed at analysis time.

Once connected, the malware can accept commands from a remote attacker to perform specific actions, including but not limited to the following:

  • Download files to the infected machine
  • Download and execute arbitrary files
  • Upload specific files from the infected machine
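The following triage script is an added example and is not part of the original write-up or of any vendor tool. It reads the registry locations listed above and flags the indicators the write-up describes: a Run value named "Adobe Update Manager" under HKLM or HKCU, a Userinit value carrying anything beyond userinit.exe, and a firewall authorized-application entry whose display name is "Adobe Update Manager" or whose path no longer exists on disk; it also looks for the four C2 hostnames in the DNS client cache where that cmdlet is available. Only the indicator strings and registry paths come from the text; the function name Add-Finding, the output format, and the assumption that legitimate Userinit data is a single "<drive>:\Windows\system32\userinit.exe" entry are this example's own.

```powershell
# Added example (not from the original write-up): read-only triage for the
# Backdoor:Win32/VBbot.V persistence artifacts. Run from an elevated prompt.
# Nothing is modified or removed; findings are collected and printed at the end.

$IndicatorName = 'Adobe Update Manager'   # value/display name used by the malware (from the write-up)
$C2Hosts = 'google.homeunix.com', 'tyuqwer.dyndns.org', 'ymail.ath.cx', 'voanews.ath.cx'

# Registry locations named in the write-up
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$FirewallList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

$Findings = New-Object System.Collections.Generic.List[object]

# Helper (this example's own): record one finding. $Findings is a reference type,
# so .Add() from inside the function mutates the list defined above.
function Add-Finding {
    param([string]$Location, [string]$Name, [string]$Data, [string]$Reason)
    $Findings.Add([pscustomobject]@{ Location = $Location; Name = $Name; Data = $Data; Reason = $Reason })
}

# Provider metadata that Get-ItemProperty attaches to every key; not real registry values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# 1. Run keys: flag a value whose NAME matches, whatever file it points at.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    if ($Props.PSObject.Properties.Name -contains $IndicatorName) {
        Add-Finding $Key $IndicatorName $Props.$IndicatorName 'Run value name matches the write-up'
    }
}

# 2. Winlogon Userinit: clean data is one entry, "C:\Windows\system32\userinit.exe," with a
#    trailing comma. Every extra comma-separated path is executed at logon as well.
#    (Assumption of this example: a %SystemRoot%-style path would also be flagged; review it manually.)
foreach ($Key in $WinlogonKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Userinit = (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).Userinit
    if ([string]::IsNullOrEmpty($Userinit)) { continue }   # HKCU normally has no Userinit value
    $Entries = $Userinit.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $Extra = @($Entries | Where-Object { $_ -notmatch '^[a-z]:\\windows\\system32\\userinit\.exe$' })
    if ($Extra.Count -gt 0) {
        Add-Finding $Key 'Userinit' $Userinit ("extra entries after userinit.exe: " + ($Extra -join '; '))
    }
}

# 3. Firewall authorized applications (XP/2003-era list). Value name = executable path,
#    data = "<path>:*:Enabled:<display name>". The display name is attacker-controlled,
#    so also flag entries whose executable path is missing from disk.
if (Test-Path $FirewallList) {
    $List = Get-ItemProperty -Path $FirewallList
    foreach ($P in $List.PSObject.Properties) {
        if ($PsMeta -contains $P.Name) { continue }
        $Parts = [string]$P.Value -split ':\*:'                       # "<path>" , "Enabled:<display name>"
        $DisplayName = if ($Parts.Count -ge 2) { ($Parts[1] -split ':', 2)[-1] } else { '' }
        if ($DisplayName -eq $IndicatorName) {
            Add-Finding $FirewallList $P.Name $P.Value 'firewall exception display name matches the write-up'
        } elseif (-not (Test-Path -LiteralPath $P.Name)) {
            Add-Finding $FirewallList $P.Name $P.Value 'authorized application path does not exist on disk'
        }
    }
}

# 4. DNS client cache (Windows 8 / Server 2012 and later only): recent resolution of a C2 name.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache | Where-Object { $C2Hosts -contains $_.Entry } | ForEach-Object {
        Add-Finding 'DNS client cache' $_.Entry $_.Data 'C2 hostname from the write-up'
    }
}

if ($Findings.Count -gt 0) {
    $Findings | Format-Table -AutoSize -Wrap
} else {
    'No Backdoor:Win32/VBbot.V persistence indicators found.'
}
```

A hit on the Run or Winlogon check should be confirmed by collecting the referenced file and its hash before any cleanup, since the malware's file name is variable and the registry data is the only pointer to it. An authorized-application entry with a missing path is a weak signal on its own (uninstalled software leaves the same residue) and is listed only to prompt a manual look.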


  • Analysis by Ray Roberts

    Last update 18 January 2010

     
