
Trojan:Win32/Vbot.R


First posted on 31 January 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Vbot.R is also known as Trojan-Dropper.Win32.Injector (Ikarus), Trojan-Dropper.Win32.Injector.bsee (Kaspersky), Infostealer.Banprox (Symantec), W32/Injector.CKU (Norman), Trojan.DR.Injector!mnRYTvdLJkk (VirusBuster), Luhe.Fiha.A (AVG), Trojan.Proxy.Agent.BCK (BitDefender), Win32/ProxyChanger.J trojan (ESET).

Explanation:

Trojan:Win32/VBot.R is a trojan that changes the browser's settings to redirect traffic from certain Brazilian websites. It can also download other files to the affected computer.





Installation

Trojan:Win32/VBot.R may arrive as an SCR file contained within a ZIP archive attached to spammed email messages. In the wild, it has been known to be contained within the following files:

  • Pai_flagra_filha.zip, containing Pai_flagra_filha.zip.scr
  • km_sutrinha_cearencinho.zip, containing km_sutrinha_cearencinho.zip.scr


When run, it drops the SCR file within the %AppData% folder, for example:

%AppData%\Pai_flagra_filha.zip.scr

It modifies the following registry entry to ensure that it executes at each Windows start:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "sbthost"
With data: "%AppData%\Pai_flagra_filha.zip.scr"
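The Run-key persistence above is the most reliable host artifact in this write-up. The following checker is an added example, not Microsoft's or malwarePDF's code: it flags HKCU Run values whose name is "sbthost" or whose data is a double-extension ".zip.scr" file under %AppData%, the two indicator forms given in the Installation section. The sample Run entries are constructed; on a Windows host it reads the live key instead.

```python
"""Flag HKCU Run entries matching the Trojan:Win32/VBot.R persistence pattern.
Added example (not the write-up's code). Indicators taken from the write-up:
value name "sbthost", data "%AppData%\\Pai_flagra_filha.zip.scr"."""
import re
import sys

KNOWN_VALUE_NAMES = {"sbthost"}
# A "*.zip.scr" double extension started from %AppData% (expanded or not).
SUSPICIOUS_PATH = re.compile(
    r'(?i)(%appdata%|\\appdata\\roaming)\\[^\\]+\.zip\.scr$')


def flag_run_entries(entries):
    """Return [(value_name, data, reason)] for suspicious Run entries."""
    hits = []
    for name, data in entries.items():
        path = data.strip().strip('"')
        if name.lower() in KNOWN_VALUE_NAMES:
            hits.append((name, data, "value name matches VBot.R indicator"))
        elif SUSPICIOUS_PATH.search(path):
            hits.append((name, data, ".zip.scr autostart under %AppData%"))
    return hits


def read_hkcu_run():
    """Collect HKCU\\...\\Run values on a live Windows host; {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name], i = str(data), i + 1
    return entries


# Constructed sample: one benign entry plus both indicator forms from the page.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "sbthost": r'"%AppData%\Pai_flagra_filha.zip.scr"',
    "updater": r'C:\Users\u\AppData\Roaming\km_sutrinha_cearencinho.zip.scr',
}

if __name__ == "__main__":
    for name, data, reason in flag_run_entries(read_hkcu_run() or SAMPLE_RUN):
        print(f"[!] {name} = {data}  ({reason})")
```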



Payload

Downloads arbitrary files

In the wild, Trojan:Win32/VBot.R has been observed to connect to the following servers to download additional files:

  • 188.<removed>.60.12 via port 8083
  • <removed>carros.com.br


At the time of this writing, the files are unavailable.

Redirects Internet traffic

Trojan:Win32/VBot.R redirects the browser through 188.<removed>.60.12 if it attempts to access any of the following domains:

  • www.bancohsbc.com.br
  • www.bancoreal.com.br
  • www.bancosantander.com.br
  • www.banespa.com.br
  • www.bradesco.com.br
  • www.bradescoprime.com.br
  • www.bradescoprivate.com.br
  • www.bradescoprivatebank.com.br
  • www.hsbc.com.br
  • www.real.com.br
  • www.santander.com.br
  • www.santanderbanespa.com.br
  • www.santanderempresarial.com.br

Additional Information

Trojan:Win32/VBot.R connects to the server "<removed>carros.com.br" to report its installation on the affected computer.



Analysis by Mihai Calota

Last update 31 January 2012
