Home / malware Trojan.VB.DJ
First posted on 21 November 2011.
Source: BitDefenderAliases :
Trojan.VB.DJ is also known as Virus.Win32.VB.al, TR/VB.DJ, W32/BRONTOK.BN!worm.
Explanation :
When run, the virus create a copy of itself and places it into many places, like:
%WINDIR%system32ISASS.exe (for ex. C:WINNTsystem32ISASS.exe) %SYSTEMDRIVE%WINDOWSexplosex.exe (for ex. C:WINDOWSexplosex.exe) %SYSTEMDRIVE%WINDOWSPCHEALTHHELPCTRhkcmd.bat %SYSTEMDRIVE%WINDOWSsecuritykernel32.bat %SYSTEMDRIVE%WINDOWSsystem32.exe %ALLUSERSPROFILE%Start MenuProgramsStartupTemp.pif (for ex. C:Documents and SettingsAll UsersStart MenuProgramsStartupTemp.pif) %WINDIR%system32LNETINFO.exe %HOMEDRIVE%%HOMEPATH%My DocumentsMy PicturesMy Pictures.exe (for ex. C:Documents and SettingssoftwinMy DocumentsMy PicturesMy Pictures.exe) %HOMEDRIVE%%HOMEPATH%My DocumentsData VIRTUAL2000.exeThe virus modifies a set of system registry keys to restrict the posibilities of the user to detect its presence. The virus usually does the following steps:
removes the Run and Search options from the Start menu denies the use of the command shell (CMD.EXE) denies the use of Task Manager denies the use of the default registry editor (REGEDIT) disables the Folder Options under the Explorer | Tools menu setup several registry keys to enable automatic execution of the virus on system startupThe virus also displays from time-to-time a window with the following message:
"--Hentikan kebobrokan di negeri ini--
1.Penjarakan Koruptor,Penyelundup, Tukang Suap, & Bandar NARKOBA
(Send to: NUSAKAMBANGAN)
... [removed] ...
Babat.A
Terinspirasi oleh:
KIAMAT YANG SUDAH DEKAT
Fatek Unsrat, April'06
By_mr.4'5
ANDA SETUJU?"
If the user responds with YES, the message window closes. If the user answers with NO, then the system is restarted.
The virus will copy itself under many directories under the local drives, using different names. Also, when USB disks are plugged in, the virus quickly copies itself, usually under several names onto the disk.Last update 21 November 2011