
Trojan:Win32/VB.IP


First posted on 04 February 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/VB.IP.

Explanation :

Trojan:Win32/VB.IP is a trojan that may inject malicious code into a legitimate Windows process.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %user profile%\winlogon.exe
  • The presence of the following registry modifications:
    Added value: "Windows Logon Applicationedc"
    With data: "%user profile%\winlogon.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run



    Installation
    Trojan:Win32/VB.IP drops a copy of itself as the file "%user profile%\winlogon.exe". It also modifies the system registry so that its dropped copy runs every time Windows starts:

    Adds value: "Windows Logon Applicationedc"
    With data: "%user profile%\winlogon.exe"
    To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    It may also create the following registry entry:

    Adds value: "x"
    With data: "x"
    To subkey: HKCU\Software\VB and VBA Program Settings mx
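
One way to hunt for the persistence described above, a Run value whose data points at a winlogon.exe outside the system directory (added example, not part of the original write-up). The sample `reg query` output, the user name, the list of system binary names and the C:\Windows install path are assumptions.

```python
import ntpath
import re

# Binaries that normally exist only under the system directory (illustrative, not exhaustive).
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Assumption: Windows is installed in C:\Windows.
ENV = {"systemroot": r"C:\Windows", "windir": r"C:\Windows"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# A value line of `reg query` output: name, type and data separated by four spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def image_path(data):
    """Return the executable path from Run-value data (quoted or bare, arguments dropped)."""
    data = re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), data.strip())
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    bare = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return bare.group(1) if bare else data

def masquerading_run_values(reg_query_output):
    """List (value name, path) pairs whose file name imitates a system binary."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        path = ntpath.normpath(image_path(m.group("data")))
        directory, base = ntpath.split(path.lower())
        if base in SYSTEM_BINARIES and directory not in TRUSTED_DIRS:
            hits.append((m.group("name"), path))
    return hits

# Constructed sample of `reg query` output; the user name and the other entries are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Logon Applicationedc    REG_SZ    C:\Documents and Settings\alice\winlogon.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\update.exe" /silent
    SysTool    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k demo
"""

if __name__ == "__main__":
    for name, path in masquerading_run_values(SAMPLE):
        print(f"suspicious Run value {name!r} -> {path}")
```

The check keys on the file name and location rather than the value name, so it also catches a renamed Run value that still launches a look-alike system binary from a user-writable directory.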

    Payload
    Injects Malicious Code
    Trojan:Win32/VB.IP may inject malicious code into the "svchost.exe" process.

    Analysis by Francis Allan Tan Seng

    Last update 04 February 2009

     
