
Trojan.VBS.TPT


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.VBS.TPT is also known as Worm.VBS.

Explanation:

This is a script written in Visual Basic Script (VBS), which is run by "wscript.exe", the script host that ships with the OS. The virus behaves like a worm.

First it deletes any files or folders that have the same path as the future worm files (detailed later on). It has a function that hides files from the user's view by setting the "hidden" attribute on them; it applies this to the original file that the user executed.

It then copies itself into an operating system path ("Windows\system32") under the name ".vbs". After that it creates these files:

"%System32%.reg", with the contents below, which it then imports into the registry using regedit.exe:

Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

Setting this value to 0 hides protected operating system files from the user while browsing the contents of the hard disk.

"%System32%.uce", which looks like an ordinary "autorun.inf" (the file found in the root of a removable storage device); the worm uses it to execute itself and spread the infection to other computers:

forgiveme
[autorun]
open=wscript.exe information.vbs
shell\open\Command=wscript.exe information.vbs
shell\find\Command=wscript.exe information.vbs
shell\open\default=1
"%System32%.pif", which stores the date on which the infection occurred.

"%System32%.vbs", which is a copy of the malware, hidden from the user.

It infects removable devices by copying the file "%System32%.uce" to the root of the device under the name "autorun.inf", together with the original script under the name "information.vbs". Afterwards it checks that the current autorun.inf starts with the text "forgiveme"; in the same way it checks the integrity of the script, whose first line must be the text "'xiao1".

It downloads files from the following site: http://?xx3.cn/ and saves them into the temp folder under the name ".pif", then executes them as ".pif.exe".

It registers itself and the downloaded files as Windows scheduled tasks so that they run at a specific time relative to the time of infection.

It sets this registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run with the value name "Explorer", which runs the malware at startup.
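The two artefacts described above (the "forgiveme" autorun.inf that launches a .vbs through wscript.exe, and the .reg file that zeroes ShowSuperHidden) can be checked for offline. The following is an added example, not part of the original writeup; it parses constructed sample text built from the descriptions on this page, and the function names are the author's own.

```python
import re

# Constructed sample: the autorun.inf body the writeup describes (marker line + wscript launcher).
SAMPLE_AUTORUN = """forgiveme
[autorun]
open=wscript.exe information.vbs
shell\\open\\Command=wscript.exe information.vbs
shell\\find\\Command=wscript.exe information.vbs
shell\\open\\default=1
"""

# Constructed sample: the .reg fragment the writeup describes (ShowSuperHidden forced to 0).
SAMPLE_REG = """Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"ShowSuperHidden"=dword:00000000
"""

# Matches "open=" or any "shell\...=" key whose command runs a .vbs via wscript/cscript.
SCRIPT_HOST = re.compile(
    r"^\s*(open|shell\\[^=\r\n]*)=\s*[wc]script\.exe\s+(\S+\.vbs)", re.I | re.M)


def autorun_findings(text):
    """Return indicator strings found in an autorun.inf body (empty list if clean)."""
    findings = []
    lines = text.splitlines()
    # The worm verifies its own autorun.inf by requiring "forgiveme" on the first line.
    if lines and lines[0].strip().lower() == "forgiveme":
        findings.append("marker:forgiveme")
    for m in SCRIPT_HOST.finditer(text):
        findings.append(f"launch:{m.group(1).lower()}->{m.group(2).lower()}")
    return findings


def reg_hides_superhidden(text):
    """True if a .reg export sets Explorer\\Advanced\\ShowSuperHidden to 0."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
        elif current_key and current_key.endswith(r"\explorer\advanced"):
            if re.match(r'"showsuperhidden"=dword:0+$', line, re.I):
                return True
    return False


if __name__ == "__main__":
    print(autorun_findings(SAMPLE_AUTORUN))
    print(reg_hides_superhidden(SAMPLE_REG))
```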

Last update 21 November 2011
