Trojan-Downloader.Win32.VB.pqr

by alexander.adamov on May 7th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan-Downloader
Size: 40960 bytes
Language: Visual Basic
MD5: D71CE1F34931F75AC72B1C9916340C4F
SHA1: D2624E9410349646C04C5B9B6191EB2A555113DC

Summary

Trojan-Downloader.Win32.VB.pqr is a Trojan program which downloads other malicious programs from the Internet without the user's knowledge or consent and launches them for execution.

Technical Details

Payload

Once launched, the Trojan attempts to connect to the following URL (note the non-standard port):

http://updates01.wiggy.me:23345/a/

The URL did not respond when this description was written.

The response the Trojan expects contains a list of files to download.

The Trojan saves the downloaded files under the following names:

%UserProfile%\start1.exe

%UserProfile%\<digits>sf.exe

The Trojan launches the downloaded files for execution.

To keep track of its own execution, the Trojan records the current date in the registry. The key is the location Visual Basic's SaveSetting function writes to:

[HKCU\Software\VB and VBA Program Settings\q\q]

"q"="DD.MM.YYYY"

The Trojan then deletes its own executable file.

Removal Recommendations

  1. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user's computer).
  2. Delete the registry key (How to Work with System Registry):

     [HKCU\Software\VB and VBA Program Settings\q\q]

  3. Delete the following files:

     %UserProfile%\start1.exe
     %UserProfile%\<digits>sf.exe

  4. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).
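The following script is an added example, not part of the original description. It turns the indicators listed above (sample hashes, download URL, dropped file names, registry run marker) into checks a responder can run: a hash match for the dropper, a name check for the payloads the Removal Recommendations tell you to delete, a registry-marker check, and a scan of proxy log lines for requests to the download server. The log format and log lines are constructed for the demo; the reading of "<digits>sf.exe" as one or more decimal digits is an assumption.

```python
"""IOC checks for Trojan-Downloader.Win32.VB.pqr, built from the description above.
Sample log lines are constructed; the dropper's response format is not known and
is deliberately not parsed here."""
import hashlib
import ntpath
import os
import re
import sys
from urllib.parse import urlparse

# Dropper sample as catalogued in the description.
SAMPLE_MD5 = "d71ce1f34931f75ac72b1c9916340c4f"
SAMPLE_SHA1 = "d2624e9410349646c04c5b9b6191eb2a555113dc"
SAMPLE_SIZE = 40960

# Download server the dropper contacts (non-standard port is the useful signal).
C2_HOST = "updates01.wiggy.me"
C2_PORT = 23345

# Names the payloads are written under, directly in %UserProfile%.
# Assumption: "<digits>sf.exe" means one or more decimal digits followed by "sf.exe".
DROPPED_NAME_RE = re.compile(r"^(start1|\d+sf)\.exe$", re.IGNORECASE)

# Run marker: VB SaveSetting("q", "q", "q", <date>) writes this key/value.
MARKER_KEY = r"Software\VB and VBA Program Settings\q\q"
MARKER_VALUE = "q"
MARKER_DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")  # DD.MM.YYYY


def hash_matches(data: bytes) -> bool:
    """True only if size, MD5 and SHA1 all match the catalogued dropper."""
    return (len(data) == SAMPLE_SIZE
            and hashlib.md5(data).hexdigest() == SAMPLE_MD5
            and hashlib.sha1(data).hexdigest() == SAMPLE_SHA1)


def is_dropped_payload(path: str) -> bool:
    """True if the file name is one the downloader uses for its payloads."""
    return DROPPED_NAME_RE.match(ntpath.basename(path)) is not None


def is_run_marker(value_name: str, value_data: str) -> bool:
    """True if a registry value looks like the Trojan's date stamp."""
    return value_name == MARKER_VALUE and MARKER_DATE_RE.match(value_data) is not None


def flag_c2_requests(log_lines):
    """Return (client, url) for proxy log lines that reach the download server.

    Constructed Squid-style format: "<ts> <ms> <client> <status> <bytes> <method> <url> ...".
    CONNECT entries carry a bare "host:port", so a scheme is prepended before parsing.
    """
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, url = parts[2], parts[6]
        parsed = urlparse(url if "://" in url else "http://" + url)
        if parsed.hostname == C2_HOST and parsed.port == C2_PORT:
            hits.append((client, url))
    return hits


def scan_local_host():
    """List dropped payloads in %UserProfile% and the HKCU run marker (Windows only)."""
    findings = []
    profile = os.environ.get("USERPROFILE")
    if profile and os.path.isdir(profile):
        for name in os.listdir(profile):
            if is_dropped_payload(name):
                findings.append(("file", os.path.join(profile, name)))
    if sys.platform == "win32":
        import winreg
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_KEY) as key:
                data, _ = winreg.QueryValueEx(key, MARKER_VALUE)
                if is_run_marker(MARKER_VALUE, str(data)):
                    findings.append(("registry", f"HKCU\\{MARKER_KEY}\\{MARKER_VALUE}={data}"))
        except OSError:
            pass  # key absent: no marker on this host
    return findings


# Constructed proxy log lines (RFC 5737 documentation addresses, not real infrastructure).
SAMPLE_LOG = [
    "1336377600.123 45 10.0.0.5 TCP_MISS/200 512 GET http://updates01.wiggy.me:23345/a/ - HIER_DIRECT/203.0.113.7 text/plain",
    "1336377601.456 30 10.0.0.5 TCP_MISS/200 4096 GET http://example.com/index.html - HIER_DIRECT/203.0.113.8 text/html",
    "1336377602.789 12 10.0.0.9 TCP_TUNNEL/200 0 CONNECT updates01.wiggy.me:23345 - HIER_DIRECT/203.0.113.7 -",
]

if __name__ == "__main__":
    for client, url in flag_c2_requests(SAMPLE_LOG):
        print(f"C2 contact from {client}: {url}")
    for kind, item in scan_local_host():
        print(f"{kind}: {item}")
```

The host scan only reports; confirm each finding before deleting, since a legitimately named file could in principle match the pattern, and note that the self-deleting dropper itself will usually be gone by the time the run marker is present.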