Analysis by: Cris Nowell Pantanilla

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Due to errors in its code, this Trojan fails to perform its intended routine.

  TECHNICAL DETAILS

File size 49,152 bytes
File type PE
Memory resident Yes
Initial samples received on 07 Aug 2010

Installation

This Trojan drops the following copies of itself into the affected system:

  • {Drive}\Document and Settings\All Users\Application Data\autorun
  • {Drive}\Document and Settings\All Users\Application Data\svchost
  • {Drive}\Document and Settings\All Users\Application Data\explorer
  • {Drive}\Documents and Settings\All Users\Application Data\explorer
  • {Drive}\Documents and Settings\All Users\Application Data\svchost
  • {Drive}\Documents and Settings\All Users\Application Data\autorun

Other Details

It does the following:

  • It drops copies of itself in the current folder, naming each copy after a folder found in that directory or elsewhere on the current drive. It then sets the Hidden attribute on those folders, so that the user sees only the like-named copies and opens them in place of the folders.

However, due to errors in its code, it fails to perform its intended routine.

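The two artefacts described above, the fixed drop paths under All Users\Application Data and the folder-impersonation lure, can both be checked with a short triage script. The script below is an added example, not part of this advisory or of Trend Micro's tooling. The path names and the three file names (autorun, svchost, explorer) are taken from the lists above, and both spellings of the Documents and Settings path are checked because both are listed; the function names, the sample directory layout (constructed here, not a real infection) and the 64-byte stand-in files are this example's own assumptions. The Hidden-attribute check reads the Win32 file attributes and therefore reports a value only on Windows; on other hosts it reports None.

```python
import hashlib
import tempfile
from pathlib import Path

# Drop paths taken from the advisory. Both spellings are checked because the
# advisory lists both "Documents and Settings" and "Document and Settings".
DROP_NAMES = ("autorun", "svchost", "explorer")
DROP_PARENTS = (
    Path("Documents and Settings") / "All Users" / "Application Data",
    Path("Document and Settings") / "All Users" / "Application Data",
)
FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 constant


def is_hidden(path):
    """Windows Hidden attribute of path: True/False on Windows, None elsewhere
    (st_file_attributes only exists on Windows)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_copies(drive_root):
    """Return the advisory's drop locations under drive_root that exist as files."""
    root = Path(drive_root)
    hits = []
    for parent in DROP_PARENTS:
        for name in DROP_NAMES:
            candidate = root / parent / name
            if candidate.is_file():
                hits.append({"path": str(candidate),
                             "size": candidate.stat().st_size,
                             "sha256": sha256_of(candidate)})
    return hits


def find_folder_impersonators(directory):
    """Flag files whose base name (extension stripped) matches a sibling folder.
    With extensions hidden in Explorer, "Photos.exe" next to a hidden "Photos"
    folder looks like the folder itself, which is the lure described above."""
    d = Path(directory)
    folders = {p.name.lower(): p for p in d.iterdir() if p.is_dir()}
    hits = []
    for p in sorted(d.iterdir()):
        if not p.is_file():
            continue
        twin = folders.get(p.stem.lower())
        if twin is not None:
            hits.append({"file": p.name, "folder": twin.name,
                         "folder_hidden": is_hidden(twin),
                         "size": p.stat().st_size})
    return hits


def build_fixture(base):
    """Constructed layout (not a real sample) used by run_demo below (assumption)."""
    base = Path(base)
    stub = b"MZ" + b"\0" * 62  # 64-byte stand-in for the 49,152-byte PE
    appdata = base / "Documents and Settings" / "All Users" / "Application Data"
    appdata.mkdir(parents=True, exist_ok=True)
    (appdata / "svchost").write_bytes(stub)
    share = base / "share"
    for folder in ("Photos", "Music", "Work"):
        (share / folder).mkdir(parents=True, exist_ok=True)
    (share / "Photos.exe").write_bytes(stub)   # impersonates the Photos folder
    (share / "Music.scr").write_bytes(stub)    # impersonates the Music folder
    (share / "readme.txt").write_bytes(b"not an impersonator")
    return base


def run_demo(base=None):
    """Build the fixture in a scratch directory and run both checks."""
    base = build_fixture(base or tempfile.mkdtemp(prefix="troj_vb_joy_"))
    return {"dropped": find_dropped_copies(base),
            "impersonators": find_folder_impersonators(base / "share")}


if __name__ == "__main__":
    for kind, rows in run_demo().items():
        print(kind)
        for row in rows:
            print("  ", row)
```

On a real host, call find_dropped_copies with each drive root (for example "C:\\") and find_folder_impersonators on the folders a user actually browses (removable drives, shared folders); a match on a file whose like-named folder also carries the Hidden attribute is the strongest signal, and the hash lets the file be compared against the scanner's detection rather than deleted on name alone.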

  SOLUTION

Minimum scan engine 8.900
VSAPI pattern file 7.493.00
VSAPI pattern release date 07 Aug 2010

Step 1

Scan your computer with your Trend Micro product to delete files detected as TROJ_VB.JOY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
