TROJ_VB.FPW

Malware type: Trojan

Aliases: Trojan-Spy.Win32.VB.lh (Kaspersky), TrojanDropper:Win32/VB (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Damage potential: Medium

Distribution potential: Low

Description: 

A Trojan horse program is malware that cannot spread to other systems on its own. Trojans are usually downloaded from the Internet and installed by unsuspecting users.

Trojans typically carry payloads or other malicious actions that can range from the mildly annoying to the irreparably destructive. They may also modify system settings to automatically start. Restoring affected systems may require procedures other than scanning with an antivirus program.

Description created: Oct. 27, 2008 11:10:44 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: No

Size of malware: 57,344 Bytes

Initial samples received on: Oct 19, 2008

Payload 1: Drops files

Payload 2: Downloads files

Details:

Installation

This Trojan drops the following file(s):

  • %Desktop%\INTERNET EXPLORER.LNK - opens the Web site http://www.{BLOCKED}m.com/?{random characters}_{current date when executed}
  • C:\comine.exe or MyIE.exe or SCVSHTO.exe or KMPlayir.exe - also detected as TROJ_VB.FPW
  • C:\text.txt - non-malicious
  • C:\toskngr.exe or notepod.exe or notoped.exe or Kuwoi.exe - TROJ_STARTPA.SQ

(Note: %Desktop% is the current user's desktop, which is usually C:\Windows\Profiles\{user name}\Desktop on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Desktop on Windows NT, and C:\Documents and Settings\{User Name}\Desktop on Windows 2000, XP, and Server 2003.)

Autostart Techniques

This Trojan creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Bitocmet = "C:\KMPlayir.exe"
cimone = "C:\comine.exe"
gmail = "c:\toskngr.exe"
msdtcc = "C:\notepod.exe"
MyIE = "C:\MyIE.exe"
pagofile = "c:\notoped.exe"
SCVSHTO = "C:\SCVSHTO.exe"
UUSeei = "c:\Kuwoi.exe"

Other System Modifications

This Trojan creates the following registry entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Explorer\HideDesktopIcons\ClassicStartMenu
{871C5380-42A0-1069-A2EA-08002B30309D} = "1"

Internet Explorer Home Page and Search Page Modification

This Trojan modifies the Internet Explorer search page to point to the following Web site:

  • http://www.{BLOCKED}com/?29_20081006

Other Details

This Trojan creates the following mutex(es) to ensure that only one instance of itself is running in memory:

  • dsl_rundll_mutex

It connects to the following possibly malicious URL:

  • http://gp.{BLOCKED}m.com/ete.htm
  • http://www.{BLOCKED}m.com
  • http://www.{BLOCKED}.m.com/sogou.htm
  • http://www.{BLOCKED}0..com/
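The following read-only triage script checks a host for the indicators documented above: the Run values, the HideDesktopIcons entry (the CLSID is that of the Internet Explorer desktop icon, which the dropped INTERNET EXPLORER.LNK impersonates), the dropped files and the mutex. It is an added example, not a Trend Micro tool; it assumes an elevated PowerShell session on the suspect Windows host and only reports, it removes nothing.

```powershell
# Added triage check for the TROJ_VB.FPW indicators documented in this report.
# Read-only: it reports matches and deletes nothing. Run in an elevated PowerShell session.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{
    'Bitocmet' = 'C:\KMPlayir.exe'; 'cimone'   = 'C:\comine.exe'
    'gmail'    = 'c:\toskngr.exe';  'msdtcc'   = 'C:\notepod.exe'
    'MyIE'     = 'C:\MyIE.exe';     'pagofile' = 'c:\notoped.exe'
    'SCVSHTO'  = 'C:\SCVSHTO.exe';  'UUSeei'   = 'c:\Kuwoi.exe'
}
$hideKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu'
$hideValue = '{871C5380-42A0-1069-A2EA-08002B30309D}'   # CLSID of the Internet Explorer desktop icon
$dropped   = @('C:\comine.exe', 'C:\MyIE.exe', 'C:\SCVSHTO.exe', 'C:\KMPlayir.exe', 'C:\text.txt',
               'C:\toskngr.exe', 'C:\notepod.exe', 'C:\notoped.exe', 'C:\Kuwoi.exe',
               (Join-Path ([Environment]::GetFolderPath('Desktop')) 'INTERNET EXPLORER.LNK'))
$mutexName = 'dsl_rundll_mutex'
$findings  = @()

# Autostart entries: flag the value name, and note whether the data is the exact path from the report.
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $runValues.Keys) {
        $prop = $run.PSObject.Properties[$name]
        if ($prop) {
            $kind = if ($prop.Value -ieq $runValues[$name]) { 'exact' } else { 'name only' }
            $findings += "Run value $name = '$($prop.Value)' ($kind match)"
        }
    }
}

# The entry that hides the real Internet Explorer icon so the dropped shortcut takes its place.
if (Test-Path $hideKey) {
    $prop = (Get-ItemProperty -Path $hideKey).PSObject.Properties[$hideValue]
    if ($prop -and "$($prop.Value)" -eq '1') { $findings += "HideDesktopIcons $hideValue = 1" }
}

# Dropped files, including the fake desktop shortcut.
foreach ($f in $dropped) { if (Test-Path -LiteralPath $f) { $findings += "File present: $f" } }

# Mutex: present only while an instance of the trojan is running.
$m = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$m)) { $findings += "Mutex $mutexName exists (trojan running)"; $m.Dispose() }
} catch [System.UnauthorizedAccessException] {
    $findings += "Mutex $mutexName exists but is not accessible (trojan running under another account)"
}

if ($findings.Count -eq 0) { 'No TROJ_VB.FPW indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

A "name only" match means the Run value name from the report is present but points elsewhere, which still merits a look since the file names vary between samples.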

Analysis By: Karl Dominguez

Revision History:

First pattern file version: 5.634.14
First pattern file release date: Nov 03, 2008

SOLUTION


Minimum scan engine version needed: 8.500

Pattern file needed: 5.945.00

Pattern release date: Apr 5, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Restarting in Safe Mode

This malware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Removing Autostart Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    • Bitocmet = "C:\KMPlayir.exe"
    • cimone = "C:\comine.exe"
    • gmail = "c:\toskngr.exe"
    • msdtcc = "C:\notepod.exe"
    • MyIE = "C:\MyIE.exe"
    • pagofile = "c:\notoped.exe"
    • SCVSHTO = "C:\SCVSHTO.exe"
    • UUSeei = "c:\Kuwoi.exe"
  4. Close Registry Editor.

Removing Other Malware Entries from the Registry

This solution deletes/modifies registry keys/entries added/modified by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_CURRENT_USER>SOFTWARE>MICROSOFT>Windows>CURRENTVERSION>Explorer>HideDesktopIcons>ClassicStartMenu
  3. In the right panel, locate and delete the entry:
    • {871C5380-42A0-1069-A2EA-08002B30309D} = "1"
  4. Close Registry Editor.

Resetting Internet Explorer Home Page and Search Page

This procedure restores the Internet Explorer home page and search page to the default settings.

  1. Close all Internet Explorer windows.
  2. Open Control Panel. Click Start>Settings>Control Panel.
  3. Double-click the Internet Options icon.
  4. In the Internet Properties window, click the Programs tab.
    (Note: If you are running Internet Explorer 7 (IE7), click the Advanced tab.)
  5. Click the Reset Web Settings... button.
    (Note: On IE7, click the Reset... button. Note that by doing this, you are resetting IE back to its default settings.)
  6. Select Also reset my home page. Click Yes.
  7. Click OK.

Deleting the Malware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type:
    • %Desktop%\INTERNET EXPLORER.LNK
  3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.
  5. Repeat steps 2-4 for the following file(s):
    • C:\text.txt

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as TROJ_VB.FPW and TROJ_STARTPA.SQ. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
