Short description
Win32/TrojanDropper.VB.NPT is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
- C:\WINDOWS\system32\%filename%.exe
A string with variable content is used instead of %filename%.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunmeAtStartup" = "C:\WINDOWS\system32\%filename%.exe"
The trojan creates the following files:
- %temp%\svchost.exe (55577 B, Win32/AntiAV.NGX)
- C:\rec.bat
The files are then executed.
Other information
The trojan quits immediately if it detects a running process containing one of the following strings in its name:
- editor
- ethereal
- c32asm
- hex
- hiew
- ollyice
- peid
- sniff
- ultraEdit
- vmusrvc
- vmware
- VMwareTray.exe
- w32dasm
The trojan contains a list of 6 URLs.
It tries to download several files from these addresses.
The downloaded files are stored in the following locations:
- C:\WINDOWS\system32\%variable%.exe
- C:\WINDOWS\system32\%variable%.dll
A string with variable content is used instead of %variable%.
The HTTP protocol is used. The files are then executed.
The trojan may create the following files:
- C:\WINDOWS\system32\xvhost.sb
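The artefacts listed above can be turned into a simple host check. The following is an added example, not part of the original description: it matches a registry Run key export and a list of file paths against the indicators on this page (the "RunmeAtStartup" value pointing into system32, the svchost.exe copy outside system32, C:\rec.bat and xvhost.sb). The input dictionaries and paths are constructed sample data, not real telemetry.

```python
import re

# Indicators quoted from the description above.
RUN_VALUE_NAME = "RunmeAtStartup"
DROPPED_FILES = {
    r"c:\rec.bat",
    r"c:\windows\system32\xvhost.sb",
}
# The legitimate svchost.exe lives in system32, so a copy under a temp
# directory is itself an indicator.
TEMP_SVCHOST = re.compile(r"[\\/]temp[\\/]svchost\.exe$", re.IGNORECASE)
# The persistence value data: C:\WINDOWS\system32\<variable name>.exe
SYSTEM32_EXE = re.compile(r"^c:\\windows\\system32\\[^\\]+\.exe$", re.IGNORECASE)


def check_run_values(run_values):
    """run_values: dict mapping value name -> data under
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run (assumed exported
    by the caller). Returns a list of human-readable findings."""
    findings = []
    for name, data in run_values.items():
        data = data.strip('"')
        if name.lower() == RUN_VALUE_NAME.lower() and SYSTEM32_EXE.match(data):
            findings.append(f"Run value {name!r} -> {data}")
    return findings


def check_paths(paths):
    """Return the subset of paths that match a dropped-file indicator."""
    return [p for p in paths
            if p.lower() in DROPPED_FILES or TEMP_SVCHOST.search(p)]


# Constructed sample input for a stand-alone run.
SAMPLE_RUN = {
    "RunmeAtStartup": r"C:\WINDOWS\system32\kdfj23.exe",   # constructed name
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",   # legitimate location, not flagged
    r"C:\rec.bat",
    r"C:\WINDOWS\system32\xvhost.sb",
]

if __name__ == "__main__":
    for line in check_run_values(SAMPLE_RUN) + check_paths(SAMPLE_PATHS):
        print("INDICATOR:", line)
```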