Short description
Win32/VB.NIY is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.
Installation
When executed, the trojan copies itself into the following location:
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ewrgetuj" = "%temp%\geurge.exe"
The following file is dropped:
The file is then executed.
After the installation is complete, the trojan deletes the original executable file.
Other information
The trojan executes the following commands:
- net.exe stop "Security Center"
- sc config wscsvc start=DISABLED
- net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"
- sc config SharedAccess start=DISABLED
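The persistence entry and the four service-tampering commands above are the host-side indicators a responder would hunt for. The following Python is an added detection example written for this page; it is not code from the malware description or from any vendor tool. It scans a constructed list of process-creation, registry-set and file-create events (the event shape and the sample data are assumptions made for the example) and reports any that match the Run value, the net.exe/sc.exe commands against wscsvc and SharedAccess, or the %temp% file names listed on this page. Note that sc.exe itself expects a space after the equals sign (`start= disabled`); the matcher accepts both that form and the `start=DISABLED` spelling shown above, so a log line in either form is caught.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ewrgetuj"
RUN_DATA = r"%temp%\geurge.exe"

# Services the trojan stops and disables: short name -> display name.
TARGET_SERVICES = {
    "wscsvc": "Security Center",
    "sharedaccess": "Windows Firewall/Internet Connection Sharing (ICS)",
}
DISPLAY_NAMES = {name.lower() for name in TARGET_SERVICES.values()}

# Files the trojan may create; %variable% is matched as any run of characters.
FILE_PATTERNS = [
    re.compile(r"%temp%\\G_.+\.ini$", re.I),
    re.compile(r"%temp%\\segh3h43\.tmp$", re.I),
    re.compile(r"%temp%\\eh3wu4h3hw\.ini$", re.I),
]

# net[.exe] stop "<display name>"  (quotes optional)
NET_STOP = re.compile(r'^\s*net(\.exe)?\s+stop\s+"?(?P<svc>[^"]+)"?\s*$', re.I)
# sc[.exe] config <short name> start=DISABLED  (space after '=' optional)
SC_DISABLE = re.compile(
    r"^\s*sc(\.exe)?\s+config\s+(?P<svc>\S+)\s+start=\s*disabled\s*$", re.I)


def classify(event):
    """Return a finding string if the event matches an indicator, else None.

    Event shape is an assumption for this example: a dict with a "type" of
    "process" (cmdline), "registry" (key, value, data) or "file" (path).
    """
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        m = NET_STOP.match(cmd)
        if m and m.group("svc").strip().lower() in DISPLAY_NAMES:
            return "service stopped via net.exe: " + m.group("svc").strip()
        m = SC_DISABLE.match(cmd)
        if m and m.group("svc").lower() in TARGET_SERVICES:
            return "service disabled via sc.exe: " + m.group("svc")
    elif kind == "registry":
        if (event.get("key", "").lower() == RUN_KEY.lower()
                and event.get("value", "").lower() == RUN_VALUE
                and event.get("data", "").lower() == RUN_DATA.lower()):
            return "persistence: Run value " + RUN_VALUE + " -> " + RUN_DATA
    elif kind == "file":
        path = event.get("path", "")
        if any(p.search(path) for p in FILE_PATTERNS):
            return "dropped file: " + path
    return None


def scan(events):
    """Run classify() over a sequence of events and collect the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed sample telemetry: the four commands from the page, the Run
# value, one dropped file, plus two benign events that must not match.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'net.exe stop "Security Center"'},
    {"type": "process", "cmdline": "sc config wscsvc start=DISABLED"},
    {"type": "process",
     "cmdline": 'net.exe stop "Windows Firewall/Internet Connection Sharing (ICS)"'},
    {"type": "process", "cmdline": "sc config SharedAccess start=DISABLED"},
    {"type": "process", "cmdline": "sc config Spooler start=auto"},
    {"type": "registry", "key": RUN_KEY, "value": "ewrgetuj",
     "data": r"%temp%\geurge.exe"},
    {"type": "file", "path": r"%temp%\G_1a2b3c.ini"},
    {"type": "file", "path": r"%temp%\report.txt"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The matchers are case-insensitive and tolerant of extra whitespace because both net.exe and sc.exe accept their arguments that way; a detection that keyed on the exact spelling on this page would miss a trivially re-spaced command line.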
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (3) URLs. The HTTP protocol is used.
The trojan can download and execute a file from the Internet.
The trojan may create the following files:
- %temp%\G_%variable%.ini
- %temp%\segh3h43.tmp
- %temp%\eh3wu4h3hw.ini
- %variable%.exe
A string with variable content is used instead of %variable%.
The trojan collects the following information:
- network adapter information
- volume serial number
The trojan can send the information to a remote machine.