| Type of infiltration: | Trojan |
| Size: | 28000001 B |
| Affected platforms: | Microsoft Windows |
| Signature database version: | 4552 (20091028) |
Short description
Win32/VB.OOB is a trojan that deletes files in specific folders.
Installation
When executed, the trojan creates the following folders:
- %windir%\system32w
- %windir%\system32e
- %windir%\TR1
The following files are dropped:
- %windir%\system32w\IOASAL.DLL
- %windir%\system32w\smss.GELGG
- %windir%\system32w\services.GELGG
- %windir%\system32w\winlogon.GELGG
- %windir%\system32e\services.exe
- %windir%\system32e\TR07C.DLL
The trojan creates and runs a new thread with its own program code within the following processes:
Payload information
Win32/VB.OOB is a trojan that deletes files in specific folders. The trojan searches local drives for files with the following file extensions:
It avoids files which contain any of the following strings in their path:
- %windir%
- Local Setting
- Application Data
- Temp
- RECYCLE
- WINDOWS
- Cookies
- ntldr
- NTLDR
- .SYS
- .sys
- .BIN
- .bin
- .COM
- .com
- .BAT
- .bat
- .BAK
- .bak
- .db
- .ini
- .lnk
- 0000
- 0001
- 0002
- 0003
- 0004
- 0005
- 0006
- 0007
- 0008
- 0009
- 000A
- 000B
- PJMA
- PJMA_SD
- .T-652D.PNG
- .sts
When the trojan finds a file matching the search criteria, it creates a new file.
The file name and extension of the newly created file are derived from the original one.
An additional ".T-652D.PNG" extension is appended. The file is a JPEG image.
Some examples follow.
(1.)
(2.)
(3.)
(4.)
The size of the file is 21901 B or 305801 B.
The trojan then deletes the original files.
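A triage script for the behaviour described above, added here as an example and not part of the original description: it walks a directory tree, reports every file carrying the appended ".T-652D.PNG" suffix, recovers the name of the file it replaced, and checks whether the content is JPEG and whether the size matches one of the two values given. The sample tree and its file names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

MARKER_SUFFIX = ".T-652D.PNG"   # suffix the trojan appends (from the description)
KNOWN_SIZES = {21901, 305801}   # replacement image sizes given in the description
JPEG_SOI = b"\xff\xd8\xff"      # JPEG start-of-image marker

def original_name(marker_name: str) -> str:
    """Recover the replaced file's name by stripping the appended suffix."""
    return marker_name[: -len(MARKER_SUFFIX)]

def find_replaced_files(root: str) -> list[dict]:
    """Walk root and report every file carrying the marker suffix."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.upper().endswith(MARKER_SUFFIX):
                continue
            marker = Path(dirpath) / name
            original = marker.with_name(original_name(name))
            with open(marker, "rb") as fh:
                head = fh.read(len(JPEG_SOI))
            hits.append({
                "marker_file": str(marker),
                "original_file": str(original),
                "is_jpeg": head == JPEG_SOI,            # .PNG name, JPEG content
                "known_size": marker.stat().st_size in KNOWN_SIZES,
                "original_present": original.exists(),  # False once deleted
            })
    return sorted(hits, key=lambda h: h["marker_file"])

def build_sample_tree(base: str) -> None:
    """Constructed sample tree; file names are hypothetical, not from the description."""
    docs = Path(base) / "Documents"
    docs.mkdir()
    # Original already deleted, replacement has a known size: the usual outcome.
    (docs / ("budget.xls" + MARKER_SUFFIX)).write_bytes(JPEG_SOI + b"\0" * (21901 - 3))
    # Replacement written but original still present (interrupted run).
    (docs / ("notes.txt" + MARKER_SUFFIX)).write_bytes(JPEG_SOI + b"\0" * 100)
    (docs / "notes.txt").write_text("still here")
    # Ordinary image that must not be reported.
    (docs / "holiday.png").write_bytes(b"\x89PNG\r\n\x1a\n")

def run_demo() -> list[dict]:
    """Build the sample tree in a temporary directory and scan it."""
    base = tempfile.mkdtemp()
    build_sample_tree(base)
    return find_replaced_files(base)
```

Run `find_replaced_files` against a mounted image or a user profile to list which files were replaced and which, if any, still have their original beside the marker copy.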
Other information
The trojan may execute the following commands:
- command.com /c ipconfig /all
- command.com /c tracert www.google.co.jp
- command.com /c tracert www.yahoo.co.jp
- command.com /c tracert www.goo.ne.jp