My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Trojan.VB.Chinky.U

MEDIUM
MEDIUM
~44KB
(Worm.Win32.VBNA.iby, Trojan.MulDrop.34673)

Symptoms

The presence of a hidden ".exe" file in "%Documents and settings%\%UserName%\". This file also appears as a running process in Task Manager's processes list, but this process cannot be terminated using TaskManager.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Calin Groza, virus researcher

Technical Description:

This malware is a downloader. It connects to the following site:

                              n**.thei********our.net

When executed this malware copies itself in "%Documents and settings%\%UserName%\" folder under
a random name (examples of names: kanef.exe, duedue.exe, cuecuf.exe, etc.).

To execute itself at every start-up it creates the following registry key:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ %RandomName% <- %Documents and settings%\%UserName%\%RandomName%.exe

The malware also disables "Show hidden files" for Windows Explorer via Windows Registry:
        HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden <- 0x00000000



*Spreading via USB drives:

This trojan has also the ability to propagate itself via removable drives. When it detects an USB drive,it drops two copies of itself on that drive, one with ".exe" file extension and the other one with ".scr" file extension, both with the same random name previously generated.

It creates the "autorun.inf" file with the following content, to be able to execute automaticaly the dropped ".exe" on systems with AutoRun enabled :
        
                                      [auTOrUN]
                                      AcTIon=Open folder to view files
                                      SheLlEXECUtE=%RandomName%.EXE
                                      icon=%sySTEmrooT%\SysTem32\shElL32.dll,4
                                      usEAutOPLAy=1

This "autorun.inf" also defines the icon of the infected removable drive as the standard folder icon from Windows.

This malware also creates 6 shortcut files on the removable drive, all 6 shortcuts point to the dropped ".scr" file.
This shortcut files are trying to imitate folders, so they have common folder names(New Folder, Passwords, Documents, Pictures, Music, Video)
with their specific icons:




While the malware is running, the "autorun.inf" file is inaccessible.