Trojan.VB.AE

HIGH
VERY LOW
28672

Symptoms

Multiple executable files with similar names and the same size (28672 bytes) on your disk, and one or more processes running under the name “L_and_A”. All copies have the same icon (one that looks like the Microsoft Paint icon).

Removal instructions:

a) Please let BitDefender disinfect your files.
b) Stop the process “L_and_A” when the message box with one of the 4 possible messages appears (and then delete the original file). This will work only if this is the first time you have come into contact with the virus.

Analyzed By

Dragos Gavrilut, virus researcher

Technical Description:

Trojan.VB.AE was written in Visual Basic 6.0. The virus has a single window (which it hides by moving it outside the screen coordinates).

Once executed, the virus will do the following:

  1. It displays a message box that looks like an error message from Windows. There are 4 possible error messages that the virus can show:

a)      File not found

b)      Windll.dll missing

c)      Unknown format

d)      Error opening file , Winpaint.dll missing

  2. The virus then waits until the user presses the “Ok” button in the message box.

  3. It starts searching recursively for files with the following extensions (*.exe, *.mp3, *.avi, *.jpg) and takes the following actions:

a)      If the target file is an executable file (*.exe), it copies itself to the same location as the target file, with a similar name (which is created by adding a random letter in front of the target file name; e.g. for the file write.exe, possible names are Wwrite.exe, hwrite.exe, etc.).

b)      If the target file is not an executable, it copies itself to the same location as the target file, with a similar name (created by adding the extension “.exe” to the end of the file name; e.g. for mypicture.jpg, the virus will create a copy of itself with the name mypicture.jpg.exe).

  4. After this action, the virus remains inactive in memory (it appears in Task Manager in both the “Processes” list and the “Applications” list).

The virus identifies its own copies by their size, and it never overwrites itself.
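
A defender-side check for the copies described above, as an added example that is not part of the original write-up: it walks a directory tree and reports `.exe` files of exactly 28672 bytes whose names follow either naming pattern next to an existing sibling file. The function names and the sample tree are constructed for illustration, and a hit is a candidate for scanning rather than proof of infection.

```python
import os
import tempfile

DROPPER_SIZE = 28672                   # file size stated in the description
MEDIA_EXTS = {".mp3", ".avi", ".jpg"}  # non-executable targets listed above

def find_suspect_copies(root):
    """Return sorted paths of .exe files matching the size and naming pattern."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        siblings = {f.lower() for f in files}
        for name in files:
            low = name.lower()
            path = os.path.join(dirpath, name)
            if not low.endswith(".exe"):
                continue
            try:
                if os.path.getsize(path) != DROPPER_SIZE:
                    continue
            except OSError:            # unreadable or vanished file: skip it
                continue
            stem = low[:-4]
            # Pattern b: "<media file name>.exe" beside the media file itself.
            double_ext = (os.path.splitext(stem)[1] in MEDIA_EXTS
                          and stem in siblings)
            # Pattern a: one extra leading letter in front of a sibling .exe name.
            prefixed = low[0].isalpha() and low[1:] in siblings
            if double_ext or prefixed:
                suspects.append(path)
    return sorted(suspects)

def build_constructed_tree(root):
    """Constructed sample layout: zero-filled files, not real samples."""
    sizes = {"write.exe": 10000, "Wwrite.exe": DROPPER_SIZE,
             "mypicture.jpg": 500, "mypicture.jpg.exe": DROPPER_SIZE,
             "setup.exe": DROPPER_SIZE,   # right size, no matching sibling
             "notes.jpg.exe": 1234}       # double extension, wrong size
    for name, size in sizes.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for hit in find_suspect_copies(tmp):
            print(hit)
```

Requiring both the size and a matching sibling keeps unrelated 28672-byte executables such as the constructed `setup.exe` out of the results.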