Symptoms
Multiple executable files with similar names and the same size (28672 bytes) on your disk and one or many processes running under the name “L_and_A”; All copies have the same icon ( one that looks like the Microsoft Paint icon ).
Removal instructions:
a) Please let BitDefender disinfect your files.
b) Stop the process “L_and_A” when the message box with one of the 4 possible messages appears (and then delete original file). This will work only if this is the first time you contact the virus.
Analyzed By
Dragos Gavrilut, virus researcher
Technical Description:
Trojan.VB.Ae was written in Visual Basic 6.0. The virus has a single window (witch it hides by moving it outside the screen coordinates).
Once executed, the virus will do the following:
- Will display a message box that looks like an error message from Windows. There are 4 possible error messages that the virus can show :
a) File not found
b) Windll.dll missing
c) Unknown format
d) Error opening file , Winpaint.dll missing
- The virus then waits until the user presses “Ok” button from the message box
- It start recursively , searching for files with following extension (*.exe , *.mp3 , *.avi , *.jpg) and does the following actions :
a) if the target file is an executable file (*.exe) , it copies itself to the same location as the target file , with a similar name ( with is created by adding a random letter in from of the target file name E.g. for file write.exe , possible names are Wwrite.exe , hwrite.exe , etc ).
b) if the target file is not an executable , it copies itself to the same location as the target file , with a similar name ( by adding extension “.exe” to the end of the file E.g. for mypicture.jpg , the virus will create a copy of itself with the name mypicture.jpg.exe )
- After this action , the remains inactive in memory ( it appears in Task Manager both in “Processes list” and “Application list”
The virus identifies itself after the size and it never overwrite itself.
SHARE
THIS ON