Computer threats and malicious software description
VB.me
2013-02-24
Aliases: Trojan-Dropper.Win32.VB.me
Category: Malware
Parameters: Size: 233472; Platform: W32
Short description
Trojan-Dropper.Win32.VB.me drops multiple copies of itself into the download folders of peer-to-peer applications
Long description
The malware initially targets users of peer-to-peer (P2P) applications.
It checks for the presence of the following P2P configuration files and the corresponding configuration registry entries to find the name of the directory where downloaded files are stored:
    %appdata%\LimeWire\.limewire.props
    %appdata%\morpheus\morphconfig.ini
    %appdata%\morpheus ultra\morphconfig.ini
    %programfiles%\BearShare\FreePeers.ini

After that it looks for the executable files of the P2P applications and starts them:
    %programfiles%\limewire\limewire.exe
    %programfiles%\shareaza\shareaza.exe
    %programfiles%\bearshare\bearshare.exe
    %programfiles%\morpheus\morpheus.exe
    %programfiles%\morpheus ultra\morpheus.exe

It checks the folder where LimeWire's downloaded files are saved. The download directories of BearShare, Morpheus, Morpheus Ultra and Shareaza are checked only after one of the executables bearshare.exe, morpheus.exe or shareaza.exe has been started as a process.
It creates a hidden folder named "_" in the default download (write) folder.
To continue its activity, the dropper checks whether %alluserstartup%\wmplayer.exe has been started.
If it has not, it displays the following message and exits:
    "Windows Media Player"
    "Media player cannot play file codec is missing"

If it has, it checks for the presence of any of the following files in the system folder:
    winlog.exe
    p2pnetworking.exe
    scvhost.exe
    winlogi.exe
    p2pnetwork.exe
    csrrs.exe

If none of these files is found, it drops and starts the file %windows%\b.exe.
It locks the following system tools to make removal of its payload program harder:
    %system%\cmd.exe
    %system%\netstat.exe
    %system%\tracert.exe
    %system%\ping.exe
    %system%\ipconfig.exe
    %system%\taskkill.exe
    %system%\regedt32.exe
    %system%\taskmgr.exe
    %windows%\regedit.exe

When any of the applications listed above is started, the following message is displayed:
    [application name]
    "Another program is currently using this file"

After that it drops a copy of itself under the name "yesyesyesyes.exe" in a new subfolder of the already created folder "_".
It downloads the page:
    http://www.mp3000.net[removed]ads/page[random numbers]-mp3.php

It extracts the titles of movies and music from this page and then uses these names when creating copies of itself in the download directory.
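A host check for the artefacts listed in this description, added here as an example and not part of the original write-up. The directory-snapshot format, the placeholder paths and the SAMPLE data are constructed assumptions so that the check runs offline; on a live host the snapshot would be filled from os.scandir, with the hidden flag taken from st_file_attributes.

```python
import os
from typing import Dict, List, Set, Tuple

# Snapshot: directory path -> [(name, is_dir, is_hidden), ...]; lets the check run offline.
Snapshot = Dict[str, List[Tuple[str, bool, bool]]]

# File names quoted in the description above.
SYSTEM_DROP_NAMES = {"winlog.exe", "p2pnetworking.exe", "scvhost.exe",
                     "winlogi.exe", "p2pnetwork.exe", "csrrs.exe"}
COPY_NAME = "yesyesyesyes.exe"


def _names(snap: Snapshot, directory: str) -> Set[str]:
    return {name.lower() for name, _, _ in snap.get(directory, [])}


def find_indicators(snap: Snapshot, system_dir: str, windows_dir: str,
                    startup_dir: str, p2p_download_dirs: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, path) pairs for the artefacts the description lists."""
    found = []
    for name in sorted(_names(snap, system_dir) & SYSTEM_DROP_NAMES):
        found.append(("system-folder component", os.path.join(system_dir, name)))
    if "b.exe" in _names(snap, windows_dir):
        found.append(("secondary dropper", os.path.join(windows_dir, "b.exe")))
    if "wmplayer.exe" in _names(snap, startup_dir):  # Media Player does not live in Startup
        found.append(("startup persistence", os.path.join(startup_dir, "wmplayer.exe")))
    for d in p2p_download_dirs:
        for name, is_dir, hidden in snap.get(d, []):
            if is_dir and hidden and name == "_":
                hidden_dir = os.path.join(d, name)
                found.append(("hidden '_' folder", hidden_dir))
                for sub, sub_is_dir, _ in snap.get(hidden_dir, []):  # copy goes in a subfolder
                    if sub_is_dir and COPY_NAME in _names(snap, os.path.join(hidden_dir, sub)):
                        found.append(("self-copy", os.path.join(hidden_dir, sub, COPY_NAME)))
    return found


# Constructed sample (not real data): one P2P download folder already touched by the dropper.
SAMPLE: Snapshot = {
    "/sys32": [("cmd.exe", False, False), ("scvhost.exe", False, False)],
    "/win": [("b.exe", False, False)],
    "/startup": [("wmplayer.exe", False, False)],
    "/dl": [("song.mp3", False, False), ("_", True, True)],
    "/dl/_": [("a1", True, False)],
    "/dl/_/a1": [("yesyesyesyes.exe", False, False)],
}
```

A visible, non-hidden "_" folder is deliberately not reported, since only the hidden one matches the behaviour described.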