Trojan.Win32.VB.aeke

Technical Details
Payload
Removal instructions

Technical Details

This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE EXE file). It is 352 256 bytes in size. It is written in Visual Basic.

Installation

When launching, the Trojan copies its executable file to the current user's temporary directory under the name:

%Temp%\geurge.exe

In order to ensure that the Trojan is launched automatically each time the system is rebooted, the Trojan adds a link to its copy to the system registry autorun key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ewrgetuj"="%Temp%\geurge.exe"

The Trojan then creates a batch file in the root directory of the "C:\" drive, launches this file, and ceases running. The batch file deletes both the original Trojan file and itself.

Payload

A copy of the Trojan is launched and checks for the presence of the following files and folders:

%AllUsersProfile%\Desktop\World of Warcraft.lnk
%AllUsersProfile%\Desktop\wow.lnk
%AllUsersProfile%\Application Data\Blizzard
%AllUsersProfile%\Start Menu\Programs\World of Warcraft
%ProgramFiles%\World of Warcraft
%ProgramFiles%\Common Files\Blizzard Entertainment
%ProgramFiles%\World of Warcraft Trial
%ProgramFiles%\World of Warcraft
%HomePath%\Desktop\World of Warcraft
%HomePath%\My Documents\World of Warcraft
%HomePath%\My Documents\wow
c:\World of Warcraft
c:\game\World of Warcraft
c:\games\World of Warcraft
c:\games\Wow
c:\game\Wow
c:\Wow
c:\World of Warcraft Trial
c:\game\World of Warcraft Trial
c:\games\World of Warcraft Trial
c:\WOW Atlantic
c:\games\WOW Atlantic
c:\game\WOW Atlantic

It obtains a list of all the user's shortcuts:

%AllUsersProfile%\Desktop\*.lnk
%HomePath%\Desktop\*.lnk

Then the Trojan gathers information from the files using the following masks:

%HomePath%\Cookies\*.txt
%AllU\sersProfile%\Application Data\Microsoft\Network\
Connections\Pbk\*.pbk
%System%\Ras\*.pbk
%AppData%\Microsoft\Network\Connections\Pbk\*.pbk

The Trojan establishes network communication with the following host, to which it sends the information it has gathered:

config.instal**orm.com

The Trojan may also download a file from this link:

http://122.224.*.48/g.txt?t=0.2316616

At the time of writing, this link was inactive.

Removal instructions

If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:

1. Use Task Manager to terminate the Trojan process.
2. Delete the following file:

   %Temp%\geurge.exe

3. Delete the following system registry key (What is a system registry and how do I use it?):

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "ewrgetuj"="%Temp%\geurge.exe"
   

4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).