Internet threat level: 1
Home→Descriptions→Trojan-Downloader.Win32.VB.be
Trojan-Downloader.Win32.VB.be
| Detected | Jan 26 2004 11:33 GMT |
| Released | Jan 26 2004 11:33 GMT |
| Published | Nov 08 2006 12:54 GMT |
Payload
Removal instructions
Technical Details
This Trojan will download other programs from the Internet and launch them on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. The file is 24 576 bytes in size. This Trojan is written in Visual Basic.Payload
The Trojan consists of two files. The first of these is a so-called executable file called stub.exe, which is 20 480 bytes in size. The second file is the constructor for the first file, and is 24 576 bytes in size. The constructor is used to assign parameters to the executable file, such as the path to the file to be downloaded from the Internet, and the name under which the downloaded file will be saved on the victim machine.
When launched, the Trojan displays the following window:
When the user clicks on "Create", the Trojan will copy stub.exe, which is located in the Trojan's working directory, under the name which has been entered in the "Downloader" field. The Trojan opens the copied file and writes data given in the data entry fields to the end of this file in the following format:
When the generated file is launched, it will search its body for a "CONFIG" string. The link from which a file is to be downloaded is located directly following this string. The Trojan will download a file from this link to the Windows system directory and save it under the name given after the "CONFIG" string and the link. It will then launch the downloaded file for execution.
If the user clicks on "Help" the Trojan displays the following message:
Removal instructions
If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:
- Use Task Manager to terminate the Trojan process
- Delete the original Trojan files (the location will depend on how the program originally penetrated the victim machine).
- Delete the file downloaded by the Trojan:
- Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
Programs classified as Trojan-Downloader download and install new versions of malicious programs, including Trojans and AdWare, on victim computers. Once downloaded from the Internet, the programs are launched or included on a list of programs which will run automatically when the operating system boots up.
Information about the names and locations of the programs which are downloaded are in the Trojan code, or are downloaded by the Trojan from an Internet resource (usually a web page).
This type of malicious program is frequently used in the initial infection of visitors to websites which contain exploits.
Trojan-Downloader.
- TrojanDownloader.
Win32. VB. be (Kaspersky Lab) - Trojan:
Downloader-DV (McAfee) - Mal/VBDldr-B (Sophos)
- Trojan.
Downloader. Korn. 10 (ClamAV) - W32/Downloader.
PS (FPROT) - W32/Threat-HLLSNP-based!Maximus (FPROT)
- TrojanDownloader:
Win32/VB. K (MS(OneCare)) - Trojan.
Korn (DrWeb) - Win32/TrojanDownloader.
VB. K trojan (Nod32) - Trojan.
Downloader. VB. K (BitDef7) - Win32:
Trojan-gen {Other} (AVAST) - Trojan-Downloader.
Win32. VB. BE (Ikarus) - Downloader.
VB. K (AVG) - Downloader.
VB. J (AVG) - HEUR/Malware (AVIRA)
- Downloader (NAV)
- Trojan.
DL. Roach (Rising) - Possible_Zlob-13 (TrendMicro)
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.