Detected: Feb 17 2010 02:11 GMT
Released: Feb 17 2010 06:16 GMT
Published: Mar 22 2011 10:02 GMT
This Trojan delivers a malicious payload to the user's computer. It is a Windows application (PE DLL file). It is 19 968 bytes in size. It is written in C++.
The Trojan copies its body to the Windows system directory as "hipo.neo":
%System%\hipo.neo
In order to ensure that it is launched automatically when the system is rebooted, the Trojan adds an entry to the system registry autorun key:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe rundll32.exe hipo.neo anvbdps"
If Microsoft Office is installed on the user's computer, the Trojan sets the security level to low by registering the following values in the system registry key:
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" = "1" "AccessVBOM" = "1"
It also executes a macro, through which the original body of the Trojan is launched for execution.
To ensure that its process is unique within the system, the Trojan creates a unique identifier:
2543661751979d32b7
Then, the Trojan creates a process named "svchost.exe" and injects its malicious code into the process's address space:
svchost.exe
The Trojan sends a request to the following address:
http://um***z.ua/banner/bb.php
At the time of writing, this link was inactive.
In response, it receives a configuration file for its subsequent functionality. Links received from the configuration file for downloading other malicious files are saved by the Trojan in the following registry key:
If your computer does not have an antivirus, and is infected by this malicious program, follow the instructions below to delete it:
%Temporary Internet Files%
[HKCU\Software\Microsoft\Office\11.0\Word\Security] "Level" "AccessVBOM"
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe"
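The registry changes described above can be checked against registry text collected from a host. The following is an added example, not part of the original description: it parses `reg query` output and flags a Winlogon "Shell" value other than "Explorer.exe" and the Word 11.0 "Level" and "AccessVBOM" values when they are set to 1. The sample input is constructed from the values on this page, and the function names are illustrative.

```python
import re

# Clean-system baseline given on this page: Winlogon "Shell" = "Explorer.exe".
EXPECTED_SHELL = "explorer.exe"

def parse_reg_query(text):
    """Parse `reg query` text into {key_path_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line is a key path
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:              # indented line: name, type, data
            m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$", line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return keys

def as_int(data):
    """Accept both "1" and "0x1" (REG_DWORD rendering); None if not numeric."""
    try:
        return int(data, 0)
    except ValueError:
        return None

def audit(text):
    """Return (finding, data) tuples for the registry changes this page lists."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.endswith(r"\windows nt\currentversion\winlogon"):
            shell = values.get("shell")
            # Anything appended after Explorer.exe also runs at logon.
            if shell is not None and shell.strip().lower() != EXPECTED_SHELL:
                findings.append(("winlogon-shell", shell))
        elif key.endswith(r"\office\11.0\word\security"):
            for name in ("level", "accessvbom"):
                if name in values and as_int(values[name]) == 1:
                    findings.append(("word-" + name, values[name]))
    return findings

# Constructed sample (not captured from a real host), using this page's values.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe rundll32.exe hipo.neo anvbdps

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security
    Level    REG_DWORD    0x1
    AccessVBOM    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result from `audit` means only that these particular values match the baseline; it does not cover the copied file or the injected process.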
This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.
This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.