Thursday, December 18, 2008

Win32/VB.IQ and Win32/VB.IQ.dr

    Trojan:Win32/VB.IQ is a trojan downloader dropped by another piece of malware, detected as Trojan:Win32/VB.IQ.dr. It connects to certain web servers to download other malware.

    Trojan:Win32/VB.IQ is dropped onto the system by Trojan:Win32/VB.IQ.dr. It also drops a copy of itself as %windir%\bravo.exe.

    Trojan:Win32/VB.IQ may drop and execute the following file:
    %windir%\ppsap.exe
    Upon execution, Trojan:Win32/VB.IQ.dr drops a copy of itself in the Windows folder as ppsap.exe. It then drops the file kimo.exe, also in the Windows folder.

    It then modifies the system registry so that kimo.exe and another file, bravo.exe, are automatically run when Windows starts:

    Adds value: "civic"
    With data: "%windir%\kimo.exe"
    Adds value: "ppsap"
    With data: "%windir%\bravo.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    It then executes kimo.exe and bravo.exe, which are both detected as Trojan:Win32/VB.IQ.

    Note that Trojan:Win32/VB.IQ.dr does not drop bravo.exe but attempts to execute it, on the assumption that bravo.exe is already on the system, possibly dropped by kimo.exe.

    This ensures that Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ install each other: each component re-drops the other, so removing only one of the files, or only one of the Run-key values, leaves the remaining component to restore the infection at the next start.
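The following PowerShell triage script is an added example, not a tool from the vendor write-up or from the original post. It checks a host for the indicators described above: the two Run-key values and their data, the three executables in the Windows folder, and any running process launched from one of those paths. The key, value names and file names are taken from the description; the script assumes the executables were dropped into the directory named by %windir% and otherwise makes no assumptions about the samples.

```powershell
# Added example: check a host for the Trojan:Win32/VB.IQ / VB.IQ.dr indicators
# described in the write-up. Not the vendor's tool. Run from an elevated prompt;
# the key, value names and file names come from the write-up, and it is
# assumed the files sit directly under %windir% as the description states.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$windir = $env:windir

# Run-key values the dropper is reported to add, with the data it writes.
$expectedValues = @{
    'civic' = (Join-Path $windir 'kimo.exe')
    'ppsap' = (Join-Path $windir 'bravo.exe')
}

# Executables reported as dropped into the Windows folder.
$droppedFiles = 'ppsap.exe', 'kimo.exe', 'bravo.exe' |
    ForEach-Object { Join-Path $windir $_ }

$findings = @()

# 1. Run-key check. Match on the value name OR on the expanded data, since a
#    variant could rename the value while still pointing at the same binary.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $data = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
        $nameHit = $expectedValues.ContainsKey($prop.Name)
        $dataHit = $expectedValues.Values -contains $data
        if ($nameHit -or $dataHit) {
            $findings += [pscustomobject]@{ Type = 'RunKey'; Item = "$($prop.Name) = $data" }
        }
    }
}

# 2. File check. Record a hash so the sample can be correlated with other hosts.
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Item = "$f  SHA256=$hash" }
    }
}

# 3. Process check. The dropper executes both payloads, so a live infection
#    normally shows at least one of them running from the Windows folder.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($droppedFiles -contains $_.Path) } |
    ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'Process'; Item = "$($_.ProcessName) PID $($_.Id) $($_.Path)" }
    }

if ($findings.Count -eq 0) {
    'No VB.IQ indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the two components reinstall each other, act on the whole set of findings at once: terminate every listed process, delete all three files and both Run-key values, then re-run the script after a reboot to confirm nothing was re-dropped.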
