TROJ_VB.JOY
Windows 2000, XP, Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
However, due to errors in its code, it fails to perform its intended routine.
TECHNICAL DETAILS
49,152 bytes
PE
Yes
07 Aug 2010
Installation
This Trojan drops the following copies of itself into the affected system:
- {Drive}\Document and Settings\All Users\Application Data\autorun
- {Drive}\Document and Settings\All Users\Application Data\svchost
- {Drive}\Document and Settings\All Users\Application Data\explorer
- {Drive}\Documents and Settings\All Users\Application Data\explorer
- {Drive}\Documents and Settings\All Users\Application Data\svchost
- {Drive}\Documents and Settings\All Users\Application Data\autorun
Other Details
However, due to errors in its code, it fails to perform its intended routine.
It does the following:
- It drops a copy of itself in the current directory. It then uses the names of the folders in the same directory as its file name. It changes the attributes of these folders to Hidden to trick the user into running the file.
- It drops a copy of itself in the current folder. These dropped copies use the names of folders in the current drive as their file names. It then changes the attributes of the folders to Hidden. This tricks the user into opening the dropped copies of the file.
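The folder-name trick described above leaves a recognisable pattern: a Hidden folder sitting next to a file with the same base name. The following Python sketch is an added example, not part of the original write-up or any Trend Micro tool; it flags such pairs in one directory. The extension list and the function names are assumptions, since the page does not state the extension of the dropped copies.

```python
import os
import stat
from pathlib import PureWindowsPath

# Assumption: the write-up does not give the extension of the dropped copies,
# so common Windows executable extensions are checked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}

def find_masquerades(entries):
    """entries: (name, is_dir, is_hidden) tuples for ONE directory.
    Returns sorted (hidden_folder, lookalike_file) pairs."""
    entries = list(entries)
    # Windows names are case-insensitive, so compare lower-cased.
    hidden_dirs = {n.lower(): n for n, is_dir, hidden in entries if is_dir and hidden}
    hits = []
    for name, is_dir, _hidden in entries:
        if is_dir:
            continue
        p = PureWindowsPath(name)
        if p.suffix.lower() in EXEC_EXTS and p.stem.lower() in hidden_dirs:
            hits.append((hidden_dirs[p.stem.lower()], name))
    return sorted(hits)

def list_entries(path):
    """Yield (name, is_dir, is_hidden) for a real directory.
    st_file_attributes exists only on Windows; elsewhere hidden is False."""
    for e in os.scandir(path):
        attrs = getattr(e.stat(follow_symlinks=False), "st_file_attributes", 0)
        yield (e.name, e.is_dir(follow_symlinks=False),
               bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN))

# Constructed sample listing (not taken from an infected system).
SAMPLE = [
    ("Photos", True, True),
    ("Photos.exe", False, False),    # same base name as a Hidden folder
    ("Reports", True, False),
    ("Reports.exe", False, False),   # folder is visible: not flagged
    ("Music", True, True),
    ("music.SCR", False, False),     # case-insensitive match
    ("notes.txt", False, False),
]

if __name__ == "__main__":
    for folder, lookalike in find_masquerades(SAMPLE):
        print(f"hidden folder {folder!r} shadowed by file {lookalike!r}")
```

On a Windows host, find_masquerades(list_entries(path)) runs the same check against a real directory.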
SOLUTION
8.900
7.493.00
07 Aug 2010
8/7/2010 12:00:00 AM
Step 1
Scan your computer with your Trend Micro product to delete files detected as TROJ_VB.JOY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.