TROJ_VB.JOY

 Analysis by: Cris Nowell Pantanilla

 PLATFORM:

Windows 2000, XP, Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW


However, due to errors in its code, it fails to perform its intended routine.

  TECHNICAL DETAILS

File Size:

49,152 bytes

File Type:

PE

Memory Resident:

Yes

Initial Samples Received Date:

07 Aug 2010

Installation

This Trojan drops the following copies of itself into the affected system:

  • {Drive}\Document and Settings\All Users\Application Data\autorun
  • {Drive}\Document and Settings\All Users\Application Data\svchost
  • {Drive}\Document and Settings\All Users\Application Data\explorer
  • {Drive}\Documents and Settings\All Users\Application Data\explorer
  • {Drive}\Documents and Settings\All Users\Application Data\svchost
  • {Drive}\Documents and Settings\All Users\Application Data\autorun

Other Details

However, due to errors in its code, it fails to perform its intended routine.

It does the following:

  • It drops a copy of itself in the current directory. It then uses the names of the folders in the same directory as its file name. It changes the attributes of these folders to Hidden to trick the user into running the file.
  • It drops a copy of itself in the current folder. These dropped copies use the names of folders in the current drive as their file names. It then changes the attributes of the folder to Hidden. This tricks the user into opening the dropped copies of the file.
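
The folder-masquerading behaviour described above can be hunted for by pairing each hidden folder with a same-named file sitting next to it. The following Python check is an added example, not part of the original analysis; the function names, the injectable `is_hidden` predicate and the sample tree are assumptions, and the size filter uses the 49,152-byte file size listed in this entry.

```python
import os
import stat
import tempfile

SAMPLE_SIZE = 49152  # file size listed in this entry's technical details

def windows_hidden(path):
    """True if the Windows Hidden attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_folder_decoys(root, is_hidden=windows_hidden, size=SAMPLE_SIZE):
    """Return sorted (hidden_folder, decoy_file) pairs found directly under root.
    A file is a decoy if its name minus extension equals a hidden folder's name
    (case-insensitive) and its size matches."""
    folders, files = {}, []
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                if is_hidden(entry.path):
                    folders[entry.name.lower()] = entry.path
            elif entry.is_file(follow_symlinks=False):
                files.append(entry)
    hits = []
    for f in files:
        stem = os.path.splitext(f.name)[0].lower()
        if stem in folders and f.stat().st_size == size:
            hits.append((folders[stem], f.path))
    return sorted(hits)

def build_constructed_case(base):
    """Constructed sample tree; returns the set of folders to treat as hidden."""
    for name in ("Photos", "Music", "Work"):
        os.mkdir(os.path.join(base, name))
    hidden = {os.path.join(base, n) for n in ("Photos", "Work")}
    with open(os.path.join(base, "Photos.exe"), "wb") as fh:
        fh.write(b"\0" * SAMPLE_SIZE)   # hidden folder + same name + same size
    with open(os.path.join(base, "Music.exe"), "wb") as fh:
        fh.write(b"\0" * SAMPLE_SIZE)   # folder is visible: not reported
    with open(os.path.join(base, "Work.txt"), "wb") as fh:
        fh.write(b"notes")              # size differs: not reported
    return hidden

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        hidden = build_constructed_case(tmp)
        for folder, decoy in find_folder_decoys(tmp, is_hidden=hidden.__contains__):
            print("hidden folder:", folder, "| decoy file:", decoy)
```

On a Windows host, call `find_folder_decoys(path)` with the default predicate so the real Hidden attribute is read; pass `size=None`-style relaxations only by editing the comparison, since a size match is what keeps ordinary same-named files out of the results.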

  SOLUTION

Minimum Scan Engine:

8.900

VSAPI PATTERN File:

7.493.00

VSAPI PATTERN Date:

07 Aug 2010

Step 1

Scan your computer with your Trend Micro product to delete files detected as TROJ_VB.JOY. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

