BitDefender Antivirus

Trojan.VB.AP

Spreading: high
Damage: very low
Size: 45086
Discovered: 2006 Feb 02

SYMPTOMS:

Multiple executable files with similar names and the same size (approx. 44 kBytes) on your disk, and one or more processes running under the name “L_and_A1”. All copies have the same icon (one that looks like a folder icon).

TECHNICAL DESCRIPTION:

Trojan.VB.AP was written in Visual Basic 6.0. The virus has a single window (which it hides by moving it outside the screen coordinates).

Once executed, the virus will do the following:

  1. The virus creates a new directory (with the same name as its own). This way, it looks as if the user has opened a directory, when the user has actually run the virus.
  2. It tries to create the following file: “C:\Program Files\Symantec\LiveUpdate\Luall.exe”
  3. It starts a recursive search for files with the following extensions (*.exe, *.mp3, *.avi, *.jpg) and takes the following actions:

     a) If the target file is an executable file (*.exe), it copies itself to the same location as the target file, with a similar name (which is created by adding a random letter in front of the target file name; e.g. for the file write.exe, possible names are Wwrite.exe, hwrite.exe, etc.).

     b) If the target file is not an executable, it copies itself to the same location as the target file, with a similar name (created by adding the extension “.exe” to the end of the file name; e.g. for mypicture.jpg, the virus will create a copy of itself with the name mypicture.jpg.exe).

  4. After this action, the virus remains inactive in memory (it appears in Task Manager in both the “Processes list” and the “Application list”).

The virus identifies its own copies by their size, and it never overwrites itself.
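The naming rules and fixed size described above can be turned into a triage scan. The following is an added example, not BitDefender's detection logic: it flags files whose size equals the listed 45086 (taken as bytes) and whose name follows rule a) or b) next to a matching neighbour. The function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import tempfile

SAMPLE_SIZE = 45086                      # "Size" field from the write-up, taken as bytes
MEDIA_EXTS = (".mp3", ".avi", ".jpg")    # non-executable targets listed in step 3

def classify(name, siblings):
    """Return which naming rule `name` matches among `siblings`, or None."""
    lower = name.lower()
    if not lower.endswith(".exe"):
        return None
    stem = lower[:-4]
    # Rule b): <target>.<media ext>.exe sitting next to the original media file
    if stem.endswith(MEDIA_EXTS) and stem in siblings:
        return "double extension beside " + stem
    # Rule a): a single letter prepended to the name of a neighbouring .exe
    if lower[0].isalpha() and lower[1:] in siblings:
        return "letter prefix beside " + lower[1:]
    return None

def find_suspect_copies(root):
    """Walk `root`; report files of the documented size that match a rule."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        siblings = {f.lower() for f in files}
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue                 # unreadable or vanished file
            reason = classify(name, siblings) if size == SAMPLE_SIZE else None
            if reason:
                hits.append((os.path.relpath(path, root), reason))
    return hits

def build_constructed_tree():
    """Constructed zero-filled files; setup.exe and song.mp3.exe are near-misses."""
    root = tempfile.mkdtemp(prefix="vbap_demo_")
    layout = {"write.exe": 9000, "Wwrite.exe": SAMPLE_SIZE,
              "mypicture.jpg": 1200, "mypicture.jpg.exe": SAMPLE_SIZE,
              "setup.exe": SAMPLE_SIZE, "song.mp3": 3000, "song.mp3.exe": 512}
    for name, size in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root

if __name__ == "__main__":
    print(find_suspect_copies(build_constructed_tree()))
```

A hit is only a candidate for scanning: a size and name match does not prove the file is a copy of the virus.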

Removal instructions:

Please let BitDefender disinfect your files.

ANALYZED BY:

Dragos Gavrilut, virus researcher