
Trojan.VB.Chinky.U


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Trojan.VB.Chinky.U is also known as Worm.Win32.VBNA.iby, Trojan.MulDrop.34673.

Explanation :

This malware is a downloader. It connects to the following site:

n**.thei********our.net

When executed, this malware copies itself into the "%Documents and settings%\%UserName%" folder under
a random name (examples of names: kanef.exe, duedue.exe, cuecuf.exe, etc.).

To execute itself at every start-up it creates the following registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run %RandomName% <- %Documents and settings%\%UserName%\%RandomName%.exe

The malware also disables "Show hidden files" for Windows Explorer via Windows Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden <- 0x00000000

*Spreading via USB drives:

This trojan can also propagate via removable drives. When it detects a USB drive, it drops two copies of itself on that drive, one with the ".exe" file extension and the other with the ".scr" file extension, both using the same random name generated earlier.

It creates an "autorun.inf" file with the following content so that the dropped ".exe" is executed automatically on systems with AutoRun enabled:

[auTOrUN]
AcTIon=Open folder to view files
SheLlEXECUtE=%RandomName%.EXE
icon=%sySTEmrooT%\SysTem32\shElL32.dll,4
usEAutOPLAy=1

This "autorun.inf" also defines the icon of the infected removable drive as the standard folder icon from Windows.

This malware also creates 6 shortcut files on the removable drive; all 6 shortcuts point to the dropped ".scr" file.
These shortcut files try to imitate folders, so they have common folder names (New Folder, Passwords, Documents, Pictures, Music, Video)
with their specific icons.



While the malware is running, the "autorun.inf" file is inaccessible.
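A triage check for the removable-drive artefacts described above, added here as an example (it is not BitDefender's code). The function names, the result fields and the sample drive listing are assumptions, and "kanef" is one of the example names from the write-up. Keys are case-folded before matching because the dropped "autorun.inf" scrambles their case.

```python
import re
from pathlib import PureWindowsPath

# Folder names the write-up lists for the decoy shortcuts.
DECOY_NAMES = {"new folder", "passwords", "documents", "pictures", "music", "video"}


def parse_autorun(text):
    """Parse INI-style text into {section: {key: value}}, names case-folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif current is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return sections


def triage_drive(autorun_text, root_files):
    """Check a drive root for the artefact combination described above."""
    names = {name.lower() for name in root_files}
    autorun = parse_autorun(autorun_text).get("autorun", {})
    target = autorun.get("shellexecute", "").strip('"')
    exe = PureWindowsPath(target).name.lower() if target else ""
    launches_root_exe = exe.endswith(".exe") and exe in names
    scr_twin = launches_root_exe and exe[:-4] + ".scr" in names
    decoys = sorted(n for n in names if n.endswith(".lnk") and n[:-4] in DECOY_NAMES)
    return {
        "autorun_exe": exe if launches_root_exe else None,
        "scr_twin": scr_twin,
        "decoy_shortcuts": decoys,
        "suspicious": launches_root_exe and (scr_twin or bool(decoys)),
    }


# Constructed sample: the autorun.inf content from the write-up with an example name.
SAMPLE_AUTORUN = r"""[auTOrUN]
AcTIon=Open folder to view files
SheLlEXECUtE=kanef.EXE
icon=%sySTEmrooT%\SysTem32\shElL32.dll,4
usEAutOPLAy=1
"""
# Constructed drive-root listing (hypothetical).
SAMPLE_ROOT = ["autorun.inf", "kanef.exe", "kanef.scr", "report.docx",
               "New Folder.lnk", "Passwords.lnk", "Documents.lnk",
               "Pictures.lnk", "Music.lnk", "Video.lnk"]

if __name__ == "__main__":
    print(triage_drive(SAMPLE_AUTORUN, SAMPLE_ROOT))
```

Because "autorun.inf" is inaccessible while the malware is running, read the file from a clean system or a forensic image of the drive.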

Last update 21 November 2011

 
