VBS/Teb.fam
Analysis
- Virus is VBScript with a file size of 2,615 bytes
- If Trojan VBScript is run, it may display a dialogue
box with the text
"Kaspersky Anti-Virus 5.0 BETA Setup is initializing, please wait..."
-
This Trojan contains an error in the script which prevents the rest of its code from executing, however the following observations were made when reviewing the code:
- The Trojan may attempt to delete the file "c:\Windows\System\Wsock32.dll"
- The Trojan may attempt to write a new file as "c:\hyberfil.sys" and insert this text into it -"Archivo eliminado por ser parte de Norton AV, Kaspersky Anti-Virus. "
- The Trojan may write a new startup file "c:\configs.sys" and insert this text into it:"Arhivo eliminado por ser parte de NOD32, Kaspersky Anti-Virus. "
- The Trojan may attempt to copy itself as the following file names -C:\My Shared Folder\KAV5.0_BETA.exe.vbs
C:\asd.exe
C:\explorer.exe
- The Trojan may then display several message boxes with suggestions that Kaspersky Antivirus has detected a virus -"Kaspersky Anti-Virus 5.0 BETA está instalado, por favor reporte cualquier BUG que encuentre a suggestions@kaspersky.com"
"Kaspersky Anti-Virus 5.0 BET is installed, please report any BUG found in it product"
"Instalación finalizada con éxito, por favor reinicie la compitadora"
"Please restart your computer"
"Kaspersky Anti-Virus 5.0 BETA build 4"
- The Trojan may then write a text file named "c:\Windows\AvpM.exe.vbs" and insert this text into it -"Eugene Kaspersky is the best!!!!"