Threat Encyclopedia

VBS/Teb.fam

Analysis

  • Virus is VBScript with a file size of 2,615 bytes
  • If Trojan VBScript is run, it may display a dialogue box with the text

    "Kaspersky Anti-Virus 5.0 BETA Setup is initializing, please wait..."

  • This Trojan contains an error in the script which prevents the rest of its code from executing, however the following observations were made when reviewing the code:
    - The Trojan may attempt to delete the file "c:\Windows\System\Wsock32.dll"
    - The Trojan may attempt to write a new file as "c:\hyberfil.sys" and insert this text into it -

    "Archivo eliminado por ser parte de Norton AV, Kaspersky Anti-Virus. "
    - The Trojan may write a new startup file "c:\configs.sys" and insert this text into it:

    "Arhivo eliminado por ser parte de NOD32, Kaspersky Anti-Virus. "
    - The Trojan may attempt to copy itself as the following file names -

    C:\My Shared Folder\KAV5.0_BETA.exe.vbs
    C:\asd.exe
    C:\explorer.exe
    - The Trojan may then display several message boxes with suggestions that Kaspersky Antivirus has detected a virus -

    "Kaspersky Anti-Virus 5.0 BETA está instalado, por favor reporte cualquier BUG que encuentre a suggestions@kaspersky.com"

    "Kaspersky Anti-Virus 5.0 BET is installed, please report any BUG found in it product"

    "Instalación finalizada con éxito, por favor reinicie la compitadora"

    "Please restart your computer"

    "Kaspersky Anti-Virus 5.0 BETA build 4"
    - The Trojan may then write a text file named "c:\Windows\AvpM.exe.vbs" and insert this text into it -

    "Eugene Kaspersky is the best!!!!"