Threat Encyclopedia

W32/VBDoor!tr

Analysis

  • The Trojan is 32-bit, with a compressed file size of 35,068 bytes
  • The Trojan was coded using Visual Basic 6
  • If the Trojan is run, a dialogue box may be displayed with the following content -

    CSFIX
    c:\winnt\system32\csfix.exe
    [OK]

  • The Trojan will copy itself to the %Windows%\System32 folder as "csfix.exe" and then modify the registry to load at next Windows startup as in this example -

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    microsoft = c:\WINNT\SYSTEM32\csfix.exe

  • The Trojan will attempt to communicate with a website and send a page notification message to an ICQ chat client ID as seen in the following example message -

    from=(username)&fromemail=moi@hotmail.com&subject=moi@hotmail.com&
    body=IP=192+169+0+128++PORT=2003++Password=mouton++
    Version+0+0&to=25705543&send="

  • The message above is posted over TCP port 80 to the web address 205.188.248.25 (clustera.icq.com), a server hosted by Mirabilis which can be used to send ICQ page messages. The message serves as a notification that the affected IP is infected by the Trojan

  • The Trojan will open TCP port 2003 and await instructions from a hacker or group of hackers

  • The Trojan contains the string "BBSatanus" in its code

Recommended Action

  • Block internal to external traffic (INT -> EXT) with source TCP port 2003
  • Block external to internal traffic (EXT -> INT) with destination TCP port 2003
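
The notification message shown in the Analysis section has a fixed layout, so it can be recognised in captured HTTP POST bodies (for example from a proxy or packet capture). The following Python sketch is an added example, not part of the original entry; the function names and the benign sample body are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Layout of the "body" field after URL decoding ('+' becomes a space).
BODY_RE = re.compile(
    r"IP=(\d{1,3}) (\d{1,3}) (\d{1,3}) (\d{1,3})\s+"
    r"PORT=(\d{1,5})\s+Password=(\S*)"
)

# Message as shown in the entry, joined onto one line.
PAGE_SAMPLE = (
    "from=(username)&fromemail=moi@hotmail.com&subject=moi@hotmail.com&"
    "body=IP=192+169+0+128++PORT=2003++Password=mouton++"
    'Version+0+0&to=25705543&send="'
)
# Constructed benign form post, for contrast.
BENIGN_SAMPLE = "from=alice&subject=hello&body=lunch+at+noon&to=12345"


def parse_notification(form_body):
    """Return details of the reporting host if form_body matches the
    Trojan's page notification, otherwise None."""
    fields = parse_qs(form_body, keep_blank_values=True)
    body = fields.get("body", [""])[0]
    recipient = fields.get("to", [""])[0]
    match = BODY_RE.search(body)
    if match is None or not recipient.isdigit():
        return None
    octets = [int(o) for o in match.group(1, 2, 3, 4)]
    port = int(match.group(5))
    if any(o > 255 for o in octets) or not 0 < port < 65536:
        return None
    return {
        "reported_ip": ".".join(str(o) for o in octets),
        "listen_port": port,
        "password_present": bool(match.group(6)),  # value itself not kept
        "icq_recipient": recipient,
    }


def scan(bodies):
    """Return (index, details) for every captured body that matches."""
    parsed = ((i, parse_notification(b)) for i, b in enumerate(bodies))
    return [(i, d) for i, d in parsed if d is not None]


if __name__ == "__main__":
    for index, details in scan([BENIGN_SAMPLE, PAGE_SAMPLE]):
        print(index, details)
```

A match identifies the internal host and listening port that the Trojan reported, which can then be checked against the Run key and csfix.exe file described above.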