Trojan:Win32/VB.IQ


Trojan:Win32/VB.IQ is a trojan downloader dropped by another malware, detected as Trojan:Win32/VB.IQ.dr. It connects to certain web servers to download other malware.
 
As of this writing, exploits for the Pointer Reference Memory Corruption Vulnerability in Internet Explorer are known to drop this trojan on vulnerable systems. Microsoft released Security Bulletin MS08-078 on December 17, 2008, which fixes this vulnerability. Microsoft recommends that users apply this update immediately. Users are advised to refer to Microsoft Security Bulletin MS08-078 for more information.


What to do now

Note:
This trojan may arrive on the system when you visit a website that contains code exploiting the Pointer Reference Memory Corruption Vulnerability in Internet Explorer discussed in Microsoft Security Bulletin MS08-078. Microsoft recommends that you apply the update immediately. Please refer to Microsoft Security Bulletin MS08-078 for more information.
 
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Trojan:Win32/VB.IQ is a trojan downloader dropped by another malware detected as Trojan:Win32/VB.IQ.dr.
Installation
Trojan:Win32/VB.IQ is dropped onto the system by Trojan:Win32/VB.IQ.dr. It also drops a copy of itself as %windir%\bravo.exe.
Payload
Downloads Arbitrary Files
Trojan:Win32/VB.IQ may contact the following web servers to download additional malware components:
 
130183245.no-ip.info
130183245.buxhere.com
130183245.blogspot.com
128048024760.no-ip.info
128048024760.buxhere.com
128048024760.blogspot.com
128048024663.no-ip.info
128048024663.buxhere.com
128048024663.blogspot.com
128048024566.no-ip.info
128048024566.buxhere.com
128048024566.blogspot.com
128048024469.no-ip.info
128048024469.buxhere.com
128048024469.blogspot.com
128048024372.no-ip.info
128048024372.buxhere.com
128048024372.blogspot.com
128048024275.no-ip.info
128048024275.buxhere.com
128048024275.blogspot.com
128048024178.no-ip.info
128048024178.buxhere.com
128048024178.blogspot.com
128048024081.no-ip.info
128048024081.buxhere.com
128048024081.blogspot.com
128048024984.no-ip.info
128048024984.buxhere.com
128048024984.blogspot.com
 
Drops Other Malware
Trojan:Win32/VB.IQ may drop and execute the following file:
%windir%\ppsap.exe - detected as Trojan:Win32/VB.IQ.dr
 
This ensures that Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ install each other.
 
Analysis by Jireh Sanico

Symptoms

System Changes
The following system changes may indicate the presence of this malware:
  • The presence of the following registry modifications:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "civic" = "%windir%\kimo.exe"
    "ppsap" = "%windir%\bravo.exe"
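The following is an added example, not code from the Microsoft entry, that turns the indicators on this page into a sweep a defender can run against two data sources: the 30 download domains from the Payload section (rebuilt from their numeric prefixes and the three parent domains) are matched exactly against DNS query log lines, and the Run-key value names from the Symptoms section together with the dropped file names (bravo.exe, ppsap.exe, kimo.exe) are checked in a .reg-style export of HKLM\...\Run. The DNS log format, the registry export contents and the function names are constructed for this example.

```python
"""IoC sweep for the Trojan:Win32/VB.IQ indicators listed on this page.

Added example, not Microsoft's code. The DNS log line format and the
registry export below are constructed; adapt the parsers to real sources.
"""
import re
from pathlib import PureWindowsPath

# Numeric prefixes and parent domains from the Payload section. The trojan
# contacts every prefix.parent combination, so the full set is rebuilt here.
IOC_PREFIXES = [
    "130183245", "128048024760", "128048024663", "128048024566",
    "128048024469", "128048024372", "128048024275", "128048024178",
    "128048024081", "128048024984",
]
IOC_PARENTS = ["no-ip.info", "buxhere.com", "blogspot.com"]
IOC_DOMAINS = {f"{p}.{parent}" for p in IOC_PREFIXES for parent in IOC_PARENTS}

# Run-key value names (Symptoms) and dropped file names (Installation/Payload).
IOC_RUN_VALUE_NAMES = {"civic", "ppsap"}
IOC_FILE_NAMES = {"kimo.exe", "bravo.exe", "ppsap.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def normalize_fqdn(name: str) -> str:
    """Lower-case and strip a trailing dot so 'x.no-ip.info.' matches the list."""
    return name.strip().rstrip(".").lower()


def scan_dns_log(lines):
    """Return (client, domain) pairs whose queried name is exactly an IoC domain.

    Exact matching is deliberate: the parents (no-ip.info, blogspot.com, ...)
    host plenty of legitimate names, so matching on the parent alone would be
    mostly noise. Constructed line format: '<timestamp> <client-ip> <qtype> <qname>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or blank line; skip rather than crash
        client, qname = parts[1], normalize_fqdn(parts[3])
        if qname in IOC_DOMAINS:
            hits.append((client, qname))
    return hits


def scan_run_key(reg_export: str):
    """Flag values under the Run key of a .reg export that match this entry.

    A value is flagged if its name is one the trojan writes ("civic", "ppsap")
    or if the command's file name is one of the dropped executables. Values
    under other keys (e.g. RunOnce) are ignored, so the key scope is respected.
    Returns (value_name, command, reason) tuples.
    """
    findings = []
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # undo .reg backslash escaping
        exe = PureWindowsPath(data.strip('"')).name.lower()
        reasons = []
        if name.lower() in IOC_RUN_VALUE_NAMES:
            reasons.append("value name")
        if exe in IOC_FILE_NAMES:
            reasons.append("file name")
        if reasons:
            findings.append((name, data, ", ".join(reasons)))
    return findings


# Constructed sample inputs (not real captures).
SAMPLE_DNS_LOG = [
    "2008-12-17T10:01:02 192.0.2.10 A www.example.com",
    "2008-12-17T10:01:05 192.0.2.10 A 128048024760.no-ip.info.",
    "2008-12-17T10:01:09 192.0.2.22 A someblog.blogspot.com",
    "2008-12-17T10:02:41 192.0.2.10 A 130183245.BUXHERE.COM",
]

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"civic"="C:\\WINDOWS\\kimo.exe"
"ppsap"="C:\\WINDOWS\\bravo.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"civic"="C:\\Temp\\unrelated.exe"
'''

if __name__ == "__main__":
    for client, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {domain}")
    for name, command, reason in scan_run_key(SAMPLE_REG_EXPORT):
        print(f"Run-key hit: {name} = {command} ({reason})")
```

On the sample inputs the DNS scan flags the two queries from 192.0.2.10 (the trailing dot and upper-case name are normalised away) while the legitimate blogspot.com name passes, and the registry scan flags the "civic" and "ppsap" values in the Run key but not the identically named value under RunOnce. On a real host, feed `scan_run_key` the output of `reg export` for the Run key and `scan_dns_log` your resolver's query log in whatever format it writes, after adjusting the field positions.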

Prevention


Alert level: Severe
First detected by definition: 1.49.477.0
Latest detected by definition: 1.49.477.0 and higher
First detected on: Dec 14, 2008
This entry was first published on: Dec 17, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
No known aliases