Backdoor:Win32/VB.CCO is a backdoor trojan that allows unauthorized access to an affected machine. This trojan could be instructed by a remote attacker to download and execute arbitrary files.
Installation
Backdoor:Win32/VB.CCO may be installed or dropped by another trojan known as "Trojan:Win32/Womcodi.gen".
Win32/Womcodi.gen may have been distributed in a spam e-mail message as a .ZIP file attachment containing an executable. The trojan may use filenames that mimic popular games, utilities and pirated software to entice users to open or execute it, such as the following:
sandboxie 3.24.zip
Sansa Media Converter 1.3.zip
Santa's Favourite Screensaver for Windows.zip
Sarah Xtreme Pro.v4.0.4966.zip
SATELLITE TV for PC 2008 ELITE EDITION [Retail No Keygen Required].zip
For more information about Win32/Womcodi, see the separate Trojan:Win32/Womcodi.gen entry.
When Backdoor:Win32/VB.CCO is run, it may drop a copy of itself as the following (the name mimics the legitimate Windows logon process, which resides only in %SystemRoot%\System32, never directly under the user profile):
%UserProfile%\winlogon.exe
The trojan modifies the following registry data, which controls how Internet Explorer assigns sites to the Local intranet zone (sites that bypass the proxy, sites without a period in the name, and UNC paths). The same values are set by some legitimate configurations, so on their own they are a weak indicator:
Modifies value: "ProxyBypass"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Modifies value: "IntranetName"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Modifies value: "UNCAsIntranet"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
It then launches the dropped file "%UserProfile%\winlogon.exe". The Windows shell records the program in MUICache the first time it runs, so the following registry value and data may be created. This entry is evidence that the dropped copy executed, not a persistence mechanism:
Adds value: %UserProfile%\winlogon.exe
With data: "winlogon"
To subkey: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
The registry is modified to execute the dropped trojan copy at each Windows start.
Adds value: "Windows Logon Applicationedc"
With data: "%UserProfile%\winlogon.exe"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
An additional registry value and data may be created. This key is written by the Visual Basic SaveSetting routine (the trojan is VB-compiled, as its detection name indicates) and serves as an infection marker:
Adds value: "x"
With data: "x"
To subkey: HKCU\Software\VB and VBA Program Settings\tm\x
Payload
Backdoor Functionality: Port 8000
This trojan attempts to establish a connection using TCP port 8000 with the remote host 'ns2.mysearchhere.net'. Because the connection is initiated outbound from the affected machine, it typically passes host and perimeter firewalls that only filter inbound traffic; over this channel a remote attacker can issue commands to the backdoor, including instructions to download and execute arbitrary files.
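The following triage script is an added example, not part of the original Microsoft entry, that checks a Windows host for the file, registry and network indicators listed in the Installation and Payload sections above. It only reads; it does not remediate. It goes slightly beyond the entry by also checking the Vista-and-later MUICache location and any Run value that points at a winlogon.exe outside System32. Assumptions: it runs in an elevated PowerShell session on Windows 8 / Server 2012 or later (for Get-NetTCPConnection and Get-DnsClientCache), and the optional Sysmon check assumes Sysmon is installed and logging Event ID 3 (network connections); that step is skipped silently when the log is absent.

```powershell
# Added triage script for the Backdoor:Win32/VB.CCO indicators above (not from the original entry).
# Read-only. Assumes an elevated session on Windows 8+/Server 2012+; Sysmon Event ID 3 logging is optional.

$ioc = [ordered]@{
    DroppedFile = Join-Path $env:USERPROFILE 'winlogon.exe'
    RunKey      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    RunValue    = 'Windows Logon Applicationedc'
    VbKey       = 'HKCU:\Software\VB and VBA Program Settings\tm\x'
    MuiKeys     = @(
        'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',                                # XP location, as listed in the entry
        'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'       # Vista and later (added generalization)
    )
    ZoneMap     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
    C2Host      = 'ns2.mysearchhere.net'
    C2Port      = 8000
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Dropped copy. The legitimate winlogon.exe lives only in %SystemRoot%\System32,
#    so a winlogon.exe directly under the user profile is suspect on its own.
if (Test-Path -LiteralPath $ioc.DroppedFile -PathType Leaf) {
    $f   = Get-Item -LiteralPath $ioc.DroppedFile
    $sha = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $findings.Add("STRONG  dropped file $($f.FullName) size=$($f.Length) sha256=$sha")
}

# 2. Persistence: the named Run value, plus any other Run value pointing at a winlogon.exe outside System32.
$run = Get-ItemProperty -Path $ioc.RunKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/etc. metadata
        $data = [string]$p.Value
        if ($p.Name -eq $ioc.RunValue -or ($data -like '*\winlogon.exe*' -and $data -notlike "*$env:SystemRoot\System32\*")) {
            $findings.Add("STRONG  Run value '$($p.Name)' = $data")
        }
    }
}

# 3. Infection marker written with Visual Basic's SaveSetting (the sample is VB-compiled).
if (Test-Path -LiteralPath $ioc.VbKey) {
    $findings.Add("STRONG  VB settings key present: $($ioc.VbKey)")
}

# 4. MUICache: Explorer records a program's description the first time it runs, so a
#    winlogon.exe entry outside System32 is evidence of execution, not of persistence.
foreach ($k in $ioc.MuiKeys) {
    $mui = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $mui) { continue }
    foreach ($p in $mui.PSObject.Properties) {
        if ($p.Name -like '*\winlogon.exe*' -and $p.Name -notlike "$env:SystemRoot\System32\*") {
            $findings.Add("MEDIUM  MUICache execution trace: $($p.Name) = '$($p.Value)'")
        }
    }
}

# 5. Internet Explorer zone map. Also set by legitimate configuration (Group Policy, admins),
#    so report these but treat them as weak indicators.
$zm = Get-ItemProperty -Path $ioc.ZoneMap -ErrorAction SilentlyContinue
foreach ($v in 'ProxyBypass', 'IntranetName', 'UNCAsIntranet') {
    if ($zm -and $zm.$v -eq 1) { $findings.Add("WEAK    ZoneMap $v = 1") }
}

# 6. Network: live TCP sessions to port 8000 (with owning image) and a cached lookup of the C2 hostname.
foreach ($c in (Get-NetTCPConnection -RemotePort $ioc.C2Port -ErrorAction SilentlyContinue)) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("MEDIUM  TCP $($c.RemoteAddress):$($c.RemotePort) state=$($c.State) pid=$($c.OwningProcess) image=$($proc.Path)")
}
foreach ($d in (Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object Entry -like "*$($ioc.C2Host)*")) {
    $findings.Add("STRONG  DNS cache: $($d.Entry) -> $($d.Data)")
}

# 7. Sysmon Event ID 3 history (assumption: Sysmon installed and logging network connections).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "DestinationPort: $($ioc.C2Port)\b" -or $_.Message -match [regex]::Escape($ioc.C2Host) }
foreach ($e in $events) {
    $fields = ($e.Message -split "`r?`n") | Where-Object { $_ -match '^\s*(Image|DestinationIp|DestinationHostname|DestinationPort):' }
    $findings.Add("MEDIUM  Sysmon EID3 $($e.TimeCreated): " + (($fields | ForEach-Object { $_.Trim() }) -join ' '))
}

if ($findings.Count -eq 0) {
    'No Backdoor:Win32/VB.CCO indicators found on this host.'
} else {
    $findings
}
```

Each finding carries a confidence tag: a winlogon.exe under the user profile, the named Run value, the VB settings key or a DNS cache hit for the C2 host are each strong on their own; a MUICache entry or a port 8000 session needs the owning image checked, and the ZoneMap values alone should not trigger an alert.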
Analysis by Wei Li