Detect Date | 04/13/2010 |
Class | Trojan-Downloader |
Platform | Win32 |
Description |
The Trojan ensures that hidden files cannot be shown by Explorer.exe by modifying the following system registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“Hidden” = “0”
“ShowSuperHidden” = “0”

The Trojan also ensures that file extensions cannot be shown by Explorer.exe by setting the following system registry key parameter:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“HideFileExt” = “1”

In order to prevent these parameters from being reverted, the Trojan disables “Folder Options” in Explorer.exe by setting the following system registry key parameter:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
“NoFolderOptions” = “1”

The Trojan then creates a hidden folder called “psador18.dll” in the Windows system directory:

%System%\ðsàdîr18.dll
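As an added defender's check (not part of the advisory), the following Python parses a text registry export and reports which of the Explorer settings listed above currently hold the values the Trojan writes; the key paths are the full forms of the HKCU/HKLM keys above, and the sample export is constructed for illustration.

```python
import re

# (registry key, value name) -> DWORD the advisory says the Trojan writes (REG_DWORD on Windows).
HKCU_ADV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HKLM_POL = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer"
TROJAN_SETTINGS = {
    (HKCU_ADV, "Hidden"): 0,
    (HKCU_ADV, "ShowSuperHidden"): 0,
    (HKCU_ADV, "HideFileExt"): 1,
    (HKLM_POL, "NoFolderOptions"): 1,
}
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')

def parse_reg_export(text):
    """Collect REG_DWORD values from 'reg export' text as {(key, name): int}, lower-cased
    because the registry is case-insensitive. (A real .reg file is UTF-16LE; decode first.)"""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := _KEY_RE.match(line):
            key = m.group(1).lower()
        elif (m := _DWORD_RE.match(line)) and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def find_explorer_tampering(reg_text):
    """Return, sorted, the value names that currently hold the setting the Trojan writes."""
    values = parse_reg_export(reg_text)
    return sorted(name for (key, name), bad in TROJAN_SETTINGS.items()
                  if values.get((key.lower(), name.lower())) == bad)

def is_suspicious(hits):
    """HideFileExt=1 and ShowSuperHidden=0 are Windows defaults, so alone they prove nothing.
    Hidden=0 is not a value the Folder Options UI writes (it uses 1 or 2) and NoFolderOptions
    is a policy value normally absent unless set by an administrator, so flag on those."""
    return bool({"Hidden", "NoFolderOptions"} & set(hits))

# Constructed sample of a 'reg export' from an infected machine (not taken from the advisory).
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000000
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoFolderOptions"=dword:00000001
"""
```

Run `find_explorer_tampering` over an export taken with `reg export` of the two keys, then `is_suspicious` on the result, to separate the Trojan's settings from the Windows defaults that look similar.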
The file contains the following email addresses: ot01_***@mail.ru
ot02_***@mail.ru
The Trojan also extracts a rootkit called “psagor18.sys” from its body. This file is placed in the Trojan’s working directory. The rootkit hides the presence of the “psador18.dll” and “AHTOMSYS19.exe” files. It also gives the Trojan the highest system privileges, making it impossible to delete the Trojan file or terminate Trojan processes. When the system is shut down, this file is deleted, but it is recreated when the system is rebooted.

The Trojan tracks the appearance of windows with the following titles (English translations of the Russian titles are given in parentheses):

NOD32 2.5 Control Center
Сканер NOD32 по требованию — [Профиль центра управления — Локально] (NOD32 on-demand scanner - [Control Center profile - Local])
Сканер NOD32 по требованию — [Профиль контекстного меню] (NOD32 on-demand scanner - [Context menu profile])
NOD32 — Предупреждение (NOD32 - Warning)
Пpeдупpeждeниe (Warning)
Редактор конфиг (Config editor)
Антивирус Касперского Personal (Kaspersky Anti-Virus Personal)
0- выполняется проверка… (0- scan in progress…)
Карантин (Quarantine)
Настройка обновления (Update settings)
Настройка карантина и резервного хранилища (Quarantine and backup storage settings)
Выберите файл для отправки на исследование (Select a file to send for analysis)
AVP.MessageDialog
AVP.MainWindow
AVP.Product_Notification
AVP.SettingsWindow
AVP.ReportWindow
Agnitum Outpost Firewall — configuration.cfg
Настройка системы (System Configuration)
Редактор реестра (Registry Editor)
RegEdit_RegEdit

If the Trojan detects such windows, it closes them automatically.

The Trojan also looks for removable flash drives. If it finds one, it copies its body to the drive as “CDburn.exe” and creates an “autorun.inf” file that points to the Trojan’s body, so that the Trojan is launched automatically each time the device is connected.

The Trojan also harvests email addresses from the victim machine and sends an email message to them. The email has an empty subject line and the following contents:

Я незнаю ее там помоему небыло(((… вот, посмотри http://softclub.land.ru/seeing/katie.rar
(I don't know, I don't think she was there(((… here, have a look http://softclub.land.ru/seeing/katie.rar)
|