Upon execution, this memory-resident malware drops a copy of itself into the %System% folder under a randomly chosen file name that mimics a legitimate application, such as:
- logon.exe
- lsass.exe
- iexplore.exe
- winamp.exe
- csrs.exe
It creates the following registry entry for its automatic execution at start up:
KEY: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
VALUE:
TYPE: REG_SZ
DATA: %System%\.exe
The VALUE name depends on which file name the malware used; it is one of the following:
- Windows Logon Application
- Local Security Authority Service
- Microsoft Internet Explorer
- Winamp Agent
- Client Server Runtime Process
It compromises the system by scanning for open ports and connecting to an unspecified IRC server, where it waits for commands from a remote user. Those commands let the attacker:
- Download and upload files
- Sniff network packets
- Gather login information, cached passwords
- Gather the following network information: hostname, type, latency, firewall, speed
- Gather the following system information: CPU speed, free disk space, free memory, computer name, user
It can also propagate through network shares protected by weak passwords and by exploiting known Windows vulnerabilities.
Disinfect:
- Scan your system with Virusbuster. Terminate and delete all files detected as Backdoor.VanBot.FQ.
- Open REGEDIT.EXE and restore registry entries.
- Apply latest Microsoft patches from Windows Update.
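The following Python script is an added example, not part of this description or of the Virusbuster product. It supports two steps above: checking the HKLM Run key for the value names and file names listed for this backdoor, and locating the entries that the "restore registry entries" disinfection step refers to. Instead of reading the live registry, it parses a Regedit export (the text produced by `reg export`), so it can be run offline against a dump taken from the suspect machine; the export below is a constructed sample. The indicator lists are taken from the description; everything else (function names, the sample entries, the `VendorTray` and `Updater` values) is assumed for the example.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the description above: Run value names and file names
# used by Backdoor.VanBot.FQ.
SUSPECT_VALUE_NAMES = {
    "Windows Logon Application",
    "Local Security Authority Service",
    "Microsoft Internet Explorer",
    "Winamp Agent",
    "Client Server Runtime Process",
}
# Note: the genuine lsass.exe and csrss.exe are started by the system, never
# from a Run key, so any Run entry pointing at these names is suspect.
SUSPECT_FILE_NAMES = {"logon.exe", "lsass.exe", "iexplore.exe", "winamp.exe", "csrs.exe"}

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# One REG_SZ line of a .reg export:  "name"="data"  (backslash-escaped)
_REG_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')

# Constructed sample export (hypothetical machine); the RunOnce key is
# included to show that only the Run key is inspected.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
"Local Security Authority Service"="C:\\WINDOWS\\system32\\lsass.exe"
"Updater"="\"C:\\Program Files\\Tool\\csrs.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Client Server Runtime Process"="C:\\WINDOWS\\system32\\notepad.exe"
"""


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " in a single pass."""
    return re.sub(r'\\(.)', r'\1', s)


def _executable_name(data):
    """Base name of the program in a Run value's data, honouring a quoted path."""
    if data.startswith('"'):
        exe = data[1:].split('"', 1)[0]
    else:
        exe = data.split(' ', 1)[0]
    return PureWindowsPath(exe).name.lower()


def parse_run_entries(reg_export):
    """Return {value_name: data} for REG_SZ values under the HKLM Run key."""
    entries = {}
    in_run_key = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # A new key header; only the Run key is of interest here.
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _REG_LINE.match(line)
        if m:
            entries[_unescape(m.group("name"))] = _unescape(m.group("data"))
    return entries


def find_suspicious_run_entries(reg_export):
    """Return [(value_name, data, reason)] for Run values matching the indicators."""
    findings = []
    for name, data in parse_run_entries(reg_export).items():
        reasons = []
        if name in SUSPECT_VALUE_NAMES:
            reasons.append("value name used by Backdoor.VanBot.FQ")
        exe = _executable_name(data)
        if exe in SUSPECT_FILE_NAMES:
            reasons.append(f"file name {exe} used by Backdoor.VanBot.FQ")
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, data, reason in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f'{name!r} -> {data}\n    {reason}')
```

Against the sample the script flags the `Local Security Authority Service` value (both its name and its `lsass.exe` target match) and the `Updater` value (its target is `csrs.exe`), while the vendor tray entry and the RunOnce entry are left alone. A match only tells you which Run entries to examine; confirm the file on disk with the scanner before deleting the value with REGEDIT.EXE.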