VBS/Edibara-B

Category: Viruses and Spyware
Protection available since: 20 Dec 2007 17:08:57 (GMT)
Type: Visual Basic Script virus
Last updated: 29 Feb 2012 14:06:20 (GMT)
Prevalence:


VBS/Edibara-B is a Visual Basic script virus.

The virus drops the following files:

<System32>\TPS32E.dll
<System32>\TPS32V.dll
<System32>\Systemv.dll
<System32>\config\Netlogon.vbs
<System32>\dd.txt
<System32>\se3gl9km.bat
<System32>\NetLogon.exe

The NetLogon.vbs script attempts to modify htm, html and htt files on fixed and remote drives to include a segment of Visual Basic script that infects other systems when they read the infected files.

The script creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
ComService
<pathname to NetLogon.vbs file>

The NetLogon.exe file is initially dropped as <System32>\Demon and then copied to <System32>\NetLogon.exe.

The NetLogon.exe file includes functionality to download, install and run new software.

The following registry entries are created to run the NetLogon.exe file on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
(default)
<pathname of NetLogon.exe file>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
(default)
<pathname of NetLogon.exe file>

The NetLogon.exe file changes settings for Microsoft Internet Explorer by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\

The NetLogon.exe file sets the following registry entries:

HKCU\Software\Microsoft\Internet Explorer
Download Directory
<System>\drivers

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
(default)
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
0
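
As an added triage example (not Sophos code), the Python below parses the text of a `reg export` dump and reports the registry changes described above: any value under Policies\Explorer\Run in either hive, a SHOWALL CheckedValue other than the clean Windows default of 1, and an Internet Explorer download directory ending in \drivers. The sample export, its paths, the rule names and the function names are constructed for illustration.

```python
import re
# Key paths from the write-up, lower-cased and without the hive (HKLM or HKCU).
POLICY_RUN = r"\software\microsoft\windows\currentversion\policies\explorer\run"
SHOWALL = r"\software\microsoft\windows\currentversion\explorer\advanced\folder\hidden\showall"
IE_ROOT = r"\software\microsoft\internet explorer"

def decode(data):  # .reg value data -> int (dword) or unescaped string
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # hex(...) and other types are kept raw

def parse_reg(text):  # .reg export text -> {key: {value_name: data}}
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = decode(m.group(2))
    return keys

def triage(text):  # -> [(rule, key, value_name, data)] for settings the write-up lists
    hits = []
    for key, values in parse_reg(text).items():
        low = key.lower()
        for name, data in values.items():
            if low.endswith(POLICY_RUN):  # any autorun value here deserves review
                hits.append(("policies-run", key, name, data))
            elif low.endswith(SHOWALL) and name.lower() == "checkedvalue" and data != 1:
                hits.append(("showall-checkedvalue", key, name, data))  # clean default: 1
            elif (low.endswith(IE_ROOT) and name.lower() == "download directory"
                  and str(data).lower().endswith("\\drivers")):
                hits.append(("ie-download-dir", key, name, data))
    return hits

# Constructed sample export; paths and values are illustrative, not from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"ComService"="C:\\WINDOWS\\system32\\config\\Netlogon.vbs"
@="C:\\WINDOWS\\system32\\NetLogon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"Download Directory"="C:\\WINDOWS\\system32\\drivers"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''
if __name__ == "__main__": print(*triage(SAMPLE), sep="\n")
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `triage`.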

