Troj/VB-ZD

Aliases	Backdoor.Win32.VB.zd SkServer BKDR_VB.ZD
Category	Viruses and Spyware
Type	Trojan
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Characteristics	Drops more malware Installs itself in the registry
Protection available since	8 April 2005 13:01:47 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing Trojans.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Summary
Action
More Information

Troj/VB-ZD is a Trojan dropper for windows based systems. The Trojan sets up a Trojan proxy on an infected computer.

Troj/VB-ZD creates a copy of itself named ipconfig.sys in the folder it was originally run from. The Trojan then drops four files - mswinsck.ocx and bsmtp.dll into the Windows system folder, and rundll32.exe and svchost.exe into the same folder that the Trojan was originally run from. Mswinsk.ocx is a clean Microsoft file, and bsmtp.dll is a clean file that provides an SMTP mail engine for other programs to use. Rundll32.exe is part of the Trojan, also detected as Troj/VB-ZD, and it is this component that drops and configures the file svchost.exe.

Svchost.exe is a Trojan proxy, and is detected as Troj/SkSocket-C. Once the proxy has been copied to the system folder, it is then configured, and an email notification sent to a specified address informing a remote intruder that the computer is infected, and which port it can be contacted on.

Troj/VB-ZD creates the following registry entries to ensure that it is started at system start up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Background Intelligent Transfer Service
<Path to Trojan>/rundll32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Network Connections
<Path to Trojan>/internat.exe

This results in an email being sent to a remote intruder every time the system is started, informing the intruder that the infected computer is ready for use.

When Troj/VB-ZD is registered as a service it creates entries under the following registry entry, and has its startup type set to automatic so it is run whenever the system starts:

HKLM\SYSTEM\CurrentControlSet\Services\
SkServer

Troj/VB-ZD has a display name of "Snake SockProxy Service".

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Troj/VB-ZD

Summary

Action

More Information