What are the Symptoms of W32/Vulcanbot Infection?
It will modify the Windows Registry and add the following entries:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: “%SystemDirectory%\userinit.exe,[Path to executable]\[executable name].exe”
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Userinit”: “%SysDir%\userinit.exe, %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows Update”: “C:\Program Files\Windows NT\Windows Update\wuauclt.exe”
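
A check for the Userinit change listed above, as an added example that is not part of the original description: it splits a Winlogon Userinit value on commas and reports every entry other than the stock userinit.exe. The function names and the default C:\Windows\system32 system directory are assumptions made for this example.

```python
import ntpath

WINLOGON_KEY = r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

def _norm(path):
    # Case-insensitive, separator-insensitive comparison form of a Windows path.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))

def extra_userinit_entries(value, system_dir=r"C:\Windows\system32"):
    """Return every program in a Userinit value that is not the stock userinit.exe."""
    # Assumption: a clean system launches only userinit.exe from the system directory.
    expected = _norm(ntpath.join(system_dir, "userinit.exe"))
    extras = []
    for raw in value.split(","):
        if not raw.strip():
            continue  # the stock value ends with a trailing comma
        if _norm(raw) != expected:
            extras.append(raw.strip())
    return extras

def read_userinit(hive_name):
    """Read Userinit from HKLM or HKCU; None when the value is absent (Windows only)."""
    import winreg  # imported here so the parsing logic also runs on other platforms
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    try:
        with winreg.OpenKey(hive, WINLOGON_KEY) as key:
            return winreg.QueryValueEx(key, "Userinit")[0]
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    import os
    sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    for hive_name in ("HKLM", "HKCU"):
        value = read_userinit(hive_name)
        if value is None:
            print(hive_name, "Userinit not set")
            continue
        for extra in extra_userinit_entries(value, sysdir):
            print(hive_name, "unexpected Userinit entry:", extra)
```

A userinit.exe located outside the system directory is reported as well, since the comparison is on the full normalised path rather than the file name.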
The threat will drop the following malicious files:
- %UserDir%\Application Data\Java\jre6\bin\jucheck.exe
- %UserDir%\Application Data\Java\jre6\bin\zf32.dll
- %UserDir%\Application Data\Microsoft\Internet Explorer\Quick Launch\VPSKEYS 4.3.lnk
- %RootDir%\Program Files\Adobe\AdobeUpdateManager.exe
- %RootDir%\Program Files\Java\jre6\bin\jucheck.exe
- %RootDir%\Program Files\Microsoft Office\Office11\OSA.exe
- %SysDir%\mscommon.inf
- %SysDir%\msconfig32.sys
- %SysDir%\zf32.dll
- %SysDir%\Setup\AdobeUpdateManager.exe
- %SysDir%\Setup\jucheck.exe
- %SysDir%\Setup\MPClient.exe
- %SysDir%\Setup\MPSvc.exe
- %SysDir%\Setup\OSA.exe
- %SysDir%\Setup\wuauclt.exe
- %SysDir%\Setup\zf32.dll


remote host created by the attacker << Great Detected By McAfee.