How to remove Trojan.VBCrypt (hostsys.exe)
A new trojan recently started making its way around the web. It is not yet identified by antivirus products, but our analysis detected clearly malicious activity. The first installer for this threat was found on an obscure Arabic upload service, m5azen.net, under the random name m5azen77d4ea3b8f.exe. Learn how to remove Trojan.Vbcrypt and all traces of its infection.
File parameters
File MD5: 0x9D2F8D268D3B43672280BDF65B34D1B3
File SHA-1: 0xBA10F39EAF2AA9C3101C0E791E14FA6BF3790EA3
Filesize: 73,728 bytes
Download VBCrypt Removal Tool
System changes
Here is the list of changes made by this file:
----------------------------------
Keys added: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\DownloadManager
----------------------------------
Values added: 33
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update System: "C:\Documents and Settings\Administrator\Application Data\hostsys.exe"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System: "C:\Documents and Settings\Administrator\Application Data\hostsys.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System: "C:\Documents and Settings\Administrator\Application Data\hostsys.exe"
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\z5nmra77q4rn3o8s.rkr: 01 00 00 00 06 00 00 00 C0 A7 18 D7 6C AE CC 01
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update System: "C:\Documents and Settings\Administrator\Application Data\hostsys.exe"
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Desktop\m5azen77d4ea3b8f.exe: "m5azen77d4ea3b8f"
----------------------------------
Values modified: 7
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: F3 33 E0 98 2B 8B 79 F3 C7 8F 70 74 54 63 9D 7C 07 27 1C AC 87 F8 E7 C0 E3 6D 59 0B F4 7B 62 1C 5C 4E BB F2 E6 36 BF BD 08 02 B4 96 1E C6 DA FD B4 66 FA 7B F2 A7 B5 B4 27 8C 20 AA D5 6D C8 42 2C 86 14 DB 64 02 27 67 3E F3 44 27 02 84 7C 86
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 15 E8 6B 68 3C 72 E1 7E E5 43 CD 17 F5 31 9B 36 45 93 15 D0 B8 4B 75 D6 7C A6 35 BD 09 CA 69 ED 9B AA FC FA 28 B2 37 2C CD 72 EE 9D 3B 03 CA 0A 85 48 BF 45 50 DB 18 EA 97 E5 13 E9 17 0D B9 67 E7 53 C7 D6 27 D5 DE E5 CD FA 78 E0 5E 3E 1A 03
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000015
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Epoch\Epoch: 0x00000016
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000015
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000016
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 0A 00 00 00 E0 98 5B C4 6C AE CC 01
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 0B 00 00 00 C0 A7 18 D7 6C AE CC 01
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 07 00 00 00 40 F0 55 95 6C AE CC 01
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 08 00 00 00 B0 BF 52 D6 6C AE CC 01
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 A0 0A C0 E8 BB A9 CC 01 01 00 00 00 C0 A8 19 80 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 05 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 A0 0A C0 E8 BB A9 CC 01 01 00 00 00 C0 A8 19 80 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1202660629-527237240-1417001333-500\SessionInformation\ProgramCount: 0x00000003
HKU\S-1-5-21-1202660629-527237240-1417001333-500\SessionInformation\ProgramCount: 0x00000002
----------------------------------
Files added: 6
----------------------------------
C:\Documents and Settings\Administrator\Application Data\hostsys.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\flaF6K0362.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\S9AZSXQ3\m5azen55d8b230f0[1].exe
----------------------------------
Files [attributes?] modified: 6
----------------------------------
C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
----------------------------------
Total changes: 47
----------------------------------
Browser hijack
The default home page and search engine were also hijacked and redirected to gux-search.com:

Drive-by Downloads
Downloads an additional file, flaF6K0817.exe, and places it in the C:\Documents and Settings\Administrator\Local Settings\Temp\ folder.
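The change list above shows the three things a defender wants to pull out of a report like this: the Run-key autostart entry, the firewall exception granted to the same binary, and the executables dropped into profile and temp folders (the UserAssist entry additionally records, ROT13-encoded, that the installer was launched from the Desktop). The script below is an added example, not the post's removal tool or any vendor code; it re-parses a subset of the post's own change lines (embedded as constructed sample input), applies detection rules that are this example's assumptions, and decodes the UserAssist value name and its count/FILETIME payload.

```python
"""Triage a sandbox "system changes" list for the persistence and drop
indicators described in the post.  Added example, not the post's tool or
any vendor's code.  The sample lines are copied from the post; the
"key: value" parsing and the detection rules are this example's assumptions."""
import codecs
import struct
from datetime import datetime, timedelta

# Constructed input: a subset of the post's change list, one entry per line.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update System: "C:\Documents and Settings\Administrator\Application Data\hostsys.exe"
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\Windows Update System: "C:\Documents and Settings\Administrator\Application Data\hostsys.exe"
HKU\S-1-5-21-1202660629-527237240-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\z5nmra77q4rn3o8s.rkr: 01 00 00 00 06 00 00 00 C0 A7 18 D7 6C AE CC 01
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\Epoch: 0x00000016
C:\Documents and Settings\Administrator\Application Data\hostsys.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\flaF6K0362.exe
C:\Documents and Settings\Administrator\Cookies\index.dat
"""

HIVES = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")
# Directories a user-mode dropper typically writes to (assumed rule, lower-case).
DROP_DIRS = ("\\application data\\", "\\local settings\\temp\\",
             "\\temporary internet files\\")


def parse_line(line):
    """Split one report line into (kind, key_or_path, value).  Registry lines
    are 'key: value'; the value is whatever follows the LAST ': ' so that the
    colons inside ROT13 value names (HRZR_EHACNGU:P:\\...) do not break it."""
    line = line.strip()
    if not line:
        return None
    if line.startswith(HIVES):
        key, _, value = line.rpartition(": ")
        return ("registry", key, value.strip('"'))
    return ("file", line, "")


def decode_userassist(value_name, data_hex):
    """Decode a UserAssist Count entry: the value name is ROT13 and the data
    is <session:4><count:4><FILETIME:8>, all little-endian."""
    name = codecs.decode(value_name, "rot_13")
    session, count, filetime = struct.unpack("<IIQ", bytes.fromhex(data_hex)[:16])
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    last_run = datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)
    # Windows XP stores this counter offset by 5, so a stored 6 means one launch.
    return {"name": name, "session": session, "count": count, "last_run": last_run}


def triage(report_text):
    """Return (rule, subject, detail) findings for every suspicious entry."""
    findings = []
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, key, value = parsed
        lower = key.lower()
        if kind == "registry":
            if "\\currentversion\\run\\" in lower:
                # Autostart value: survives reboot, runs the dropped binary.
                findings.append(("autorun", key.rsplit("\\", 1)[1], value))
            elif "\\firewallpolicy\\" in lower and "\\authorizedapplications\\list\\" in lower:
                # Same binary whitelisted in the Windows Firewall.
                findings.append(("firewall-exception", key.rsplit("\\", 1)[1], value))
            elif "\\userassist\\" in lower and "\\count\\" in lower:
                ua = decode_userassist(key.split("\\Count\\", 1)[1], value)
                findings.append(("executed", ua["name"], ua))
        elif lower.endswith(".exe") and any(d in lower for d in DROP_DIRS):
            findings.append(("dropped-executable", key, ""))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in triage(SAMPLE_REPORT):
        print(f"{rule:20} {subject} {detail}")
```

Run it as-is and it reports one autorun entry and one firewall exception, both named "Windows Update System" and both pointing at hostsys.exe, the decoded launch of m5azen77d4ea3b8f.exe from the Desktop with its timestamp, and the two dropped executables; the Epoch and index.dat lines produce nothing. The same rules apply unchanged to a full export of the Run keys and the AuthorizedApplications list from a live machine when checking whether the cleanup actually removed the persistence.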
Removal
Download the dedicated removal tool, which finds and disinfects all instances of Trojan.Vbcrypt on your PC. It works in semi-automatic mode: you choose which files to remove from the list of detected items.
Download VBCrypt Removal Tool
The trojan can also be removed with Malwarebytes Anti-Malware, which detects it as Trojan.VBCrypt.