How to Prevent and Remove the VBInject.KR
Submitted by AndyHuang Sun, 12 Dec 2010

1. What is the VBInject.KR

VirTool:Win32/VBInject.KR is a hazardous trojan program that can download and install additional nasty malware applications such as trojans, spyware, adware and viruses onto your infected system. VirTool:Win32/VBInject.KR is known to change processes and system files and to block legitimate security utilities from receiving updates. VirTool:Win32/VBInject.KR represents a security risk for the compromised system and/or its network environment.

2. Technical Details

a. The following files were created in the system:

| No. | Filename | Size |
|-----|----------|------|
| 1 | %AppData%\C-76947-8457-2745\msnliveap.exe; %Temp%\8570.exe; [file and pathname of the sample #1] | 4,512,256 bytes |
| 2 | %AppData%\msnl.exe; %Temp%\7158193.exe | 470 bytes |

* Notes:
  o %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  o %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
* The following directory was created:
  o %AppData%\C-76947-8457-2745

b. Memory Modifications

* There were new memory pages created in the address space of the system process(es):

| Process Name | Process Filename | Main Module Size |
|--------------|------------------|------------------|
| msnl.exe | %AppData%\msnl.exe | 65,536 bytes |

c. Registry Modifications

The newly created Registry Values are:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  o Windows System Guard = "%AppData%\msnl.exe"
  so that msnl.exe runs every time Windows starts
* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  o WindowsDriverControl = "%AppData%\C-76947-8457-2745\msnliveap.exe"
  so that msnliveap.exe runs every time Windows starts

d. Other details

* The following ports were open in the system:

| Port | Protocol | Process |
|------|----------|---------|
| 1059 | TCP | msnl.exe (%AppData%\msnl.exe) |
| 1060 | UDP | msnl.exe (%AppData%\msnl.exe) |

* There were registered attempts to establish connection with the remote hosts. The connection details are:

| Remote Host | Port Number |
|-------------|-------------|
| 109.123.108.61 | 81 |
| 98.158.190.129 | 81 |
| 81.173.18.21 | 80 |

* The data identified by the following URLs was then requested from the remote web server:
  o http://dickolsthoorn.nl/biz.exe
  o http://dickolsthoorn.nl/newbin.exe

3. How-to's

a. How to prevent the VBInject.KR?

Please update the policy knowledge base of Sax2 in time. Once Ax3soft Sax2 detects the communication of these trojans, it will break it and ensure your network and business security.

b. How to Remove the VBInject.KR Manually?

Step 1: Use Windows Task Manager to Remove VBInject.KR Processes

  %AppData%\msnl.exe

Step 2: Use Registry Editor to Remove VBInject.KR Registry Values

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  Windows System Guard = "%AppData%\msnl.exe"

  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  WindowsDriverControl = "%AppData%\C-76947-8457-2745\msnliveap.exe"

Step 3: Detect and Delete Other VBInject.KR Files

  %AppData%\C-76947-8457-2745\msnliveap.exe
  %Temp%\8570.exe
  [file and pathname of the sample #1]
  %AppData%\msnl.exe
  %Temp%\7158193.exe

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan for spyware on your machine. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start.

Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
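
The three manual checks in section 3b can be run as a single read-only audit before anything is deleted. The PowerShell script below is an added example, not part of the original article; it uses only the process name, registry values and file paths listed above, plus the WOW6432Node view of the Run key, which is an assumption for 64-bit Windows.

```powershell
# Read-only audit for the VBInject.KR indicators listed in this article.
# It reports what is present and deletes nothing. Run it as the affected
# user, because %AppData%, %Temp% and HKCU are per-user.
$files = @(
    "$env:APPDATA\C-76947-8457-2745\msnliveap.exe",
    "$env:APPDATA\msnl.exe",
    "$env:TEMP\8570.exe",
    "$env:TEMP\7158193.exe"
)
$run = 'Microsoft\Windows\CurrentVersion\Run'
$runValues = @(
    @{ Key = "HKLM:\SOFTWARE\$run"; Name = 'Windows System Guard' },
    @{ Key = "HKCU:\Software\$run"; Name = 'WindowsDriverControl' },
    # Assumption, not from the article: on 64-bit Windows a 32-bit process
    # writing the HKLM value above is redirected to the WOW6432Node view.
    @{ Key = "HKLM:\SOFTWARE\WOW6432Node\$run"; Name = 'Windows System Guard' }
)
$findings = @()

# Step 1: is a process named msnl running, and from which path?
# Path can be empty when the process cannot be opened by this user.
Get-Process -Name 'msnl' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Item = "PID $($_.Id)"; Detail = $_.Path }
}

# Step 2: the autostart values under the Run keys.
foreach ($rv in $runValues) {
    $prop = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($prop) {
        $findings += [pscustomobject]@{
            Type = 'RunValue'; Item = "$($rv.Key)\$($rv.Name)"; Detail = $prop.($rv.Name)
        }
    }
}

# Step 3: the dropped files (-Force so hidden files are included).
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        $item = Get-Item -LiteralPath $f -Force
        $findings += [pscustomobject]@{ Type = 'File'; Item = $f; Detail = "$($item.Length) bytes" }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { Write-Output 'None of the listed VBInject.KR indicators were found for this user.' }
```

File sizes in the output can be compared with the 4,512,256-byte and 470-byte sizes in the table in section 2a.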

I'm a network security expert and found that detecting and resolving network security problems with the intrusion software Sax2 is a good way. It can resolve many problems, such as ARP spoofing, SQL injection attacks, worms, backdoor Trojans and so on.

Source: ArticleTrader.com