sueviva - Sharing Is Caring

File Behavior 

VSBNTLO.EXE has been seen to perform the following behavior:

• Executes a Process
• Injects code into other processes
• This Process Deletes Other Processes From Disk
• Creates new folders on the system
• Copies files
• This process creates other processes on disk
• Injects code into other processes
• Uses DNS to retrieve the IP address for web sites
• Adds a Registry Key (RUN) to auto start Programs on system start up
• Writes to another Process's Virtual Memory (Process Hijacking)
• Can communicate with other computer systems using HTTP protocols
• Executes Processes stored in Temporary Folders
• Hooks the WININET.DLL function allowing it to read or copy Http and Https web page content and session information
• Registers a Dynamic Link Library File
• Downloads program file(s) and other content from the web
• Performs DNS look ups to resolve URL IP addresses
• Found on infected systems and resists interrogation by security products
• Creates new folders in the file system
• Uses low level functions to hide itself from the user and from system/security processes

• Added as a Registry auto start to load Program on Boot up
• Executed as a Process
• Created as a process on disk
• Deleted as a process from disk
• Copied to multiple locations on the system
• Has code inserted into its Virtual Memory space by other programs
• Terminated as a Process
• Created by processes which appear to be checking for interception by security products
• Downloaded from covert web sites without the user knowing
• Registered as a Dynamic Link Library File
• Executed from Temporary Folders