Virus: TR/Spy.Buzus.gyj
Date discovered: 23/05/2008
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Medium
Static file: No
IVDF version: 7.00.04.80 - Friday, May 23, 2008

 General Method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Spy-Agent.bw trojan
   •  Kaspersky: Trojan.Win32.Buzus.gyj
   •  F-Secure: Trojan.Win32.Buzus.gyj
   •  Eset: Win32/Wigon.BC trojan
   •  Bitdefender: Trojan.Spy.WSNPoem.CN

It was previously detected as:
   •  TR/Drop.Agent.70774


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Registry modification
   • Steals information
   • Third party control

Files
It copies itself to the following location:
   • %SYSDIR%\ntos.exe



The following files are created:

– Temporary files that might be deleted afterwards:
   • %SYSDIR%\wnspoem\audio.dll
   • %SYSDIR%\wnspoem\video.dll

Registry
The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Userinit"="c:\windows\system32\userinit.exe,"
   New value:
   • "Userinit"="c:\windows\system32\userinit.exe,%SYSDIR%\ntos.exe,"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network]
   New value:
   • "UID"="%computer name%_%hex values%"
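As an added example (not part of the original description), the Python below checks a registry snapshot for the two changes listed above. It splits the Winlogon Userinit value the way Winlogon does (comma-separated, trailing comma allowed, quotes tolerated) and reports every entry that is not the genuine userinit.exe in the system directory, which is how the %SYSDIR%\ntos.exe persistence shows up. It also tests whether a Network\UID value has the "%computer name%_%hex values%" shape reported above. The value names and the %SYSDIR% placeholder follow the description; the snapshot dictionaries, the host name WORKSTATION7 and the hex string are constructed for the example, and the premise that a clean Userinit lists only userinit.exe is an assumption. On a live host the two values would be read with reg query or Get-ItemProperty and passed in as strings.

```python
import re

# Registry values named in the description (HKLM, Windows NT\CurrentVersion).
WINLOGON_USERINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
NETWORK_UID = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID"

# Assumption: on a clean system Userinit runs only the real userinit.exe from
# the system directory. Every other entry in the list is started at logon too.
DEFAULT_SYSDIR = r"c:\windows\system32"


def split_userinit(value):
    """Split a Userinit value into its program entries.

    Winlogon treats the value as a comma-separated list; the trailing comma
    on a stock value yields no entry. Quotes and surrounding whitespace are
    stripped so quoted and unquoted forms of the same path compare equal.
    """
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').strip()
        if entry:
            entries.append(entry)
    return entries


def normalize_path(path, sysdir=DEFAULT_SYSDIR):
    """Lower-case a path, expand the description's %SYSDIR% placeholder and
    collapse doubled separators so variants of one path compare equal."""
    p = path.lower().replace("%sysdir%", sysdir.lower())
    p = p.replace("/", "\\")
    return re.sub(r"\\+", r"\\", p)


def unexpected_userinit_entries(value, sysdir=DEFAULT_SYSDIR):
    """Return Userinit entries that are not the genuine userinit.exe.

    The comparison is on the full normalized path, so a copy named
    userinit.exe placed in another directory is still reported.
    """
    expected = normalize_path(sysdir + r"\userinit.exe", sysdir)
    return [e for e in split_userinit(value)
            if normalize_path(e, sysdir) != expected]


def looks_like_bot_uid(uid_value, computer_name):
    """True if a Network\\UID value has the "%computer name%_%hex values%"
    shape reported in the description for this host. The page documents no
    legitimate use of the value, so a match is a lead, not proof."""
    prefix = computer_name.lower() + "_"
    v = uid_value.lower()
    return v.startswith(prefix) and re.fullmatch(r"[0-9a-f]+", v[len(prefix):]) is not None


def triage(snapshot, computer_name, sysdir=DEFAULT_SYSDIR):
    """Evaluate a {value_path: data} snapshot and return human-readable findings."""
    findings = []
    for entry in unexpected_userinit_entries(snapshot.get(WINLOGON_USERINIT, ""), sysdir):
        findings.append("Winlogon\\Userinit also runs: " + entry)
    uid = snapshot.get(NETWORK_UID)
    if uid is not None and looks_like_bot_uid(uid, computer_name):
        findings.append("Network\\UID looks like a bot identifier: " + uid)
    return findings


# Constructed snapshots: the Userinit strings are the old/new values from the
# description; the host name and hex UID are made up for the example.
CLEAN_SNAPSHOT = {
    WINLOGON_USERINIT: r"c:\windows\system32\userinit.exe,",
}
INFECTED_SNAPSHOT = {
    WINLOGON_USERINIT: r"c:\windows\system32\userinit.exe,%SYSDIR%\ntos.exe,",
    NETWORK_UID: "WORKSTATION7_1A2B3C4D",
}

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN_SNAPSHOT), ("infected", INFECTED_SNAPSHOT)):
        print(name + ":", triage(snap, "WORKSTATION7") or ["no findings"])
```

The full-path comparison matters more than it looks: a dropper that calls itself userinit.exe in another directory, or that uses forward slashes or doubled backslashes to dodge a naive string match, is still flagged because every entry is normalized before the comparison.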

Email
It has no spreading routine of its own, but it was spammed out via email. The characteristics of the mails are described below:


From:
The sender address is spoofed.


Subject:
One of the following (German lure text kept verbatim, English in brackets):
   • Mietvertrag [rental agreement]
   • Abbuchungsvertrag [direct debit agreement]
   • Konto eroeffnet [account opened]
   • Der Vertrag [the contract]



Body:
The body of the email is as follows. It sometimes starts with one of these greetings:

   • Guten Tag! [Good day!]

   • Sehr geehrte Damen und Herren [Dear Sir or Madam]

   • Hallo [Hello]


followed by the text below (quoted verbatim, including the missing umlauts of the original spam; English translation underneath):

   • Wir haben den Vertrag vorbereitet und die Paragraphen hinzugefugt, die von Ihnen verlangt wurden.
     
     Unsere Juristen haben die letzte Seite verandert. Wenn es zu Ihrer Zufriedenheit ausfaellt, sind wir bereit am Freitag den ersten Warenposten zu bezahlen.
     
     Anbei finden Sie bitte die Datei mit dem angefertigten Vertrag.
     
     Wenn Sie brauchen, konnen wir Ihnen den Vertrag faxen.
     
     Wir warten auf Ihre Entscheidung.

   [We have prepared the contract and added the clauses you requested.
     
     Our lawyers have changed the last page. If it is to your satisfaction, we are ready to pay for the first consignment of goods on Friday.
     
     Please find attached the file with the prepared contract.
     
     If you need, we can fax you the contract.
     
     We await your decision.]


Attachment:
The filename of the attachment is:
   • Vertrag.rar

The attachment is an archive containing a copy of the malware itself.

Backdoor
The following port is opened:

– svchost.exe on a random TCP port in order to provide backdoor capabilities.


Contact server:
The following:
   • valarsnetwor**********

As a result it may exfiltrate information, and remote control of the system may be provided to the attacker.

Injection
It injects itself into a process.

    Process name:
   • winlogon.exe


File details
Runtime packer:
In order to hamper detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Thomas Wegele on Friday, May 23, 2008
Description updated by Thomas Wegele on Friday, May 23, 2008
