Virus: TR/Buzus.517120
Date discovered: 31/03/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low to medium
Damage Potential: Low to medium
Static file: Yes
File size: 517.120 Bytes
MD5 checksum: 6e8c4346ba425101a3e79448d1285faa
IVDF version: 7.10.06.06 - Wednesday, March 31, 2010

General

Method of propagation:
   • Autorun feature
   • Peer to Peer


Aliases:
   • Mcafee: W32/Xirtem
   • Panda: W32/P2PWorm.DP.worm
   • Eset: Win32/Merond.AA
   • Bitdefender: Win32.Generic.496749


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads malicious files
   • Drops malicious files
   • Registry modification

Files

It copies itself to the following locations:
   • %SYSDIR%\jrshed.exe
   • %drive%\RECYCLER\%CLSID%\redmond.exe



The following files are created:

%drive%\autorun.inf This is a non-malicious text file with the following content:
   • %code that runs malware%

%drive%\RECYCLER\%CLSID%\Desktop.ini
%SYSDIR%\jvmi.exe Further investigation showed that this file is also malware. Detected as: TR/Buzus.cpav

%SYSDIR%\jhm.exe Further investigation showed that this file is also malware. Detected as: TR/Buzus.cpbr




It tries to download files from the following locations:

– The location is the following:
   • http://76.73.35.106/files/test/**********


– The location is the following:
   • http://76.73.35.106/files/test/**********




It tries to execute the following files:

– Filename:
   • "%SYSDIR%\jvmi.exe"


– Filename:
   • "%SYSDIR%\jhm.exe"

Registry

The following registry key is added in order to run the process after reboot:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "SunJavaUpdateSched12"="%SYSDIR%\jrshed.exe"



The values of the following registry key are removed:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • APVXDWIN
   • AVG8_TRAY
   • AVP
   • BDAgent
   • CAVRID
   • DrWebScheduler
   • F-PROT Antivirus Tray application
   • ISTray
   • K7SystemTray
   • K7TSStart
   • McENUI
   • MskAgentexe
   • OfficeScanNT Monitor
   • RavTask
   • SBAMTray
   • SCANINICIO
   • SpIDerMail
   • Spam Blocker for Outlook Express
   • SpamBlocker
   • Windows Defender
   • avast!
   • cctray
   • egui
   • sbamui



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "%SYSDIR%\jrshed.exe"="%SYSDIR%\jrshed.exe:*:Enabled:Explorer"



The following registry keys are changed:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
   New value:
   • "EnableLUA"=dword:0x00000000

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   New value:
   • "qele2"="04"
   • "qetr2"="21"

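A defender-side check for the registry traits listed above, added here as an example and not part of the original description: it parses a Windows .reg export (the sample below is constructed, not a real capture) and reports the HKCU Run persistence value, the disabled UAC setting (EnableLUA=0) and the firewall AuthorizedApplications exception for jrshed.exe. Function names and the sample file paths are assumptions.

```python
import re
from typing import Dict, List

# Registry indicators from the description above, as hive paths appear in a .reg export.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
          r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export into {key path (lowercased): {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:  # "[HKEY_...\...]" starts a new key; registry paths are case-insensitive
            current = key.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if val and current is not None:  # "name"="string" or "name"=dword:xxxxxxxx
            keys[current][val.group(1)] = val.group(2).strip('"')
    return keys

def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per TR/Buzus.517120 registry trait present in the export."""
    hits: List[str] = []
    for name, data in keys.get(RUN_KEY.lower(), {}).items():
        if name == "SunJavaUpdateSched12" or "jrshed.exe" in data.lower():
            hits.append(f"persistence: {name} = {data}")
    lua = keys.get(POLICY_KEY.lower(), {}).get("EnableLUA", "")
    if lua.lower() in ("dword:00000000", "dword:0x00000000"):
        hits.append("UAC disabled: EnableLUA = 0")
    for name, data in keys.get(FW_KEY.lower(), {}).items():
        if "jrshed.exe" in name.lower():
            hits.append(f"firewall exception: {data}")
    return hits

# Constructed sample export (assumed paths, not a real capture); .reg doubles backslashes in data.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched12"="C:\\WINDOWS\\system32\\jrshed.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\jrshed.exe"="C:\\WINDOWS\\system32\\jrshed.exe:*:Enabled:Explorer"
'''
```

Run `find_indicators(parse_reg_export(SAMPLE_REG))` against an export taken with `reg export` from a suspect host; a clean host yields an empty list.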
Email

It contains an integrated SMTP engine for sending emails and connects directly to the destination mail server. Its characteristics are as follows:


From:
The sender address is spoofed.
The sender of the email is one of the following:
   • e-cards@hallmark.com
   • invitations@hi5.com


To:
– Email addresses found in specific files on the system.


Subject:
One of the following:
   • Jessica would like to be your friend on hi5!
   • You have received A Hallmark E-Card!



Body:
– Contains HTML code.


Attachment:
The filename of the attachment is one of the following:
   • Invitation Card.zip
   • Postcard.zip

The attachment is an archive containing a copy of the malware itself.

P2P

It searches for directories whose path contains the following substring:
   • emule\incoming

   If successful, the following files are created:
   • Adobe Acrobat Reader keygen.exe
   • PDF password remover (works with all acrobat reader).exe
   • VmWare keygen.exe
   • Sony Vegas Pro 8 0b Build 219.exe
   • CheckPoint ZoneAlarm And AntiSpy.exe
   • Nero 9 9.2.6.0 keygen.exe
   • Ad-aware 2009.exe
   • G-Force Platinum v3.7.5.exe
   • Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
   • Motorola, nokia, ericsson mobil phone tools.exe
   • Download Accelerator Plus v8.7.5.exe
   • Divx Pro 6.8.0.19 + keymaker.exe
   • DVD Tools Nero 9 2 6 0.exe
   • Smart Draw 2008 keygen.exe
   • Sophos antivirus updater bypass.exe
   • LimeWire Pro v4.18.3.exe
   • Microsoft.Windows 7 Beta1 Build 7000 x86.exe
   • Grand Theft Auto IV (Offline Activation).exe
   • BitDefender AntiVirus 2009 Keygen.exe
   • Magic Video Converter 8 0 2 18.exe
   • Windows XP PRO Corp SP3 valid-key generator.exe
   • Avast 4.8 Professional.exe
   • Microsoft Visual Studio 2008 KeyGen.exe
   • Power ISO v4.2 + keygen axxo.exe
   • Microsoft Office 2007 Home and Student keygen.exe
   • K-Lite codec pack 3.10 full.exe
   • Opera 9.62 International.exe
   • Google Earth Pro 4.2. with Maps and crack.exe
   • Adobe Photoshop CS4 crack.exe
   • Norton Anti-Virus 2009 Enterprise Crack.exe
   • AnyDVD HD v.6.3.1.8 Beta incl crack.exe
   • Total Commander7 license+keygen.exe
   • Winamp.Pro.v6.53.PowerPack.Portable+installer.exe
   • Daemon Tools Pro 4.11.exe
   • Windows 2008 Enterprise Server VMWare Virtual Machine.exe
   • Alcohol 120 v1.9.7.exe
   • CleanMyPC Registry Cleaner v6.02.exe
   • WinRAR v3.x keygen RaZoR.exe
   • Download Boost 2.0.exe
   • Windows2008 keygen and activator.exe
   • AVS video converter6.exe
   • K-Lite codec pack 4.0 gold.exe
   • Kaspersky Internet Security 2009 keygen.exe
   • Tuneup Ultilities 2008.exe
   • Perfect keylogger family edition with crack.exe
   • Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
   • Absolute Video Converter 6.2.exe
   • Super Utilities Pro 2009 11.0.exe
   • Internet Download Manager V5.exe
   • Youtube Music Downloader 1.0.exe
   • Myspace theme collection.exe
   • Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe


Backdoor

The following port is opened:

– sonymusic.hom**********.org on TCP port 443

Miscellaneous

Checks for an internet connection by contacting the following web site:
   • http://whatismyip.com/automation/n09230945.asp

File details

Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, April 16, 2010
Description updated by Petre Galan on Wednesday, April 21, 2010
