Need help? Ask the community or hire an expert.
Go to Avira Answers
Virus:TR/Buzus.czvp
Date discovered:27/01/2010
Type:Trojan
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:201.728 Bytes
MD5 checksum:5b056eff9e08e6b3da45752edae22547
IVDF version:7.10.03.106 - Wednesday, January 27, 2010

 General    • Peer to Peer


Aliases:
   •  Mcafee: W32/Palack.worm
   •  Sophos: Mal/CryptBox-A
   •  Panda: Trj/Buzus.LF
   •  Eset: Win32/Dursg.A
   •  Bitdefender: Trojan.Buzus.GN


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %HOME%\Application Data\SystemProc\lsass.exe



It deletes the initially executed copy of itself.



The following files are created:

%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
%PROGRAM FILES%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul



It tries to download some files:

The location is the following:
   • http://controllmx.com/**********?aid=blackout


The location is the following:
   • http://controllmx.com/**********?sd=%character string%&aid=blackout


The location is the following:
   • http://liodio.com/**********?pop=1&aid=%character string%&sid=%character string%&key=%character string%




It tries to executes the following file:

Filename:
   • "%home%\Application Data\SystemProc\lsass.exe"

 Registry The following registry key is added:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\
   Run]
   • "RTHDBPL"="%HOME%\Application Data\SystemProc\lsass.exe"



The following registry key is changed:

[HKCU\Identities]
   New value:
   • "Curr version"="%character string%"
   • "Inst Date"="%character string%"
   • "Last Date"="%character string%"
   • "Popup count"="%character string%"
   • "Popup date"="%character string%"
   • "Popup time"="%character string%"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed: It searches for the following directories:
   • %PROGRAM FILES%\winmx\shared\
   • %PROGRAM FILES%\tesla\files\
   • %PROGRAM FILES%\limewire\shared\
   • %PROGRAM FILES%\morpheus\my shared folder\
   • %PROGRAM FILES%\emule\incoming\
   • %PROGRAM FILES%\edonkey2000\incoming\
   • %PROGRAM FILES%\bearshare\shared\
   • %PROGRAM FILES%\grokster\my grokster\
   • %PROGRAM FILES%\icq\shared folder\
   • %PROGRAM FILES%\kazaa lite k++\my shared folder\
   • %PROGRAM FILES%\kazaa lite\my shared folder\
   • %PROGRAM FILES%\kazaa\my shared folder\

   If successful, the following files are created:
   • DivX 5.0 Pro KeyGen.exe; Counter-Strike KeyGen.exe; IP Nuker.exe;
      Website Hacker.exe; Keylogger.exe; AOL Password Cracker.exe; ICQ
      Hacker.exe; AOL Instant Messenger (AIM) Hacker.exe; MSN Password
      Cracker.exe; Microsoft Visual Studio KeyGen.exe; Microsoft Visual
      Basic KeyGen.exe; Microsoft Visual C++ KeyGen.exe; Sub7 2.3
      Private.exe; sdbot with NetBIOS Spread.exe; L0pht 4.0 Windows Password
      Cracker.exe; Windows Password Cracker.exe; NetBIOS Cracker.exe;
      NetBIOS Hacker.exe; DCOM Exploit.exe; Norton Anti-Virus 2005
      Enterprise Crack.exe; Hotmail Cracker.exe; Hotmail Hacker.exe; Brutus
      FTP Cracker.exe; FTP Cracker.exe; Password Cracker.exe; Half-Life 2
      Downloader.exe; UT 2003 KeyGen.exe; Windows 2003 Advanced Server
      KeyGen.exe


 Injection It injects itself as a remote thread into a process.

    Process name:
   • explorer.exe


 File details Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

설명 삽입자 Petre Galan   2010년 4월 8일 목요일
설명 업데이트 Petre Galan   2010년 4월 8일 목요일

뒤로 . . . .
https:// 이 창은 보안을 위해 암호화되었습니다.