Downloader.Busadom

First posted on 28 February 2015.
Source: Symantec

Aliases:

There are no other names known for Downloader.Busadom.

Explanation:

The Trojan may arrive through exploits that take advantage of the Adobe Flash Player Stack Based Buffer Overflow Vulnerability (CVE-2014-9163).

When the Trojan is executed, it creates the following file:

%UserProfile%\Local Settings\Application Data\[RANDOM CHARACTERS].[RANDOM CHARACTERS]

The Trojan then creates the following registry entries to lower the computer's security settings:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"iad12s04-in-f22.1h100.net\http" = "0"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\"iad12s04-in-f22.1h100.net\https" = "0"

Next, the Trojan connects to the following remote locations:

[http://]iad12s04-in-f22.1h100.net[REMOVED]
[http://]iad12s04-in-f22.1h100.net/init_pos[REMOVED]
feedback.turkishairiine.com/feed/b.php
iad12s04-in-f22.1h100.net/irwravxrc/tra_q.php
[http://]iad12s04-in-f22.1h100.net/pv.[REMOVED]

The Trojan may then perform the following actions:

Download and execute files
Gather system information
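The ZoneMap entries above assign the attacker's host to Internet Explorer security zone 0 ("My Computer"), the least restrictive zone. The following PowerShell check, added here as an example and not part of the Symantec writeup, walks the current user's ZoneMap\Domains key and reports any domain/protocol pair mapped to zone 0, which is the condition this Trojan creates; the zone number names are standard Windows values, and no specific domain is assumed.

```powershell
# Added example (not from the original writeup): flag ZoneMap domains placed
# in zone 0. Standard zone numbers: 0 = My Computer, 1 = Local Intranet,
# 2 = Trusted Sites, 3 = Internet, 4 = Restricted Sites.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }
$domainsRoot = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntry {
    param([string]$Root)
    if (-not (Test-Path -Path $Root)) { return }
    # A domain may be written as one flat key ("host.example.net") or nested
    # ("example.net\host"), so recurse through every subkey.
    Get-ChildItem -Path $Root -Recurse | ForEach-Object {
        $key = $_
        # Each protocol (http, https, *) is a DWORD value under the domain key.
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -ne 'DWord') { continue }
            $zone = [int]$key.GetValue($name)
            $zoneName = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { 'Unknown' }
            [pscustomobject]@{
                Domain   = ($key.PSPath -replace '^.*\\Domains\\', '')
                Protocol = $name
                Zone     = $zone
                ZoneName = $zoneName
            }
        }
    }
}

$entries    = Get-ZoneMapEntry -Root $domainsRoot
$suspicious = @($entries | Where-Object { $_.Zone -eq 0 })

if ($suspicious.Count -gt 0) {
    Write-Warning "Domains mapped to zone 0 (My Computer) under HKCU:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No ZoneMap domains mapped to zone 0 under HKCU."
}
```

Run it in the affected user's session, since the entries live under HKEY_CURRENT_USER; a legitimate configuration rarely places an Internet host in zone 0, so any hit warrants investigation.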

Last update 28 February 2015
