Home / malwarePDF  

TrojanDownloader:Win32/Bulilit.A


First posted on 29 October 2010.
Source: SecurityHome

Aliases :

TrojanDownloader:Win32/Bulilit.A is also known as Trojan.Win32.Swisyn.aiub (Kaspersky).

Explanation :

TrojanDownloader:Win32/Bulilit.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer.
Top

TrojanDownloader:Win32/Bulilit.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer. Installation TrojanDownloader:Win32/Bulilit.A creates the following files on an affected computer:

  • <system folder>\dx5.exe - detected as TrojanDownloader:Win32/Bulilit.A
  • <system folder>\xvhost.sb
  • c:\rec.bat
  • c:\documents and settings\administrator\local settings\temp\svchost.exe - detected as Trojan:Win32/Killav.FA
  • c:\documents and settings\administrator\local settings\temp\is-46adc.tmp\is-tbi1h.tmp
  • c:\documents and settings\administrator\local settings\temp\is-dno7u.tmp\_iscrypt.dll
  • c:\documents and settings\administrator\local settings\temp\is-dno7u.tmp\_isetup\_shfoldr.dll

    • Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
    The malware modifies the following registry entries to ensure <system folder>\dx5.exe executes at each Windows start:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Adds value: "RunmeAtStartup"
    With data: "c:\windows\system32\dx5.exe"
    Payload Contacts remote host TrojanDownloader:Win32/Bulilit.A may contact a remote host at a8d61.3bc6ad2ed.com using port 90. Commonly, malware may contact a remote host for the following purposes:
    • To report a new infection to its author
    • To receive configuration or other data
    • To download and execute arbitrary files (including updates or additional malware)
    • To receive instruction from a remote attacker
    • To upload data taken from the affected computer

    This malware description was produced and published using our automated analysis system's examination of file SHA1 5579b1f2e874f0dd6cf49d6e94fc2cbf03d26bd0.

    Last update 29 October 2010

     

    TOP

    Malware :

    Family: