
Trojan:WinNT/Bubnix.I


First posted on 06 August 2010.
Source: SecurityHome

Aliases :

Trojan:WinNT/Bubnix.I is also known as Win-Trojan/Bubnix.845824 (AhnLab), W32/Rootkit.F.gen!Eldorado (Authentium (Command)), Rootkit.BUWH (Norman), Rootkit.Bubnix.BM (VirusBuster), TR/Rootkit.Gen (Avira), Rootkit.38270 (BitDefender), Trojan.NtRootKit.6990 (Dr.Web), Win32/Rootkit.Kryptik.BF (ESET), Gen.Rootkit (Ikarus), Rootkit/Bubnix.A (Panda), Hacktool.Rootkit (Symantec), TROJ_BUBNIX.SMA (Trend Micro).

Explanation :

Trojan:WinNT/Bubnix.I is a trojan that is downloaded and installed by other malware. It sends out spam email messages based on data received from a remote server.

Trojan:WinNT/Bubnix.I is a trojan that is downloaded and installed by other malware. It is installed as a system driver. Trojan:WinNT/Bubnix.I sends out spam email messages.

Installation :

Trojan:WinNT/Bubnix.I arrives as a packed and obfuscated file to prevent analysis. It is downloaded and installed by other malware as the following file:

  • <system folder>\drivers\<random file name>.sys

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

It hides its files and registry keys to avoid detection.

Payload :

Injects code into a running process

Trojan:WinNT/Bubnix.I injects code into the following process:

  • services.exe

It also periodically overwrites the process file, in effect rendering removal tools useless.

Connects to a remote server

Trojan:WinNT/Bubnix.I reports that it has been successfully installed on the computer by connecting to a remote server.

Downloads and installs arbitrary files

Trojan:WinNT/Bubnix.I downloads and executes other files from remote servers.

Sends spam email messages

Trojan:WinNT/Bubnix.I sends out spammed email messages using data received from a remote server. The messages are sent using servers listed in mail exchange (MX) records returned for the following domains:

  • digg.com
  • gmail.com
  • google.com
  • wikipedia.org
  • youtube.com
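The spam-sending behaviour described above leaves a recognisable network footprint: a workstation that is not a mail server resolves MX records for the listed domains and then opens outbound SMTP (TCP/25) connections directly to the resolved mail exchangers rather than through the organisation's relay. The following added example (not part of the original entry) is a small detector for that pattern written over constructed DNS and connection log lines; the log format, the host addresses and the relay address MAIL_RELAY are all assumptions made for the example.

```python
"""
Added example: flag hosts that query MX records for the domains named in
the Bubnix.I entry and then speak SMTP directly, bypassing the mail relay.
The log format, hosts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Domains whose MX records the trojan looks up (taken from the entry above).
BUBNIX_MX_DOMAINS = {
    "digg.com", "gmail.com", "google.com", "wikipedia.org", "youtube.com",
}

# Assumption: the only host in this network allowed to send outbound SMTP.
MAIL_RELAY = "10.0.0.25"

# Constructed sample log. Format: "<timestamp> <type> <source> <detail>"
#   DNS  -> detail is "<query type> <query name>"
#   CONN -> detail is "<destination ip>:<destination port>"
SAMPLE_LOG = """\
2010-08-06T10:00:01 DNS 10.1.1.7 MX gmail.com
2010-08-06T10:00:01 DNS 10.1.1.7 MX digg.com
2010-08-06T10:00:02 DNS 10.1.1.7 MX youtube.com
2010-08-06T10:00:03 CONN 10.1.1.7 74.125.0.10:25
2010-08-06T10:00:04 CONN 10.1.1.7 64.191.0.5:25
2010-08-06T10:00:05 DNS 10.1.1.9 A www.wikipedia.org
2010-08-06T10:00:06 CONN 10.1.1.9 10.0.0.25:25
2010-08-06T10:00:07 DNS 10.1.1.12 MX google.com
2010-08-06T10:00:08 CONN 10.1.1.12 10.0.0.25:25
"""


@dataclass
class HostActivity:
    """What a single source host did that is relevant to the pattern."""
    mx_domains: set = field(default_factory=set)   # watched domains queried for MX
    direct_smtp: set = field(default_factory=set)  # TCP/25 destinations other than the relay


def parse_line(line):
    """Split one constructed log line into (timestamp, type, source, detail)."""
    ts, kind, src, detail = line.split(" ", 3)
    return ts, kind, src, detail


def analyse(log_text, relay=MAIL_RELAY, mx_threshold=2):
    """Return {source_host: HostActivity} for hosts that both queried MX
    records for at least `mx_threshold` watched domains and connected to
    port 25 somewhere other than the relay."""
    hosts = defaultdict(HostActivity)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, kind, src, detail = parse_line(line)
        if kind == "DNS":
            qtype, qname = detail.split(" ", 1)
            if qtype == "MX" and qname.lower() in BUBNIX_MX_DOMAINS:
                hosts[src].mx_domains.add(qname.lower())
        elif kind == "CONN":
            dst, port = detail.rsplit(":", 1)
            if port == "25" and dst != relay:
                hosts[src].direct_smtp.add(dst)
    return {
        src: act for src, act in hosts.items()
        if len(act.mx_domains) >= mx_threshold and act.direct_smtp
    }


if __name__ == "__main__":
    for host, act in analyse(SAMPLE_LOG).items():
        print(f"{host}: MX lookups for {sorted(act.mx_domains)}, "
              f"direct SMTP to {sorted(act.direct_smtp)}")
```

In the sample, only 10.1.1.7 is reported: it resolves MX records for three watched domains and then connects to two external hosts on port 25. The host that uses the relay is ignored even though it queried one watched domain, and the MX-count threshold keeps a single legitimate lookup from raising an alert. A real deployment would feed this from DNS and firewall logs and tune the threshold and relay list to the environment.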


Analysis by Daniel Radu

Last update 06 August 2010
