| Field | Value |
|---|---|
| Malware name | Trojan.Buzus.iij |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | F5EF2565D56D86D3DDBD8D39901BF882 |
| Static file | yes |
| Filesize | 10,240 Bytes |

Alias names (also known as):

| Vendor | Alias |
|---|---|
| Sophos | Mal/Basine-A |
| McAfee | MultiDropper-QL |
| CA ETrust | Win32/Malum.CPQT |

| Field | Value |
|---|---|
| Protection | Webwasher Anti Malware 7000.4159.x |
| Side effects | Registry modification; steals information; third party control |
| Propagation | No own spreading routine |
Description:
Files
It copies itself to the following location:
• %WINDIR%\temote.exe
It deletes the initially executed copy of itself.
Registry
The following registry key is added in order to load the service after reboot:
– [HKLM\System\CurrentControlSet\Services\Fast Compatibi\ImagePath]
• "%WINDIR%\temote.exe"
Backdoor
Contact server:
• xs12.3322.org:8000
As a result, remote control capability is provided.
Injection
– It injects itself into a process.
Process name:
• svchost.exe
File details
Programming language:
The malware program was written in Delphi.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
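A defender-side triage check, added here as an example and not part of the original description: it matches the dropped file, service key and contact server listed above against constructed sample log lines. The log format and the sample lines are hypothetical; only the indicator values come from the description.

```python
import re

# Indicators taken from the description above (Trojan.Buzus.iij).
INDICATORS = {
    "dropped_file": re.compile(r"\\temote\.exe\b", re.IGNORECASE),
    "service_key": re.compile(r"\\Services\\Fast Compatibi\\ImagePath", re.IGNORECASE),
    "c2_contact": re.compile(r"\bxs12\.3322\.org(?::8000)?\b", re.IGNORECASE),
}

# Constructed sample log lines (not real telemetry); the format
# "<timestamp> <source> <message>" is hypothetical.
SAMPLE_LOG = """\
2009-03-01 10:02:11 filemon CreateFile C:\\WINDOWS\\temote.exe
2009-03-01 10:02:12 regmon SetValue HKLM\\System\\CurrentControlSet\\Services\\Fast Compatibi\\ImagePath = C:\\WINDOWS\\temote.exe
2009-03-01 10:02:13 regmon SetValue HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Example = C:\\Program Files\\Example\\example.exe
2009-03-01 10:02:20 netmon TCP connect svchost.exe -> xs12.3322.org:8000
2009-03-01 10:02:21 netmon TCP connect iexplore.exe -> www.example.com:80
"""


def scan_log(text):
    """Return (indicator_name, line) pairs for every line matching an indicator.

    A single line can match several indicators (e.g. the ImagePath value
    also contains the dropped file path), so each match is reported."""
    hits = []
    for line in text.splitlines():
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def summarize(hits):
    """Count hits per indicator so triage can tell which of the three
    behaviours (file drop, service persistence, C2 contact) were observed."""
    counts = {name: 0 for name in INDICATORS}
    for name, _ in hits:
        counts[name] += 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for name, line in found:
        print(f"[{name}] {line}")
    print(summarize(found))
```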