
Trojan.Buzus.DL


First posted on 21 November 2011.
Source: BitDefender

Aliases :

There are no other names known for Trojan.Buzus.DL.

Explanation :

This trojan contains 2 components:
- the main executable, written in Delphi
- the secondary executable, written in VC, that resides packed inside the resource section of the main executable
When executed, the main program (125440 B) first launches another copy of itself. The second instance unpacks the code portion located inside the .rsrc section, injects it into its own virtual memory space and then into Explorer.exe, creates a remote thread running inside that process, and makes a new copy of itself at Recycler\[DIR-NAME]\frss.exe (where [DIR-NAME] has a structure similar to S-1-5-21-1582865268-5844291516-424947749-0960, for example). It also creates a Desktop.ini file in each directory where it placed a copy of itself, in order to make the trojan's file invisible: when an infected directory is accessed from Explorer, the contents of the corresponding Recycler directory are displayed, but not the trojan's file. From this point on it is the responsibility of the injected code to infect USB devices via the autorun.inf trick (it makes copies of itself under the name "usbcheck.exe", or inside Recycler as a copy similar to the one described above).
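A host-side check for the on-disk artefacts described above, added here as an example (it is not BitDefender's detection logic). It assumes the dropped file names and the SID-like directory pattern exactly as given, treats the Desktop.ini and autorun.inf contents as unknown (only their presence and one referenced name are checked), and builds a placeholder directory tree with the same layout so the scan can be run offline.

```python
import re
import tempfile
from pathlib import Path

# Directory names shaped like the example S-1-5-21-1582865268-5844291516-424947749-0960
SID_DIR_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$", re.IGNORECASE)
# File names the description says the trojan drops
DROPPED_NAMES = {"frss.exe", "usbcheck.exe"}


def find_indicators(root):
    """Scan one volume root (drive or mounted USB stick); return (kind, path) findings."""
    root = Path(root)
    findings = []
    # 1. Recycler\<SID-like>\ holding Desktop.ini next to a dropped executable.
    #    Name match is case-insensitive so an image mounted on Linux is handled too.
    for recycler in (p for p in root.iterdir() if p.is_dir() and p.name.lower() == "recycler"):
        for sub in recycler.iterdir():
            if sub.is_dir() and SID_DIR_RE.match(sub.name):
                names = {p.name.lower() for p in sub.iterdir()}
                if "desktop.ini" in names and names & DROPPED_NAMES:
                    findings.append(("recycler_drop", str(sub)))
    # 2. autorun.inf in the root that references usbcheck.exe or something under Recycler
    autorun = root / "autorun.inf"
    if autorun.is_file():
        text = autorun.read_text(errors="ignore").lower()
        if "usbcheck.exe" in text or "recycler" in text:
            findings.append(("autorun_inf", str(autorun)))
    # 3. A loose usbcheck.exe in the volume root (the USB copy described above)
    if (root / "usbcheck.exe").is_file():
        findings.append(("root_drop", str(root / "usbcheck.exe")))
    return findings


def build_sample_tree(base):
    """Constructed layout of the described artefacts; placeholder bytes, not a real sample."""
    base = Path(base)
    sid_dir = base / "Recycler" / "S-1-5-21-1582865268-5844291516-424947749-0960"
    sid_dir.mkdir(parents=True)
    (sid_dir / "frss.exe").write_bytes(b"MZ placeholder - constructed, not malware")
    (sid_dir / "Desktop.ini").write_text("[.ShellClassInfo]\n")  # real contents unknown
    (base / "autorun.inf").write_text("[autorun]\nopen=usbcheck.exe\n")  # assumed layout
    (base / "usbcheck.exe").write_bytes(b"MZ placeholder - constructed, not malware")


def demo():
    """Scan one constructed infected volume and one clean volume; return the finding kinds."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_sample_tree(infected)
        return {"infected": sorted(k for k, _ in find_indicators(infected)),
                "clean": sorted(k for k, _ in find_indicators(clean))}
```

Run `find_indicators()` against each drive letter or removable-media mount point; a `recycler_drop` hit together with an `autorun_inf` hit on a USB stick matches the spreading behaviour described above.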

Last update 21 November 2011
