Home / malwarePDF  

Worm:Win32/Buller.A


First posted on 28 April 2015.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Buller.A.

Explanation :

Threat behavior

Installation
This threat can create files on your PC, including:

  • %ALLUSERSPROFILE%\start menu\programs\startup\.exe
  • %SystemRoot%\apps\microsoft\applications\ms-office\ms-word\networking\internet\system32\tangocharle.exe
  • \lsass.exe
  • \1096\winlogon.exe
  • c:\drivers.exe
  • c:\programfiles.exe
  • c:\windows.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "Shell"
With data: "%SystemRoot%\explorer.exe c:\windows\apps\microsoft\applications\ms-office\ms-word\networking\internet\system32\tangocharle.exe"
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "lsass"
With data: "\lsass.exe"


Spreads through...


Network and removable drives

This worm can spread by creating files on network or removable drives, such as USB flash drives. For example:

  • :\malware.dat.exe
  • :\mig33.exe
  • :\facebookpics.exe
  • :\djremixes.exe
  • :\donotlook.exe


Payload


It can stop some processes from running on your PC, including:

  • kav.exe


Bypasses firewall



This threat tries to bypass your firewall by modifying the registry. For example:

HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy

You might need to restore your Windows Firewall settings.



This malware description was published using automated analysis of file SHA1 1f9efe5c605d0633ee6cedb6342f4f7384fbd70a.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see a file similar to:
    • %ALLUSERSPROFILE%\start menu\programs\startup\.exe
    • %SystemRoot%\apps\microsoft\applications\ms-office\ms-word\networking\internet\system32\tangocharle.exe
    • \lsass.exe
    • \1096\winlogon.exe
    • c:\drivers.exe
    • c:\programfiles.exe
    • c:\windows.exe
  • You see registry modifications such as:
    • In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
      Sets value: "Shell"
      With data: "%SystemRoot%\explorer.exe c:\windows\apps\microsoft\applications\ms-office\ms-word\networking\internet\system32\tangocharle.exe"

    • In subkey: HKLM\software\microsoft\windows\currentversion\run
      Sets value: "lsass"
      With data: "\lsass.exe"

    • In subkey: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list
      Sets value: "\tlntsvr.exe"
      With data: "\tlntsvr.exe:*:enabled:iexplorer"

Last update 28 April 2015

 

TOP

Malware :

Family: