
Downloader.Busadom.B


First posted on 04 February 2016.
Source: Symantec

Aliases :

There are no other names known for Downloader.Busadom.B.

Explanation :

Once executed, the Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"WinHelpSrv" = "[PATH OF EXECUTABLE COMPONENT]"
Note: The executable component is used to side-load a malicious .dll file.

The Trojan also creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\"DisplayName" = "Windows Helper Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\"Description" = "This is windows helper service. Include windows update and windows error"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\Parameters\"ServiceDll" = "[PATH OF DLL]"
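The registry artefacts above (the Run value, the WinHelpSrv service name and its ServiceDll parameter) are the cheapest thing to sweep for on a suspect host. The following added example is not part of the Symantec write-up: it parses a `reg export` (.reg) file offline and reports those artefacts; the sample export and its file paths are constructed for the demonstration.

```python
import re

# Registry artefacts exactly as listed in the write-up above.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv"
PARAMS_KEY = SERVICE_KEY + r"\Parameters"

# Constructed sample in `reg export` (.reg) format; the file paths are made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"WinHelpSrv"="C:\\ProgramData\\WinHelp\\winhelp.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv]
"DisplayName"="Windows Helper Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHelpSrv\Parameters]
"ServiceDll"="C:\\ProgramData\\WinHelp\\winhelp.dll"
"""

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}} (REG_SZ unescaped)."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                name, data = m.groups()
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
                keys[current][name] = data
    return keys

def find_busadom_indicators(text):
    """Return (indicator, data) pairs for the artefacts the write-up attributes to Busadom.B."""
    keys = parse_reg_export(text)
    hits = []
    run_path = keys.get(RUN_KEY, {}).get("WinHelpSrv")
    if run_path is not None:
        hits.append(("Run value WinHelpSrv", run_path))
    if keys.get(SERVICE_KEY, {}).get("DisplayName") == "Windows Helper Service":
        hits.append(("service DisplayName", "Windows Helper Service"))
    service_dll = keys.get(PARAMS_KEY, {}).get("ServiceDll")
    if service_dll is not None:
        hits.append(("WinHelpSrv ServiceDll", service_dll))
    return hits
```

A hit on the Run value or ServiceDll gives the path of the dropped executable or DLL, which is the file to collect before the service is removed.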
Next, the Trojan connects to one or more of the following remote locations over TCP ports 443 and 80 respectively:
[http://]www.microsoft-cache.com
[http://]106.185.43.96

The Trojan gathers the following information from the compromised computer and sends it to one or more of the remote locations:
Host name
User name
Operating system build number and architecture
IP address
Locale information
Total RAM
Monitor resolution
Processor information
The Trojan may then download potentially malicious files from one or more of the remote locations.

Last update 04 February 2016
