
Trojan.Generic.26405547


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Generic.26405547 is also known as Win32:VB-NPD, Trojan.Buzus.clys, FakeAlert-SafetyCenter.dldr, Win32/AutoRun.FakeAlert.AF.

Explanation:

The malware creates a copy of itself as "%ProgramFiles%\Microsoft Common\svchost.exe".

It creates the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" with the value "Debugger" set to "%ProgramFiles%\Microsoft Common\svchost.exe". This registers the malware as the debugger for explorer.exe, so Windows launches the malware in its place whenever explorer.exe is started.

It sets the value "ProxyEnable" to 0 in the registry key "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings", disabling the proxy for Internet Explorer.

It also disables cookies, cache and history by altering the values under the key "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder".

It infects removable drives with an autorun.inf file that points to a copy of itself renamed "system.exe".

It connects to the IP [removed].170.177 for instructions. This address has also been seen in connection with the Zbot trojan.
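The persistence and propagation behaviours described above can be checked for on a host with the following PowerShell script, an added example that is not part of the BitDefender write-up. It assumes it runs with administrative rights; the registry paths, value names and file names come from the description above, while the "Suspicious" heuristics are my own assumptions.

```powershell
# Added host check for the behaviours in the description above (not BitDefender's code).
# Assumes an elevated PowerShell session; the allow-listing heuristics are assumptions.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. IFEO "Debugger" hijack: a Debugger value makes Windows launch that binary in place
#    of the named program, so a value under explorer.exe runs at every interactive logon.
#    Some legitimate tools register debuggers too, hence a Suspicious flag rather than a verdict.
foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += [pscustomobject]@{
            Check      = 'IFEO Debugger'
            Target     = $key.PSChildName
            Value      = $dbg
            # Matches the sample's copy location: a "Microsoft Common" folder, or an
            # svchost.exe that does not live in System32.
            Suspicious = ($dbg -match 'Microsoft Common' -or
                          ($dbg -match 'svchost\.exe' -and $dbg -notmatch '\\System32\\'))
        }
    }
}

# 2. ProxyEnable = 0 in the .DEFAULT hive. Note that 0 is also the default on many clean
#    machines, so treat this only as corroborating evidence next to an IFEO hit.
$inet = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = (Get-ItemProperty -Path $inet -Name ProxyEnable -ErrorAction SilentlyContinue).ProxyEnable
if ($null -ne $proxy -and $proxy -eq 0) {
    $findings += [pscustomobject]@{ Check = 'ProxyEnable'; Target = 'HKU\.DEFAULT'; Value = $proxy; Suspicious = $false }
}

# 3. autorun.inf on removable drives (DriveType 2) whose launch line names system.exe.
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2') {
    $inf = Join-Path $disk.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $body = Get-Content $inf -Raw
        $launch = ($body -split "`n" | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join ';'
        $findings += [pscustomobject]@{
            Check      = 'autorun.inf'
            Target     = $inf
            Value      = $launch
            Suspicious = ($body -match 'system\.exe')
        }
    }
}

$findings | Format-Table -AutoSize
```

A clean host normally returns no IFEO Debugger entries pointing outside vendor tooling and no autorun.inf on removable media; an explorer.exe entry with a Debugger under "Microsoft Common" matches this sample's persistence exactly.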

Last update 21 November 2011
