(Win32:VB-NPD, Trojan.Buzus.clys, FakeAlert-SafetyCenter.dldr, Win32/AutoRun.FakeAlert.AF)
Symptoms
Presence of the following file: "%ProgramFiles%\Microsoft Common\svchost.exe".
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Daniel Chipiristeanu, virus researcher
Technical Description:
The malware creates a copy of itself in "%ProgramFiles%\Microsoft Common\svchost.exe".
It creates the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" with the value "Debugger" set to "%ProgramFiles%\Microsoft Common\svchost.exe". This registers the malware as the debugger for explorer.exe, so Windows starts the malware whenever explorer.exe is launched. It also sets the value "ProxyEnable" to 0 in the registry key "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings", disabling the proxy for Internet Explorer.
It also disables cookies, cache and history by altering the values in the key "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder".
It infects removable drives using an autorun.inf file pointing to a copy of itself renamed "system.exe".
It connects to the IP [removed].170.177 for instructions. This address has previously been seen in connection with the Zbot trojan.
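The registry and autorun indicators above lend themselves to a scripted triage check. The following is an added example written for this page, not BitDefender's tooling and not part of the original description: it parses a constructed "reg export" text and a constructed autorun.inf, flags an Image File Execution Options "Debugger" value that points at a system-binary file name outside the Windows system directories (or is hung on explorer.exe at all), reads the .DEFAULT hive's ProxyEnable value, and lists what an autorun.inf would launch. The key paths are the ones given in the description; the system-directory allow-list and the set of masqueraded process names are assumptions of the example.

```python
"""Triage helpers for the indicators in the description above (added example).
The .reg and autorun.inf samples are constructed, not real captures."""

from typing import Dict, List, Optional, Tuple

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")
INET_KEY = ("HKEY_USERS\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion"
            "\\Internet Settings")
# Assumption: legitimate copies of these process names live only under the system dirs.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "%systemroot%\\syswow64\\",
               "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}

# Constructed `reg export` output. The explorer.exe IFEO entry and the ProxyEnable
# value mirror the description; the notepad.exe entry is a benign JIT-debugger
# registration included for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="%ProgramFiles%\\Microsoft Common\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""

# Constructed autorun.inf of the kind dropped on removable drives.
SAMPLE_AUTORUN = """[autorun]
open=system.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open\\command=system.exe
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers followed by
    "name"=value lines. REG_SZ values lose their quotes and backslash escapes;
    other types (dword:, hex:) are kept as the raw token."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip().strip('"')
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = value
    return keys


def find_ifeo_debuggers(reg_text: str) -> List[Tuple[str, str]]:
    """Return (image_name, debugger_command) for every IFEO subkey with a Debugger value."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower().startswith(IFEO_PREFIX.lower()) and "Debugger" in values:
            hits.append((key[len(IFEO_PREFIX):], values["Debugger"]))
    return hits


def is_masquerading(path: str) -> bool:
    """True when a system-process file name sits outside the Windows system directories."""
    p = path.lower()
    return p.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def suspicious_ifeo(reg_text: str) -> List[Tuple[str, str]]:
    """IFEO debuggers worth a closer look: a masqueraded system binary, or (by
    assumption here) any debugger attached to the shell process explorer.exe."""
    return [(img, dbg) for img, dbg in find_ifeo_debuggers(reg_text)
            if is_masquerading(dbg) or img.lower() == "explorer.exe"]


def default_user_proxy_enable(reg_text: str) -> Optional[int]:
    """ProxyEnable for the .DEFAULT hive as an int, or None if absent / not a dword."""
    v = parse_reg_export(reg_text).get(INET_KEY, {}).get("ProxyEnable")
    if v is None or not v.lower().startswith("dword:"):
        return None
    return int(v.split(":", 1)[1], 16)


def autorun_launch_targets(inf_text: str) -> List[str]:
    """Commands an autorun.inf would run: open=, shellexecute= and shell\\<verb>\\command=."""
    targets: List[str] = []
    in_autorun = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        name, _, value = line.partition("=")
        n = name.strip().lower()
        if n in ("open", "shellexecute") or (n.startswith("shell\\") and n.endswith("\\command")):
            targets.append(value.strip())
    return targets


if __name__ == "__main__":
    for image, dbg in suspicious_ifeo(SAMPLE_REG):
        print(f"suspicious IFEO debugger on {image}: {dbg}")
    print("ProxyEnable (.DEFAULT):", default_user_proxy_enable(SAMPLE_REG))
    print("autorun.inf launches:", autorun_launch_targets(SAMPLE_AUTORUN))
```

On a live host the same functions can be fed the output of "reg export" for the two hives and the contents of any autorun.inf found on a removable drive; the parser deliberately handles only the string and dword value types the checks need.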