My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


aprox 50 kb
(Win32:VB-NPD, Trojan.Buzus.clys, FakeAlert-SafetyCenter.dldr, Win32/AutoRun.FakeAlert.AF)


Presence of the following file : " %ProgramFiles%\Microsoft Common\svchost.exe " .

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Chipiristeanu, virus researcher

Technical Description:

The malware creates a copy of itself in " %ProgramFiles%\Microsoft Common\svchost.exe " .
Creates the following registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" with the value "Debugger" set to "%ProgramFiles%\Microsoft Common\svchost.exe", which enables the malware as the default debugger. It sets the value "ProxyEnable" to 0 from the registry key "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ CurrentVersion\Internet Settings", disabling the proxy for IE.
It also disables cookies, cache and history by altering the values in the following key : HKEY_USERS\.DEFAULT\Software\Microsoft\ Windows\CurrentVersion\Explorer\Shell Folder.
It infects removable drives using an autorun.inf file pointing to a copy of itself renamed "system.exe".

It connects to the IP [removed].170.177 for instructions. This address has been seen connected to the Zbot trojan.