Trojan.Generic.26405547 (Win32:VB-NPD, Trojan.Buzus.clys, FakeAlert-SafetyCenter.dldr, Win32/AutoRun.FakeAlert.AF)
TECHNICAL DESCRIPTION: The malware creates a copy of itself in "%ProgramFiles%\Microsoft Common\svchost.exe". It creates the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" with the value "Debugger" set to "%ProgramFiles%\Microsoft Common\svchost.exe", which registers the malware as the debugger for explorer.exe, so it is launched whenever Explorer starts. It sets the value "ProxyEnable" to 0 in the registry key "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings", disabling the proxy for Internet Explorer. It also disables cookies, cache and history by altering the values in the following key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folder. It infects removable drives using an autorun.inf file pointing to a copy of itself renamed "system.exe". It connects to the IP [removed].170.177 for instructions. This address has been seen connected to the Zbot trojan.
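The following PowerShell script is an added example for responders, not BitDefender's own tooling: it performs read-only checks for the persistence and configuration changes described above (the IFEO "Debugger" value for explorer.exe, the dropped copy under "%ProgramFiles%\Microsoft Common", the ProxyEnable setting in the .DEFAULT hive, and an autorun.inf on removable drives that launches system.exe). Registry paths and file names are taken from the description; the values altered under the "Shell Folder" key are not listed on this page, so that key is not checked. Run it from an elevated prompt on the host under investigation; it modifies nothing.

```powershell
# Added example (not part of the original advisory): read-only indicator checks
# for the behaviour described in the technical description above.

$findings = @()

# 1. Image File Execution Options "Debugger" hijack of explorer.exe.
#    Any Debugger value under the explorer.exe key is suspicious on a normal
#    workstation; a value pointing at the dropped path is a direct match.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
if (Test-Path $ifeo) {
    $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "IFEO Debugger value set for explorer.exe: $dbg"
    }
}

# 2. Dropped copy of the malware (location quoted from the description).
$dropped = Join-Path $env:ProgramFiles 'Microsoft Common\svchost.exe'
if (Test-Path $dropped) {
    $findings += "Dropped file present: $dropped"
}

# 3. ProxyEnable forced to 0 in the .DEFAULT hive (key quoted from the description).
#    Caveat: 0 is also the default on hosts that never used a proxy, so treat this
#    as corroborating evidence only, not as an indicator on its own.
$inet = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if (Test-Path $inet) {
    $pe = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).ProxyEnable
    if ($pe -eq 0) {
        $findings += 'ProxyEnable is 0 under HKEY_USERS\.DEFAULT (weak indicator)'
    }
}

# 4. autorun.inf on removable drives (DriveType 2) whose open= or shellexecute=
#    line points at system.exe, the renamed copy named in the description.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path $inf) {
        $text = Get-Content -Path $inf -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?im)^\s*(open|shellexecute)\s*=.*system\.exe') {
            $findings += "autorun.inf on $($_.DeviceID) launches system.exe"
        }
    }
}

# Report.
if ($findings.Count -eq 0) {
    'No indicators from this description were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The IFEO check is the one worth acting on by itself: a "Debugger" value under the explorer.exe key is not set on a normally configured workstation, and removing that value (after copying the referenced binary for analysis) is what stops the malware from being relaunched with Explorer. The ProxyEnable check only corroborates, for the reason given in the comment.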
Removal instructions: Please let BitDefender disinfect your files.
ANALYZED BY: Daniel Chipiristeanu, virus researcher