Threat behavior
TrojanDownloader:Win32/Buzus.C is a trojan that downloads and executes arbitrary files from a remote web server with the IP address 203.179.145.2.
Installation
In the wild, this trojan has been observed to be distributed as the following file names:
- WindowsXP-KB932823-v3-x86-CHT.exe
- WindowsXP-KB950974-x86-CHT.exe
- adobesecurityupdate.exe
When executed, TrojanDownloader:Win32/Buzus.C creates a mutex named "" to identify its presence in memory. The trojan decrypts its payload code at runtime and injects this code into a currently running process "svchost.exe".
Payload
Downloads arbitrary files
Trojan:Win32/Buzus.C attempts to download and execute arbitrary files from the IP address 203.179.145.2 using TCP ports 80 and 443. At the time of this writing, the website and associated file are not available for review.
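The indicators this write-up does give (the download server 203.179.145.2 on TCP 80/443, the injection target svchost.exe, and the three distribution file names) are enough for a simple host/network triage check. The following is an added example, not part of the original analysis; it assumes a constructed, simplified event format (one `NET` or `EXEC` record per line) rather than any real product's log syntax, and it does not use the mutex name, which is not given on this page.

```python
import ipaddress
import re

# Indicators taken from the write-up above.
C2_ADDRESS = ipaddress.ip_address("203.179.145.2")
C2_PORTS = {80, 443}
DROPPER_NAMES = {
    "windowsxp-kb932823-v3-x86-cht.exe",
    "windowsxp-kb950974-x86-cht.exe",
    "adobesecurityupdate.exe",
}

# Assumed (constructed) event formats, one per line:
#   NET <src_ip> <dst_ip> <dst_port> <process>
#   EXEC <image_path> <parent_process>
NET_RE = re.compile(r"^NET (\S+) (\S+) (\d+) (\S+)$")
EXEC_RE = re.compile(r"^EXEC (\S+) (\S+)$")


def check_line(line):
    """Return a finding for a line matching a Buzus.C indicator, else None."""
    m = NET_RE.match(line.strip())
    if m:
        src, dst, port, proc = m.groups()
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            return None  # malformed address: skip rather than match
        if dst_ip == C2_ADDRESS and int(port) in C2_PORTS:
            return f"C2 contact: {proc} on {src} -> {dst}:{port}"
        return None
    m = EXEC_RE.match(line.strip())
    if m:
        image, parent = m.groups()
        # Compare only the basename, case-insensitively (Windows paths).
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in DROPPER_NAMES:
            return f"Known dropper name executed: {image} (parent {parent})"
    return None


def scan(lines):
    """Run check_line over an iterable of events and collect the findings."""
    return [f for f in (check_line(l) for l in lines) if f]


# Constructed sample events, not real telemetry (198.51.100.10 is a test address).
SAMPLE_LOG = [
    "NET 10.0.0.5 203.179.145.2 80 svchost.exe",
    "NET 10.0.0.5 203.179.145.2 8080 svchost.exe",
    "NET 10.0.0.7 198.51.100.10 443 chrome.exe",
    "EXEC C:/Users/alice/Downloads/AdobeSecurityUpdate.exe explorer.exe",
    "EXEC C:/Windows/System32/svchost.exe services.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A real deployment would feed firewall or proxy logs and process-creation telemetry through the same two checks; a hit on the download address from svchost.exe is the stronger signal, since the injection target is otherwise a legitimate system process.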
Analysis by Rex Plantado
Prevention