Trojan:Win32/Bube.G


Trojan:Win32/Bube.G is a Trojan that lowers security settings stored in the registry, attempts to download programs from a remote Web site and disables features in the Windows Security Center.


What to do now

To recover manually from infection by Trojan:Win32/Bube.G, perform the following steps:
  • Disconnect from the Internet.
  • Restart the computer in safe mode.
  • End the Trojan process.
  • Delete the Trojan files from your computer.
  • Delete the Trojan registry entry.
  • Restart the computer. 
  • Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Restart the computer in safe mode

To start your computer in safe mode
  1. Remove all floppy disks and CDs from your computer, and then restart your computer.
  2. When prompted, press F8. If Windows starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows displays graphical output.
  3. From the Windows Advanced Options Menu, select a safe mode option.

End the Trojan process

Ending the Trojan process stops it from downloading further files or rewriting its registry entries while you remove it, and releases the file lock so that msoffice.exe can be deleted in the next step.
To end the Trojan process
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Select the Trojan process 'msoffice.exe' and click End Process.

Delete the Trojan files from your computer

To delete the Trojan files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type <system folder>, for example, C:\Windows\System32
  3. Click OK.
  4. Click Name to sort files by name.
  5. Delete msoffice.exe from the <system folder>
  6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes to confirm the deletion.
If deleting the file fails, use the following steps to verify that the file is not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that the file 'msoffice.exe' is not in the list. If it is, select it, click End Process, and then retry the deletion.

Delete the Trojan registry entry

To delete the Trojan registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, right-click the following value, if it exists: WebRun
  5. Click Delete and click Yes to delete the value.
  6. In the left pane, navigate to the key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  7. In the right pane, right-click the following value, if it exists: Run
  8. Click Delete and click Yes to delete the value.
  9. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  10. In the right pane, right-click the following value, if it exists: WebRun
  11. Click Delete and click Yes to delete the value.
  12. Close the Registry Editor.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. Note that the steps above remove the Trojan's file and startup entries but do not undo the Security Center, Automatic Updates and Windows Firewall policy changes listed under "Threat behavior"; reset those values (or run a full antivirus scan that does so) before treating the computer as protected. See the "Preventing Infection" section for more information.

Threat behavior

Trojan:Win32/Bube.G is a Trojan that lowers security settings stored in the registry, attempts to download programs from a remote Web site and disables features in the Windows Security Center.
 
When Trojan:Win32/Bube.G is first run, it takes the following actions:
 
Drops a copy of itself into the Windows system folder as "msoffice.exe"
Modifies the registry to run this copy of itself each time Windows starts:
 
Adds value: WebRun
With data: <system folder>\msoffice.exe
To subkeys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
 
Adds value: Run
With data: <system folder>\msoffice.exe
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
 
Disables notification by the Windows Security Center that the Windows Firewall is not enabled:
Modifies value: FirewallDisableNotify
With data: 1
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
In subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center
 
Disables Windows Automatic Updates, disables changes to Automatic Update options, and turns off notifications that updates are available for Windows:
 
Changes value: NoAutoUpdate
With data: 1
To subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
To subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
 
Changes value: AUOptions
With data: 1
To subkey: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
To subkey: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
 
Changes value: UpdatesDisableNotify
With data: 1
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
To subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center
 
Disables notification by the Windows Security Center that any installed antivirus software is disabled:
 
Changes value: AntiVirusDisableNotify
With data: 1
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
To subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center
 
Disables the ability to make changes to the Windows Firewall settings:
 
Changes value: EnableFirewall
With data: 1
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
To subkey: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
 
Changes value: EnableFirewall
With data: 1
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
To subkey: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
 
Attempts to download an instruction file, "command.ini", from a remote Web site. The downloaded file may contain any of the following commands:
 
Modify or add registry keys or values
Delete registry keys or values
Launch Internet Explorer and visit a specified URL
Run Explorer.exe with specified parameters
Modify the Internet Explorer start page
Download and execute files from a specified remote Web site

Symptoms

The following symptoms may indicate a Trojan:Win32/Bube.G infection:
 
Presence of file "msoffice.exe" in the Windows system folder.
 
Presence of the following registry modifications:
 
Value: WebRun = <system folder>\msoffice.exe
In subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
 
Value: Run = <system folder>\msoffice.exe
In subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
 
Other symptoms may include:
  • Windows Security Center icon is missing from the Windows system tray.
  • Automatic Updates options are grayed out and Turn off Automatic Updates option is selected.
  • Windows Firewall options are grayed out.
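
The indicators listed under "Threat behavior" and "Symptoms", together with the manual steps under "What to do now", gathered into one PowerShell script. This is an added example and is not part of the original entry. The registry paths, value names and the file name come from the entry; the function names Test-BubeG and Remove-BubeG are this example's own, and it assumes the system folder is %SystemRoot%\System32 and that Windows PowerShell is available on the host (older systems may lack it). Unlike the manual steps, the cleanup also deletes the Security Center, Automatic Updates and Windows Firewall policy values the Trojan sets, which returns those settings to their defaults.

```powershell
# Added example (not part of the Microsoft encyclopedia entry). Checks a host for the
# Trojan:Win32/Bube.G indicators listed in the entry and, on request, removes them.
# Registry paths, value names and the file name come from the entry; the function names
# and the use of %SystemRoot%\System32 as the "system folder" are assumptions.
# Run from an elevated PowerShell prompt.

$SystemFolder = Join-Path $env:SystemRoot 'System32'
$DropperPath  = Join-Path $SystemFolder 'msoffice.exe'

# Startup entries the Trojan adds, all pointing at <system folder>\msoffice.exe.
$RunEntries = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'WebRun' }
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';        Name = 'WebRun' }
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Run' }
)

# Settings the Trojan sets to 1: Security Center notifications off, Automatic Updates
# off, firewall policy enforced so the UI is locked. The manual steps do not revert these.
$LoweredSettings = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'FirewallDisableNotify', 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
        @{ Key = "$hive\SOFTWARE\Microsoft\Security Center"; Name = $name }
    }
    foreach ($name in 'NoAutoUpdate', 'AUOptions') {
        @{ Key = "$hive\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"; Name = $name }
    }
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        @{ Key = "$hive\SOFTWARE\Policies\Microsoft\WindowsFirewall\$profile"; Name = 'EnableFirewall' }
    }
}

function Get-RegValueData {
    # Returns the data of a registry value, or $null if the key or value is absent.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-BubeG {
    # Lists every indicator from the entry that is present on this host.
    $found = @()
    if (Test-Path -LiteralPath $DropperPath) {
        $found += [pscustomobject]@{ Indicator = 'File'; Location = $DropperPath; Data = $null }
    }
    if (Get-Process -Name 'msoffice' -ErrorAction SilentlyContinue) {
        $found += [pscustomobject]@{ Indicator = 'Process'; Location = 'msoffice.exe'; Data = $null }
    }
    foreach ($e in $RunEntries) {
        $data = Get-RegValueData -Key $e.Key -Name $e.Name
        # "Run" under Windows NT\CurrentVersion\Windows is a legitimate value name, so only
        # report startup values that actually reference the dropped file.
        if ($data -like '*msoffice.exe*') {
            $found += [pscustomobject]@{ Indicator = 'Autorun'; Location = "$($e.Key)\$($e.Name)"; Data = $data }
        }
    }
    foreach ($s in $LoweredSettings) {
        $data = Get-RegValueData -Key $s.Key -Name $s.Name
        if ($data -eq 1) {
            $found += [pscustomobject]@{ Indicator = 'LoweredSetting'; Location = "$($s.Key)\$($s.Name)"; Data = $data }
        }
    }
    return $found
}

function Remove-BubeG {
    # Mirrors the manual steps (end process, delete file, delete startup values), then
    # deletes the lowered-setting values so the defaults apply again. Supports -WhatIf:
    # the preference propagates to Stop-Process, Remove-Item and Remove-ItemProperty.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Get-Process -Name 'msoffice' -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path -LiteralPath $DropperPath) {
        Remove-Item -LiteralPath $DropperPath -Force
    }
    foreach ($e in $RunEntries) {
        if ((Get-RegValueData -Key $e.Key -Name $e.Name) -like '*msoffice.exe*') {
            Remove-ItemProperty -LiteralPath $e.Key -Name $e.Name
        }
    }
    foreach ($s in $LoweredSettings) {
        if ((Get-RegValueData -Key $s.Key -Name $s.Name) -eq 1) {
            Remove-ItemProperty -LiteralPath $s.Key -Name $s.Name
        }
    }
}

# Usage: review the findings first, then clean up (Remove-BubeG -WhatIf shows the
# changes without making them; run Remove-BubeG once you have checked them).
Test-BubeG | Format-Table -AutoSize
```

Run Test-BubeG first and treat a startup value that references msoffice.exe as the decisive indicator; a lowered setting on its own can have other causes. The script covers only the artifacts this entry names: anything the Trojan fetched through command.ini is outside it, so follow the cleanup with a full antivirus scan and the restart the entry already requires.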

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 20, 2005
This entry was updated on: May 14, 2007

This threat is also detected as:
  • Virus.Win32.Bube.k (Kaspersky)
  • Troj/Bube-K (Sophos)
  • TROJ_BUBE.E (Trend Micro)