TrojanDownloader:Win32/Bulilit.A is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer.
creates the following files on an affected computer:
<system folder>\dx5.exe - detected as TrojanDownloader:Win32/Bulilit.A
c:\documents and settings\administrator\local settings\temp\is-46adc.tmp\is-tbi1h.tmp
c:\documents and settings\administrator\local settings\temp\is-dno7u.tmp\_iscrypt.dll
c:\documents and settings\administrator\local settings\temp\is-dno7u.tmp\_isetup\_shfoldr.dll
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The malware modifies the following registry entries to ensure <system folder>\dx5.exe executes at each Windows start:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: "RunmeAtStartup"
With data: "c:\windows\system32\dx5.exe"
Contacts remote host
TrojanDownloader:Win32/Bulilit.A may contact a remote host at a8d61.3bc6ad2ed.com using port 90. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 5579b1f2e874f0dd6cf49d6e94fc2cbf03d26bd0.