TrojanDownloader:Win32/Buzus.C is a trojan that downloads and executes arbitrary files from a remote web server with the IP address 126.96.36.199.
In the wild, this trojan has been observed being distributed under the following file names:
When executed, TrojanDownloader:Win32/Buzus.C creates a mutex named "" to identify its presence in memory. The trojan decrypts its payload code at runtime and injects this code into a currently running process, "svchost.exe".
Downloads arbitrary files
Trojan:Win32/Buzus.C attempts to download and execute arbitrary files from the IP address 188.8.131.52 using TCP ports 80 and 443. At the time of this writing, the website and associated file are not available for review.
Analysis by Rex Plantado
The following system changes may indicate the presence of this malware: