TrojanDownloader:Win32/Bubnix.A


TrojanDownloader:Win32/Bubnix.A is a trojan that downloads and executes other malware.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

TrojanDownloader:Win32/Bubnix.A is a trojan that downloads and executes other malware.
Installation
TrojanDownloader:Win32/Bubnix.A may be downloaded or dropped by other malware. It drops a copy of itself in the Windows Temporary Files folder using a randomly-generated file name. To prevent several instances of itself from running in memory, it generates pseudo-randomly named mutexes and events.
Payload
Downloads other malware
TrojanDownloader:Win32/Bubnix.A attempts to connect to any of the following IP addresses and download a rootkit trojan from them:
 
  • 69.4.230.76
  • 208.101.27.44
  • 74.86.210.134
 
In the wild, this trojan has been known to download Trojan:WinNT/Bubnix.gen!A.
 
If the download is successful, it drops the downloaded rootkit as "<system folder>\driver\<random>.sys". It then registers the rootkit as a kernel driver service with the name "Boot Bus Extender". Note that "Boot Bus Extender" is also the name of a legitimate Windows driver load-order group (the bus drivers such as pci.sys and acpi.sys belong to it), so the indicator is a service whose name is "Boot Bus Extender", not a driver that merely belongs to that group.
 
Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
 
Analysis by Rodel Finones
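The behaviour above gives an analyst two host-side indicators to triage: a kernel-driver service named "Boot Bus Extender" whose ImagePath is a .sys file under the system folder, and TCP connections to the three download addresses. The following script is an added example, not code from Microsoft or from the analysis credited above; it checks constructed sample data offline. The service records, the random driver file name "kxmq.sys", the netstat lines and the PIDs are all constructed for the example, and the regex accepts both the page's "driver" folder and the standard "drivers" folder as an assumption.

```python
"""Offline triage for the Bubnix.A indicators described above.

All sample input is constructed. On a real host, feed check_services() records
exported from HKLM\\SYSTEM\\CurrentControlSet\\Services and check_connections()
the text of `netstat -ano`.
"""
import re
from dataclasses import dataclass

# Download hosts listed in the write-up.
BUBNIX_C2_IPS = frozenset({"69.4.230.76", "208.101.27.44", "74.86.210.134"})

# Service *name* used when the rootkit is registered (compared case-insensitively).
BUBNIX_SERVICE_NAME = "boot bus extender"

# SERVICE_KERNEL_DRIVER from winnt.h: the "Type" value of a driver service key.
SERVICE_KERNEL_DRIVER = 0x1

# "<system folder>\driver\<random>.sys" as written on the page; "drivers" is also
# accepted (assumption: the singular spelling may be a typo for the standard folder).
DRIVER_PATH_RE = re.compile(r"\\system32\\drivers?\\[^\\]+\.sys$", re.IGNORECASE)

# One TCP line of `netstat -ano`: proto, local addr, remote ip:port, state, pid.
NETSTAT_TCP_RE = re.compile(
    r"^\s*TCP\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


@dataclass(frozen=True)
class ServiceRecord:
    name: str          # key name under ...\Services
    service_type: int  # "Type" value
    image_path: str    # "ImagePath" value
    group: str = ""    # "Group" (load-order group) value, if present


def check_services(records):
    """Return one finding per service matching the Bubnix.A persistence pattern.

    Only the service *name* is decisive: "Boot Bus Extender" is also a legitimate
    load-order group, so a service whose Group is "Boot Bus Extender" (pci, acpi,
    ...) is normal and must not be flagged.
    """
    findings = []
    for svc in records:
        if svc.name.strip().lower() != BUBNIX_SERVICE_NAME:
            continue
        reasons = ["service name matches Bubnix.A rootkit service"]
        if svc.service_type == SERVICE_KERNEL_DRIVER:
            reasons.append("registered as kernel driver")
        if DRIVER_PATH_RE.search(svc.image_path):
            reasons.append("ImagePath is a .sys under system32\\driver(s)")
        findings.append(f"{svc.name}: " + "; ".join(reasons) + f" ({svc.image_path})")
    return findings


def check_connections(netstat_output):
    """Return (remote_ip, remote_port, state, pid) for TCP connections to the
    download hosts; non-TCP and header lines are ignored."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_TCP_RE.match(line)
        if not m:
            continue
        remote_ip, remote_port, state, pid = m.groups()
        if remote_ip in BUBNIX_C2_IPS:
            hits.append((remote_ip, int(remote_port), state, int(pid)))
    return hits


# Constructed sample data: one legitimate bus driver in the "Boot Bus Extender"
# group, one service that looks like the Bubnix.A rootkit, one user-mode service.
SAMPLE_SERVICES = [
    ServiceRecord("pci", SERVICE_KERNEL_DRIVER,
                  r"System32\drivers\pci.sys", group="Boot Bus Extender"),
    ServiceRecord("Boot Bus Extender", SERVICE_KERNEL_DRIVER,
                  r"\SystemRoot\system32\driver\kxmq.sys"),  # constructed name
    ServiceRecord("Spooler", 0x10, r"%SystemRoot%\System32\spoolsv.exe"),
]

# Constructed `netstat -ano` excerpt; 192.0.2.10 is a documentation address.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49711     208.101.27.44:80       ESTABLISHED     2480
  TCP    192.168.1.20:49712     192.0.2.10:443         ESTABLISHED     3312
"""

if __name__ == "__main__":
    for f in check_services(SAMPLE_SERVICES):
        print("SERVICE:", f)
    for h in check_connections(SAMPLE_NETSTAT):
        print("CONNECTION:", h)
```

Run against the sample data it reports only the "Boot Bus Extender" service and the connection to 208.101.27.44; pci.sys is not reported despite belonging to the group of the same name. The IP list is a snapshot from the time of analysis, so a clean connection check does not prove the host is clean; the service-name check is the more durable of the two.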

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.71.1161.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 21, 2009
This entry was first published on: Jan 11, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Packed.Win32.Krap.xq (Kaspersky)
  • TR/Agent.X.407 (Avira)
  • Trojan.Downloader.Bredolab.BU (BitDefender)
  • Win32/Agent.QMR (ESET)
  • Bredolab.gen.l (McAfee)
  • TROJ_BUBNIX.B (Trend Micro)