Threat behavior
Trojan:WinNT/Bubnix.D is a kernel mode trojan that masks its presence on an affected computer by blocking registry and file access to itself. The trojan may report its installation to a remote server and download and execute arbitrary files.
Installation
Trojan:WinNT/Bubnix.D may be installed by other malware such as TrojanDownloader:Win32/Bubnix.A. The trojan is dropped as a randomly named driver file and registered as a kernel-mode service with the same name as the file, as in the following example:
file name: <%SystemRoot%>\System32\drivers\xjnjal.sys
service name: "xjnjal"
The trojan creates a device name as "\Device\<GUID string>" as in the following example:
\Device\{2914E018-A52C-9C7D-A1BA-606512FF990B}
Trojan:WinNT/Bubnix.D injects and runs malicious code in the process "services.exe" and periodically rewrites its file to prevent removal. It also uses rootkit methods to hide its file and registry entries.
Payload
Downloads and executes arbitrary files
Trojan:WinNT/Bubnix.D contacts a remote server to report its installation on the affected computer. The trojan attempts to download and execute arbitrary files from the IP address "96.0.203.82".
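The installation and payload sections above describe artifacts that can be hunted for from user mode: a randomly named .sys file under %SystemRoot%\System32\drivers with a kernel-driver service of the same name, a file and registry key that the rootkit component hides, code running inside services.exe, and outbound traffic to 96.0.203.82. The following PowerShell script is an added hunting example, not code from the Microsoft encyclopedia entry. It cross-checks three views of installed kernel drivers (Service Control Manager, the Services registry hive, the drivers directory listing), so that a driver whose file or key is filtered from one view but not another stands out, and it inspects TCP connections for the listed address and for sessions owned by services.exe. The name pattern `^[a-z]{5,8}$`, the "Microsoft-signed means benign" shortcut and the assumption that services.exe normally has no established outbound TCP sessions are heuristics chosen for this example, not indicators from the entry.

```powershell
# Added hunting script; not part of the Microsoft encyclopedia entry.
# Looks for the Bubnix.D artifacts described in the entry. Thresholds are assumptions.
#Requires -RunAsAdministrator

$DriversDir = Join-Path $env:SystemRoot 'System32\drivers'
$C2Address  = '96.0.203.82'            # remote address named in the entry
$Findings   = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# ImagePath comes in several spellings: \SystemRoot\..., system32\..., \??\C:\...
function Resolve-ImagePath([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    $p = $Path.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# View 1: kernel drivers as the Service Control Manager reports them.
$scmNames = @(Get-CimInstance Win32_SystemDriver | ForEach-Object { $_.Name.ToLower() })

# View 2: kernel-driver service keys read from the registry (Type 1 = SERVICE_KERNEL_DRIVER).
$regKeys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Type -eq 1 }
$regNames = @($regKeys | ForEach-Object { $_.PSChildName.ToLower() })

# View 3: the .sys files the file system is willing to list.
$diskSys = @(Get-ChildItem $DriversDir -Filter *.sys -ErrorAction SilentlyContinue |
    ForEach-Object { $_.BaseName.ToLower() })

# Cross-view 1: SCM and registry should agree. A rootkit filtering only one of these
# code paths shows up as a name present in one view and missing from the other.
if ($scmNames.Count -gt 0 -and $regNames.Count -gt 0) {
    foreach ($d in (Compare-Object $scmNames $regNames)) {
        $side = if ($d.SideIndicator -eq '<=') { 'SCM only' } else { 'registry only' }
        Add-Finding 'ViewMismatch' $d.InputObject "kernel driver service seen by $side"
    }
}

foreach ($key in $regKeys) {
    $name  = $key.PSChildName
    $image = Resolve-ImagePath (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $image) { continue }
    $base = [IO.Path]::GetFileNameWithoutExtension($image).ToLower()
    $inDriversDir = $image.ToLower().StartsWith($DriversDir.ToLower())

    # Cross-view 2: the registry points at a file under System32\drivers that the file
    # system will not show. Bubnix keeps rewriting its file, so it should be present.
    if ($inDriversDir -and ($diskSys -notcontains $base) -and -not (Test-Path -LiteralPath $image)) {
        Add-Finding 'HiddenFile' $name "ImagePath $image not visible from user mode"
        continue
    }

    # Bubnix naming: service name equals the .sys base name and looks random (example: xjnjal).
    # Assumed heuristic; a valid Microsoft signature on a visible file rules the hit out.
    if ($inDriversDir -and ($base -eq $name.ToLower()) -and ($name -match '^[a-z]{5,8}$')) {
        $sig = Get-AuthenticodeSignature -FilePath $image -ErrorAction SilentlyContinue
        $msSigned = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft'
        if (-not $msSigned) {
            Add-Finding 'RandomName' $name "non-Microsoft or unsigned driver at $image (status: $($sig.Status))"
        }
    }
}

# Network: any connection to the address in the entry, plus established sessions owned by
# services.exe, the process the trojan injects into (assumed to have none of its own normally).
$svcPids = @(Get-Process -Name services -ErrorAction SilentlyContinue | ForEach-Object Id)
Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.RemoteAddress -eq $C2Address) {
        Add-Finding 'C2Contact' "pid $($_.OwningProcess)" "connection to ${C2Address}:$($_.RemotePort) ($($_.State))"
    } elseif (($svcPids -contains $_.OwningProcess) -and $_.State -eq 'Established') {
        Add-Finding 'ServicesOutbound' 'services.exe' "established session to $($_.RemoteAddress):$($_.RemotePort)"
    }
}

if ($Findings.Count -eq 0) {
    Write-Host 'No Bubnix-style indicators visible from user mode.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session; Get-NetTCPConnection requires Windows 8 / Server 2012 or later. A kernel-mode rootkit that filters every user-mode view consistently, as the entry says this one does for both file and registry access, will produce no mismatch here, and the \Device\{GUID} object name cannot be enumerated with built-in cmdlets (a tool such as Sysinternals WinObj is needed). Treat a clean result as inconclusive: the reliable check is to boot from trusted media and compare the offline SYSTEM hive's Services key against the contents of System32\drivers on disk.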
Analysis by Shawn Wang
Prevention