Threat behavior
Trojan:WinNT/Bubnix.I is a trojan that is downloaded and installed by other malware. It is installed as a system driver.
Trojan:WinNT/Bubnix.I sends out spam email messages.
Installation
Trojan:WinNT/Bubnix.I arrives as a packed and obfuscated file to prevent analysis. It is downloaded and installed by other malware as the following file:
- <system folder>\drivers\<random file name>.sys
Note: <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
It hides its files and registry keys to avoid detection.
Payload
Injects code into a running process
Trojan:WinNT/Bubnix.I injects code into the following process:
It also periodically overwrites the process file, in effect rendering removal tools useless.
Connects to a remote server
Trojan:WinNT/Bubnix.I reports that it has been successfully installed on the computer by connecting to a remote server.
Downloads and installs arbitrary files
Trojan:WinNT/Bubnix.I downloads and executes other files from remote servers.
Sends spam email messages
Trojan:WinNT/Bubnix.I sends out spam email messages using data received from a remote server. The messages are sent using the servers listed in the mail exchange (MX) records returned for the following domains:
- digg.com
- gmail.com
- google.com
- wikipedia.org
- youtube.com
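Because the trojan delivers spam straight to the MX hosts of the domains above, a workstation opening outbound port 25 to such hosts is a useful detection signal. The following script is an added example, not part of the original write-up: it reads constructed firewall/netflow records and flags every internal host other than the assumed legitimate mail relay that talks SMTP, marking whether the destination is a known MX host (the relay address and MX hostnames are placeholder assumptions).

```python
"""Flag internal hosts that send SMTP directly to external MX servers.

Added detection example, not code from the original encyclopedia entry.
On most networks only the designated mail relay should open outbound
port 25, so any other host doing so (especially to a known MX host of
the domains named in the write-up) is a spambot candidate.
"""
from collections import defaultdict

# Constructed log lines: src_ip dst_host dst_port connection_count
SAMPLE_LOG = """\
10.0.0.15 gmail-smtp-in.l.google.com 25 3
10.0.0.15 aspmx.l.google.com 25 5
10.0.0.15 mx.example.net 25 1
10.0.0.20 wikipedia.org 443 12
10.0.0.5 gmail-smtp-in.l.google.com 25 40
"""

# Assumption: 10.0.0.5 is the organisation's legitimate outbound mail relay.
MAIL_RELAYS = {"10.0.0.5"}

# Assumption: MX hostnames for the listed domains, pre-resolved at analysis
# time; these are placeholder values, not taken from the write-up.
KNOWN_MX = {"gmail-smtp-in.l.google.com", "aspmx.l.google.com"}


def parse_log(text):
    """Yield (src, dst, port, count) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, count = line.split()
        yield src, dst, int(port), int(count)


def find_spambot_candidates(log_text, relays=MAIL_RELAYS, mx_hosts=KNOWN_MX):
    """Return {src: [(dst, count, is_known_mx), ...]} for non-relay SMTP senders."""
    hits = defaultdict(list)
    for src, dst, port, count in parse_log(log_text):
        if port != 25 or src in relays:
            continue  # not SMTP, or sent by the sanctioned relay
        hits[src].append((dst, count, dst in mx_hosts))
    return dict(hits)


if __name__ == "__main__":
    for host, conns in find_spambot_candidates(SAMPLE_LOG).items():
        print(host, conns)
```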
Analysis by Daniel Radu
Prevention