Threat behavior
Trojan:WinNT/Bubnix.L is a generic detection for a kernel-mode driver installed by other malware that hides its presence on an affected computer by blocking registry and file access to itself. The trojan may report its installation to a remote server, download and distribute spam email messages, and could download and execute arbitrary files.
Installation
The trojan may be present as a randomly named file with a service with the same name, as in the following example:
file name: %SystemRoot%\System32\drivers\gkcldzhg.sys
service name: "gkcldzhg"
The trojan creates a device name as "\Device\<GUID string>", as in the following example:
\Device\{2914E018-A52C-9C7D-A1BA-606512FF990B}
Trojan:WinNT/Bubnix.L injects and runs malicious code in the process "services.exe", and periodically rewrites its file to prevent removal. It also uses rootkit methods to hide its file and registry entries.
Payload
Downloads and executes arbitrary files
Trojan:WinNT/Bubnix.L contacts a remote server to report its installation on the affected computer. The trojan attempts to download and execute arbitrary files from a predefined web address such as "go-thailand-now.com".
Distributes spam
The trojan retrieves configuration data containing spam information from a remote server and attempts to distribute spam via servers listed in mail exchange (MX) records returned from following domains:
-
gmail.com
-
wikipedia.org
-
digg.com
-
google.com
-
youtube.com
Analysis by Scott Molenkamp & Shawn Wang
Prevention
