Threat behavior
TrojanSpy:Win32/Bzub.GB installs a Web Browser Helper Object (BHO) that monitors typed logon credentials for accessed Web sites. The Trojan BHO is identified as TrojanSpy:Win32/Bzub.GB.dll.
Installation
If run, Win32/Bzub.GB installs a Trojan BHO into the Windows system folder. An existing DLL on the system is first selected at random (for example dmconf.dll). Next, the Trojan writes the BHO with the same file name as the selected DLL, but with either a random letter appended, or the last letter removed (for example dmconfi.dll or dmcon.dll).
The Trojan registers the dropped BHO to run when the default Web browser is run, by creating keys in the registry, as in this example:
Adds value: (default)
With data: <system folder>\comrep.dll
In subkey: HKEY_CLASSES_ROOT\SOFTWARE\Classes\CLSID\{B4EB0A3C-FDCE-47A8-82CF-6EBEA5FB2BEA}\InprocServer32
The Trojan creates other registry values with data within the HKEY_LOCAL_MACHINE hive, as in this example:
Adds value: bf
With data: <binary data>
Adds value: bk
With data: <binary data>
Adds value: iu
With data: <binary data>
In subkey: ..\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings
Lastly, the Trojan installer deletes itself.
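The installation pattern above (a BHO DLL whose name is an existing system DLL with one letter appended or the last letter removed, registered under a CLSID InprocServer32 key, plus binary values named bf, bk and iu under Browser Settings) gives a defender three concrete things to look for. The following is an added example, not part of the encyclopedia entry, that implements those checks as offline heuristics: the system-folder listing and the BHO registrations are constructed sample data (on a live host they would be read with os.listdir and winreg), the second CLSID and the Program Files path are invented placeholders, and the only value taken from the entry is the CLSID it lists.

```python
"""Detection heuristics for the Win32/Bzub.GB install pattern (added example).

Assumptions: inputs are plain Python data so the script runs offline; a reader
would populate them from os.listdir(<system folder>) and winreg on a real host.
"""
import ntpath
import re

# Only plain DLL names are considered (lowercased stem is used for matching).
DLL_RE = re.compile(r"^[a-z0-9_]+\.dll$", re.IGNORECASE)

# Constructed sample listing of a system folder. comrep.dll / comre.dll and
# dmconf.dll / dmconfi.dll mimic the naming trick the entry describes.
SAMPLE_SYSTEM_DLLS = [
    "dmconf.dll", "dmconfi.dll", "kernel32.dll", "user32.dll",
    "comrep.dll", "comre.dll", "ntdll.dll",
]

# Constructed sample of CLSID -> InprocServer32 path for registered BHOs.
# The first CLSID is the one quoted in the entry; the second is a placeholder.
SAMPLE_BHO_REGISTRATIONS = {
    "{B4EB0A3C-FDCE-47A8-82CF-6EBEA5FB2BEA}": r"C:\Windows\System32\comrep.dll",
    "{00000000-0000-0000-0000-000000000000}": r"C:\Program Files\Vendor\toolbar.dll",
}

# Value names the entry says are written under ...\Explorer\Browser Settings.
BROWSER_SETTINGS_MARKERS = {"bf", "bk", "iu"}


def lookalike_dlls(filenames):
    """Return sorted (a, b) name pairs where one stem equals the other stem
    minus its last character. This covers both tricks in the entry: a random
    letter appended (suspect[:-1] == original) and the last letter removed
    (original[:-1] == suspect). Which of the two is the original cannot be
    decided from names alone, so the pair is reported unordered."""
    stems = {}
    for name in filenames:
        if DLL_RE.match(name):
            stems[name.lower()[:-4]] = name
    pairs = set()
    for stem, name in stems.items():
        shorter = stem[:-1]
        if shorter and shorter in stems:
            pairs.add(tuple(sorted((name, stems[shorter]))))
    return sorted(pairs)


def flag_bho_registrations(bho_paths, pairs):
    """Return (clsid, path) for every BHO whose DLL file name takes part in a
    lookalike pair; bho_paths maps CLSID -> InprocServer32 (default) value."""
    suspect_names = {n.lower() for pair in pairs for n in pair}
    return sorted(
        (clsid, path) for clsid, path in bho_paths.items()
        if ntpath.basename(path).lower() in suspect_names
    )


def browser_settings_markers(values):
    """Return which of the bf/bk/iu value names are present in the dict of
    value name -> data read from the Browser Settings subkey."""
    return sorted(name for name in values if name in BROWSER_SETTINGS_MARKERS)


if __name__ == "__main__":
    pairs = lookalike_dlls(SAMPLE_SYSTEM_DLLS)
    print("lookalike DLL pairs:", pairs)
    print("suspect BHOs:", flag_bho_registrations(SAMPLE_BHO_REGISTRATIONS, pairs))
    print("markers:", browser_settings_markers({"bf": b"\x01", "iu": b"\x02", "x": b""}))
```

Legitimate near-name pairs do occur in a real system folder, so a hit from lookalike_dlls is a lead to verify (file signature, catalog membership, creation time next to the BHO registration), not a verdict; the BHO cross-check narrows it to DLLs that are actually loaded into the browser, which is where this family lives.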
Payload
Monitors Sensitive User Input
When Internet Explorer runs, the DLL is loaded into IE as a BHO; it then monitors user-entered URLs and web form data.
Additional Information
This Trojan attempts to delete the security product value "SpybotSD TeaTimer" from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Prevention