Virus:Trojan-Spy.Win32.BZub.ji

Other versions: .ar , .jj

Detection added May 17 2007 07:45 GMT
Update released May 17 2007 09:35 GMT
Description added Jun 09 2007
Behavior TrojanSpy
Technical details

This Trojan is designed to steal confidential data. This Trojan is a Windows DLL file. The file is 67 776 bytes in size. It is not packed in any way. It is written in Visual C++.

Installation

This Trojan will be installed to the victim machine by other malicious programs.

Once launched, the Trojan will:

  • The Trojan adds the following object class: [HKLM\Software\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}] [HKLM\Software\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}] [HKLM\Software\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32] "<path to Trojan program>"
  • It registers the following Browser Helper Object: [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
  • It alters the configuration of Internet Explorer: [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ StandardProfile\AuthorizedApplications\List]
    "IEXPLORE.EXE" = "IEXPLORE.EXE:*:Enabled:Internet"
    [HKCU]\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
    [HKCU\Software\Internet Explorer\Main]
    "Enable Browser Extensions" = "yes"
  • It also creates the following key with installation parameters: [HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\load]
Payload

When Internet Explorer is launched, the Trojan will be launched automatically. Once launched, the Trojan searches for cached passwords. It also saves passwords entered by the user to a file called "form.txt".

The Trojan also creates a file called "info.txt" and save the following information to this file:

  • computer name
  • IP address
  • operating system
  • name of user account
  • data from Outlook
Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Close Internet Explorer.
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following parameters from the system registry (see What is a system registry and how do I use it for details on how to edit the registry):
    [HKLM\Software\Classes\AppID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
    [HKLM\Software\Classes\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {36DBC179-A19F-48F2-B16A-6A3E19B42A87}]
    [HKCU]\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\ {36DBC179-A19F-48F2-B16A-6A3E19B42A87}
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Control Panel\load]
  4. Update your antivirus databases and perform a full scan of the computer ( download a trial version of Kaspersky Anti-Virus).
HOME