Win32/Bubnix [Threat Name]

Win32/Bubnix.AA [Threat Variant Name]

Available cleaner [Download Bubnix Cleaner]

Category trojan
Size 1048576 B
Detection created Apr 15, 2010
Signature database version 5032
Aliases Rootkit.Win32.Agent.berb (Kaspersky)
  Trojan:WinNT/Bubnix.gen!A (Microsoft)
  Hacktool.Rootkit (Symantec)
Short description

Win32/Bubnix.AA is a trojan that is used for spam distribution. It uses techniques common to rootkits. The file is run-time compressed using VMProtect.

Installation

The trojan is usually a part of other malware.


The trojan does not create any copies of itself.


The trojan creates and runs a new thread with its own program code within the following processes:

  • services.exe

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%servicename%]
    • "%variable%" = %data%

A string with variable content is used instead of %variable%.

Spam distribution

Win32/Bubnix.AA is a trojan that is used for spam distribution.


The message depends entirely on data the trojan downloads from the Internet.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of IP addresses. The trojan generates various URL addresses.


It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • amazon.com
  • aol.com
  • digg.com
  • facebook.com
  • flickr.com
  • google.com
  • gmail.com
  • hotmail.com
  • microsoft.com
  • mozilla.org
  • msn.com
  • slashdot.org
  • wikipedia.org
  • yahoo.com
  • youtube.com

The trojan hides its presence in the system. It uses techniques common to rootkits.