Win32/Bundpil [Threat Name]

Win32/Bundpil.A [Threat Variant Name]

Category worm
Size 160256 B
Detection created Jan 10, 2013
Signature database version 7879
Aliases Trojan.Win32.Jorik.Androm.bme (Kaspersky)
  Worm:Win32/Gamarue.I (Microsoft)

Win32/Bundpil.A is a worm that spreads via removable media.

Installation

When executed, the worm creates one of the following files:

  • %temp%\$MSI\~msiexec.exe (37376 B, Win32/TrojanDownloader.Wauchos.A)
  • %userprofile%\%variable%.exe (37376 B, Win32/TrojanDownloader.Wauchos.A)
  • %allusersprofile%\Local Settings\Temp\%variable%.exe (37376 B, Win32/TrojanDownloader.Wauchos.A)

A string with variable content is used instead of %variable%.

The file is then executed.

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
    • "Hidden" = 2
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
    • "0022FF03" = %binarydata% (42080 B)
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft]
    • "0022FF03" = %binarydata% (42080 B)
  • [HKEY_CURRENT_USER\SOFTWARE]
    • "e_magic" = %binarydata% (124928 B)

The worm launches the following processes:

  • %originalmalwarefilepath%

The worm creates and runs a new thread with its own code within these running processes.

Spreading on removable media

Win32/Bundpil.A is a worm that spreads via removable media.


The worm creates the following files:

  • %removabledrive%\ \desktop.ini (126 B)
  • %removabledrive%\~$W%variable%.USBDrv (53760 B, Win32/Bundpil.A)
  • %removabledrive%\desktop.ini (1888 B, Win32/Bundpil.A)
  • %removabledrive%\Thumbs.db

A string with variable content is used instead of %variable%.

The worm also creates the following shortcut files:

  • %removabledrive%\%drivename% (%drivesize%GB).lnk
  • %removabledrive%\My Removable Device.lnk

These are shortcuts to files of the worm.


The worm searches for files and folders on removable drives.


It avoids drives which contain any of the following folders:

  • DCIM
  • Windows

The worm may delete the following folders:

  • *Backup.*

The worm attempts to delete the following files:

  • %existingfoldername%.exe
  • %existingfoldername%.vbs
  • %existingfoldername%.pif
  • %existingfoldername%.cmd
  • *~$W*
  • *~DATA*
  • *~W144*
  • *pill_*
  • *Backup.*
  • *blue_*
  • *.INF
  • *.LNK
  • *.INI
  • LaunchU3.exe
  • Thumbs.db

The worm creates the following folders:

  • %removabledrive%\\

The worm moves the content of the following folders (source, destination):

  • %removabledrive%\%folder%, %removabledrive%\\%folder%

The worm moves the following files (source, destination):

  • %removabledrive%\%file%, %removabledrive%\\%file%
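
A triage check for the removable-drive artefacts and the Explorer Registry values described above, written as an added Python example (not ESET's code). It scans the root of a drive for the decoy .lnk names, the ~$W*.USBDrv body, the 1888-byte desktop.ini and a container folder with a blank or non-printable name, and separately evaluates the ShowSuperHidden/Hidden pair from values the caller has read (for instance with winreg); the drive layout built by demo_scan() is constructed sample data, and the .lnk and PE contents in it are placeholders.

```python
import re
import tempfile
from pathlib import Path

# Name patterns taken from the file list above; matching is case-insensitive as on NTFS/FAT.
DECOY_LNK = re.compile(r"^(My Removable Device|.+ \(\d+GB\))\.lnk$", re.IGNORECASE)
WORM_BODY = re.compile(r"^~\$W.*\.USBDrv$", re.IGNORECASE)

def is_container_dirname(name: str) -> bool:
    """A blank or non-printable folder name is where the drive's real content gets moved."""
    return name.strip() == "" or not name.isprintable()

def scan_drive_root(root: Path) -> list[str]:
    """Return one finding per Bundpil-style artefact found in the root of a drive."""
    findings = []
    for entry in sorted(root.iterdir(), key=lambda p: p.name):
        name = entry.name
        if entry.is_dir():
            if is_container_dirname(name):
                findings.append("container folder: " + repr(name))
        elif DECOY_LNK.match(name):
            findings.append("decoy shortcut: " + name)
        elif WORM_BODY.match(name):
            findings.append("worm body: " + name)
        elif name.lower() == "desktop.ini" and entry.stat().st_size == 1888:
            findings.append("desktop.ini of 1888 bytes in drive root")
    return findings

def explorer_hiding_enforced(advanced_values: dict) -> bool:
    """True for the ShowSuperHidden=0 / Hidden=2 pair the worm writes under Explorer\\Advanced."""
    return advanced_values.get("ShowSuperHidden") == 0 and advanced_values.get("Hidden") == 2

def demo_scan() -> list[str]:
    """Build a constructed drive layout in a temp dir (sample data, not a capture) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="bundpil_demo_"))
    (root / "Kingston (8GB).lnk").write_bytes(b"L\x00\x00\x00")  # placeholder, not a real .lnk
    (root / "~$W9f3a.USBDrv").write_bytes(b"MZ")                  # placeholder, not a real PE
    (root / "desktop.ini").write_bytes(b"\x00" * 1888)
    hidden = root / "\xa0"                                        # non-breaking space as folder name
    hidden.mkdir()
    (hidden / "Documents").mkdir()                                # the user's real folder, moved here
    (root / "Photos").mkdir()                                     # ordinary folder, must not be flagged
    return scan_drive_root(root)

if __name__ == "__main__":
    print("\n".join(demo_scan()))
```

Pointing scan_drive_root() at a mounted drive letter (Path("E:/")) gives the same kind of listing for a real device; a .lnk match is a name-only heuristic, so confirm its target before acting on it.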

Other information

The worm contains a URL address.


It tries to download several files from the address.


These are stored in the following locations:

  • %temp%\%variable%.tmp
  • %drive%:\Thumbs.db
  • C:\Temp\TrustedInstaller.exe

The files are then executed. The HTTP protocol is used.

A string with variable content is used instead of %variable%.
