Win32/Buroonux [Threat Name] go to Threat

Win32/Buroonux.M [Threat Variant Name]

Category trojan
Size 57344 B
Detection created Jan 22, 2015
Detection database version 11058
Short description

The trojan serves as a backdoor. It can be controlled remotely. The trojan is probably a part of other malware.


When executed the trojan copies itself in the following locations:

  • %commonappdata%\­Microsoft\­Windows\­LiveUpdata_Mem\­_Fire.dll
  • %commonappdata%\­Microsoft\­Windows\­LiveUpdata_Mem\­CrtRunTime.log
  • %commonappdata%\­Microsoft\­Windows\­Burn\­%computername%.dll
  • %systemdrive%\­Program Files\­Internet Explorer\­ws2_32.dll

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­Explorer\­Run]
    • "%computername%" = "%system%\­rundll32.exe %commonappdata%\­Microsoft\­Windows\­Burn\­%computername% ServiceMain"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "shell" = "explorer.exe, %system%\­rundll32.exe %commonappdata%\­Microsoft\­Windows\­Burn\­%computername% ServiceMain"

The following files may be dropped:

  • %commonappdata%\­Microsoft\­Windows\­Proe.t
  • %commonappdata%\­Microsoft\­Windows\­Prod.t
  • %commonappdata%\­Microsoft\­Windows\­Burn\­~x.bmp
  • %commonappdata%\­Microsoft\­Windows\­Exit.log

The trojan keeps various information in the following files:

  • %malware_filepath%c
  • %common_appdata%\­Microsoft\­Windows\­Burn\­~x.bmp

The files contain the program code of the malware.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows Media]
    • "XC" = %binaryvalue%

After the installation is complete, the trojan deletes the original executable file.

Other information

The trojan behaves differently if it detects a running process containing one of the following strings in its name:

  • avp.exe
  • avpui.exe
  • ccsvchst.exe
  • nis.exe
  • uiseagnt.exe
  • uiwatchdog.exe

The trojan may execute the following files:

  • %system%\­rundll32.exe %commonappdata%\­Microsoft\­Windows\­LiveUpdata_Mem\­CrtRunTime.log #501
  • %systemdrive%\­Program Files\­Internet Explorer\­iexplore.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address.

It tries to download a file from the address.

The file is stored in the following location:

  • %commonappdata%\­Microsoft\­Windows\­Burn\­_%computername%.log

The file is then executed.

Please enable Javascript to ensure correct displaying of this content and refresh this page.