Win32/Butileg [Threat Name]

Win32/Butileg.G [Threat Variant Name]

Category: virus, worm
Size: 6508 B
Detection created: May 25, 2007
Detection database version: 2291
Aliases: Worm.Win32.Butileg.b (Kaspersky)
         W32.Fubalca.D (Symantec)
         Trojan.Downloader.Fubalca.A (BitDefender)
Short description

Win32/Butileg.G is a worm that spreads via removable media. The worm infects executable files. The worm tries to download and execute several files from the Internet. The file is run-time compressed using UPack.

Installation

When executed, the worm copies itself to the following locations:

  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\msosv.exe
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\msosvext.exe

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello World]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE"
    • "DisplayName" = "lÖÓnÍrͨN¶Đ­Né"
    • "ObjectName" = "LocalSystem"
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • game.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Executable file infection

The worm searches local and network drives for files with one of the following extensions:

  • .exe

The worm infects the files by inserting its code at the beginning of the original program.

When an infected file is executed, the original program is dropped into a temporary file and run.

The name of the temporary file is:

  • Run_TempA.exe

It avoids files with the following filenames:

  • xyqplayer.exe
  • XY1Update.exe
  • XY1Patch.exe
  • gpatch.exe
  • WowError.exe
  • BackgroundDownloader.exe
  • Repair.exe
  • WoW.exe
  • soul.exe
  • AutoPatch.exe
  • Client.exe
  • elementclient.exe
  • uninstall.exe
  • ztconfig.exe
  • patchupdate.exe
  • VMPFULL_TENCENT.EXE
  • uninst000.exe
  • Timwp.exe
  • TIMPlatform.exe
  • QQLIVEUPDATE.EXE
  • QQPLAYERSVR.EXE
  • MAGICFLASH.EXE
  • ShowIP.exe
  • QQ3DAVPLAYER.EXE
  • QZONESUPPORT.EXE
  • SUN.exe
  • Sungame.exe
  • WzVoiceClient.exe
  • AutoUpdate.exe
  • DBFSupdate.exe
  • Play.exe
Other information

The worm may create copies of the following files (source, destination):

  • %system%\notepad.exe, %windir%\svchost.exe

The worm launches the following processes:

  • iexplore.exe
  • %windir%\svchost.exe

The worm creates and runs a new thread with its own code within these running processes.

The worm modifies the following file:

  • %system%\drivers\etc\hosts

The worm writes the following entries to the file, effectively blocking access to the corresponding Internet sites:

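As an added example (not from ESET's entry or the worm's own code), the following Python script audits a hosts file for the kind of entries described above: names other than the usual local ones pinned to a loopback address, IP literals placed in the hostname field, and malformed names. The sample hosts content is constructed, and the `LEGIT_LOOPBACK_NAMES` allowlist is an assumption to adjust per environment.

```python
# Hosts-file audit for the loopback-pinning trick described above (added example,
# not ESET's or the sample's code): flag names mapped to 127.0.0.1 that are not local.
import ipaddress
import re

# Assumed allowlist of names that legitimately resolve to loopback; adjust as needed.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")

def parse_hosts(text):
    """Return (line_no, address, name) for each name on each non-comment line."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip comments and padding
        if line:
            addr, *names = line.split()
            entries += [(no, addr, n.lower().rstrip(".")) for n in names]
    return entries

def suspicious_reason(addr, name):
    """Why an entry deserves review, or None if it looks like a normal mapping."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparseable address"
    try:                                    # e.g. "127.0.0.1  203.0.113.5" is meaningless
        ipaddress.ip_address(name)
        return "IP literal in hostname field"
    except ValueError:
        pass
    if not HOSTNAME_RE.match(name):
        return "malformed hostname"
    if ip.is_loopback and name not in LEGIT_LOOPBACK_NAMES:
        return "non-local name pinned to loopback"
    return None

def audit_hosts(text):
    """Return (line_no, address, name, reason) for every suspicious entry."""
    return [(no, addr, name, reason) for no, addr, name in parse_hosts(text)
            if (reason := suspicious_reason(addr, name))]

# Constructed sample hosts file, not a capture from an infected machine.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.blocked-site.example
127.0.0.1       198.51.100.7
127.0.0.1       www,malformed.example
192.0.2.10      intranet.example
"""

if __name__ == "__main__":
    for hit in audit_hosts(SAMPLE_HOSTS): print("line %d: %s %s (%s)" % hit)
```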

The worm tries to download and execute several files from the Internet.

These are stored in the following locations:

  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\shift.ini
  • %windir%\error.ini
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\package.tmp
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV_TMP.EXE
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\SVCHOST.EXE
  • C:\Program Files\Common Files\Microsoft Shared\Web Folders\Temp%variable%.exe

A string with variable content is used instead of %variable%.
