Win32/Fusing [Threat Name]

Win32/Fusing.AJ [Threat Variant Name]

Category trojan
Size 73188 B
Detection created Dec 09, 2009
Detection database version 4674
Aliases Trojan-GameThief.Win32.Magania.cpml (Kaspersky)
  Trojan:Win32/Redosdru.K (Microsoft)
  PWS-Mmorpg!iw (McAfee)
Short description

Win32/Fusing.AJ installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following folder:

  • %systemdrive%\Documents and Settings\Local User

The folder may have the System (S) and Hidden (H) attributes set in an attempt to hide the folder in Windows Explorer.


The following file is dropped into the %systemdrive%\Documents and Settings\Local User folder:

  • pcguard.dll (68131 B)

The pcguard.dll file may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.


The trojan registers itself as a system service using the following name:

  • MS Driver Management Service

The trojan replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

It avoids processes which contain any of the following strings in their path:

  • 6to4
  • Ias
  • Iprip
  • Irmon

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "Type" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "InstallModule" = "%variable2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "Description" = "%string%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
    • "ServiceDll" = "%systemdrive%\Documents and Settings\Local User\pcguard.dll"

This causes the trojan to be executed on every system start.


A string with variable content is used instead of %variable1-2%. The variable %string% represents a string written in the Chinese language.


The trojan deletes the original file.
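The persistence described above (a service name in the svchost "netsvcs" group whose ServiceDll points outside the Windows directory, with the DLL marked Hidden and System) can be audited from an elevated PowerShell session. This is an added example for defenders, not part of the ESET entry; it assumes a standard Windows layout where legitimate svchost-hosted DLLs live under %SystemRoot%, and it only reports, it does not change anything.

```powershell
# Added example (not from the ESET entry): audit svchost "netsvcs" services for
# a ServiceDll outside %SystemRoot%, Hidden+System attributes on that DLL, or a
# non-ASCII service Description. Run in an elevated PowerShell session.

$services   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey).netsvcs   # REG_MULTI_SZ of service names

$findings = foreach ($name in $netsvcs) {
    $paramsKey = Join-Path $services "$name\Parameters"
    if (-not (Test-Path -Path $paramsKey)) { continue }      # group member not installed

    $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }

    # ServiceDll is normally REG_EXPAND_SZ; expand it before comparing paths.
    $path = [Environment]::ExpandEnvironmentVariables($dll)
    $outsideSystemRoot = -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)

    $attrs = 'FILE MISSING'
    $hiddenSystem = $false
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # -Force is required so Get-Item returns hidden/system files.
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        $hiddenSystem = (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) -and
                        (($attrs -band [IO.FileAttributes]::System) -ne 0)
    }

    # The entry notes a Chinese-language Description; flag any non-ASCII text.
    $desc = (Get-ItemProperty -Path (Join-Path $services $name) -ErrorAction SilentlyContinue).Description
    $nonAsciiDesc = [bool]($desc -and ($desc -match '[^\x00-\x7F]'))

    [PSCustomObject]@{
        Service             = $name
        ServiceDll          = $path
        OutsideSystemRoot   = $outsideSystemRoot
        HiddenSystem        = $hiddenSystem
        NonAsciiDescription = $nonAsciiDesc
        Attributes          = "$attrs"
    }
}

# Report only the suspicious members; review each hit before acting on it.
$findings |
    Where-Object { $_.OutsideSystemRoot -or $_.HiddenSystem -or $_.NonAsciiDescription } |
    Format-Table -AutoSize
```

On a clean system the table is empty; a hit with a ServiceDll under "Documents and Settings\Local User" matches the pattern described in this entry.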

Other information

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of URLs. The TCP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files

The trojan launches the following processes:

  • iexplore.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe
