Win32/Bubnix [Threat Name]
Win32/Bubnix.AA [Threat Variant Name]
Available cleaner [Download Bubnix Cleaner]
Category | trojan |
Size | 1048576 B |
Aliases | Rootkit.Win32.Agent.berb (Kaspersky) |
 | Trojan:WinNT/Bubnix.gen!A (Microsoft) |
 | Hacktool.Rootkit (Symantec) |
Short description
Win32/Bubnix.AA is a trojan that is used for spam distribution. It uses techniques common to rootkits. The file is run-time compressed using VMProtect.
Installation
The trojan is usually a part of other malware.
The trojan does not create any copies of itself.
The trojan creates and runs a new thread with its own program code within the following processes:
- services.exe
The trojan keeps various information in the following Registry key:
- [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\%servicename%]
- "%variable%" = %data%
A string with variable content is used instead of %variable%.
Spam distribution
Win32/Bubnix.AA is a trojan that is used for spam distribution.
The message depends entirely on data the trojan downloads from the Internet.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of IP addresses. The trojan generates various URL addresses.
It may perform the following actions:
- download files from a remote computer and/or the Internet
- run executable files
- send spam
The trojan checks for Internet connectivity by trying to connect to the following servers:
- amazon.com
- aol.com
- digg.com
- facebook.com
- flickr.com
- google.com
- gmail.com
- hotmail.com
- microsoft.com
- mozilla.org
- msn.com
- slashdot.org
- wikipedia.org
- yahoo.com
- youtube.com
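The connectivity check above can be hunted for in DNS query logs: one client resolving most of the listed servers within a short interval. The following is an added example, not code from the original description; the log line format, the 60-second window, the 10-domain threshold and the sample addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Connectivity-check servers listed in the description above.
CHECK_DOMAINS = frozenset({
    "amazon.com", "aol.com", "digg.com", "facebook.com", "flickr.com",
    "google.com", "gmail.com", "hotmail.com", "microsoft.com", "mozilla.org",
    "msn.com", "slashdot.org", "wikipedia.org", "yahoo.com", "youtube.com",
})

def base_domain(name):
    """Map a queried name such as 'www.google.com.' to a listed domain, else None."""
    name = name.rstrip(".").lower()
    for domain in CHECK_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def find_check_bursts(lines, window=timedelta(seconds=60), min_distinct=10):
    """Return {client: peak number of distinct listed domains within `window`}.
    Input: '<ISO time> <client IP> <query name>' lines, time-ordered per client
    (assumed format). Window/threshold are assumptions; a hit is only a lead."""
    recent = defaultdict(deque)  # client -> (timestamp, domain) pairs in window
    hits = {}
    for line in lines:
        try:
            stamp, client, query = line.split()
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # malformed line: wrong field count or bad timestamp
        domain = base_domain(query)
        if domain is None:
            continue
        queue = recent[client]
        queue.append((ts, domain))
        while ts - queue[0][0] > window:
            queue.popleft()  # drop lookups that fell out of the window
        distinct = len({d for _, d in queue})
        if distinct >= min_distinct:
            hits[client] = max(hits.get(client, 0), distinct)
    return hits

def constructed_sample():  # constructed log: one client sweeps the list, one browses
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    sweep = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {d}"
             for i, d in enumerate(sorted(CHECK_DOMAINS))]
    browse = [f"{(t0 + timedelta(minutes=5 * i)).isoformat()} 10.0.0.9 www.{d}"
              for i, d in enumerate(["google.com", "facebook.com", "youtube.com"])]
    return sweep + browse
```

Because every listed server is a popular site, a hit should be corroborated with the other traits described here, such as outbound SMTP traffic from a workstation.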
The trojan hides its presence in the system. It uses techniques common for rootkits.