Win32/Bundpil [Threat Name]
Win32/Bundpil.A [Threat Variant Name]
Category | worm
Size | 160256 B
Aliases | Trojan.Win32.Jorik.Androm.bme (Kaspersky); Worm:Win32/Gamarue.I (Microsoft)
Win32/Bundpil.A is a worm that spreads via removable media.
Installation
When executed, the worm creates one of the following files:
- %temp%\$MSI\~msiexec.exe (37376 B, Win32/TrojanDownloader.Wauchos.A)
- %userprofile%\%variable%.exe (37376 B, Win32/TrojanDownloader.Wauchos.A)
- %allusersprofile%\Local Settings\Temp\%variable%.exe (37376 B, Win32/TrojanDownloader.Wauchos.A)
A string with variable content is used instead of %variable%.
The file is then executed.
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "ShowSuperHidden" = 0
- "Hidden" = 2
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft]
- "0022FF03" = %binarydata% (42080 B)
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft]
- "0022FF03" = %binarydata% (42080 B)
- [HKEY_CURRENT_USER\SOFTWARE]
- "e_magic" = %binarydata% (124928 B)
The worm launches the following process:
- %originalmalwarefilepath%
The worm then creates and runs a thread carrying its own code inside that new process, i.e. it injects itself into a fresh copy of its own executable.
Spreading on removable media
Win32/Bundpil.A is a worm that spreads via removable media.
The worm creates the following files:
- %removabledrive%\ \desktop.ini (126 B; placed inside a folder whose name is a single blank character)
- %removabledrive%\~$W%variable%.USBDrv (53760 B, Win32/Bundpil.A)
- %removabledrive%\desktop.ini (1888 B, Win32/Bundpil.A)
- %removabledrive%\Thumbs.db
A string with variable content is used instead of %variable%.
The worm also creates the following shortcut files:
- %removabledrive%\%drivename% (%drivesize%GB).lnk
- %removabledrive%\My Removable Device.lnk
These are shortcuts to the worm's files; the first is named after the drive itself (its label and size).
The worm searches for files and folders on removable drives.
It skips drives that contain any of the following folders:
- DCIM
- Windows
The worm may delete the following folders:
- *Backup.*
The worm attempts to delete the following files (the first four patterns match files named after an existing folder on the drive):
- %existingfoldername%.exe
- %existingfoldername%.vbs
- %existingfoldername%.pif
- %existingfoldername%.cmd
- *~$W*
- *~DATA*
- *~W144*
- *pill_*
- *Backup.*
- *blue_*
- *.INF
- *.LNK
- *.INI
- LaunchU3.exe
- Thumbs.db
The worm creates the following folder:
- %removabledrive%\ \ (a folder whose name is a single blank character, so it shows no name in Explorer)
The worm moves the drive's existing folders and their content into it (source, destination):
- %removabledrive%\%folder%, %removabledrive%\ \%folder%
The worm moves the drive's existing files into it as well (source, destination):
- %removabledrive%\%file%, %removabledrive%\ \%file%
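The following PowerShell triage script is an added example and is not ESET's code. It looks for the spreading artefacts listed in this section on a removable drive: the blank-named folder into which the user's data was moved, the root-level .lnk decoys (resolving where each one points via the WScript.Shell COM object), and the worm's own files (~$W*.USBDrv, the 1888-byte desktop.ini, Thumbs.db). The function name is an assumption; the file names and sizes are taken from the description above.

```powershell
# Added example (not ESET's code): triage a removable drive for the Bundpil.A spreading
# artefacts described on this page. Function name is my own; indicator names and sizes
# come from the description.
function Get-BundpilUsbArtifacts {
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\'

    $results = New-Object System.Collections.Generic.List[object]
    $shell   = New-Object -ComObject WScript.Shell      # used only to read .lnk targets

    # 1. A folder whose name is only whitespace (shown as "\ \" in the description). The worm
    #    moves the user's real files and folders into it so only the .lnk decoys stay visible.
    Get-ChildItem -LiteralPath $DriveRoot -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.Trim() -eq '' } |
        ForEach-Object {
            $moved = @(Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue).Count
            $results.Add([pscustomobject]@{ Type = 'BlankFolder'; Path = $_.FullName; Detail = "$moved items inside (relocated user data)" })
        }

    # 2. Root-level shortcuts. The decoys are named after the drive ("<label> (<size>GB).lnk")
    #    or "My Removable Device.lnk"; report the resolved target instead of trusting the name.
    Get-ChildItem -LiteralPath $DriveRoot -File -Force -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $results.Add([pscustomobject]@{ Type = 'Shortcut'; Path = $_.FullName; Detail = "-> $($lnk.TargetPath) $($lnk.Arguments)" })
        }

    # 3. The worm's own files at the root: ~$W<variable>.USBDrv (53760 B), the oversized
    #    desktop.ini (1888 B, unlike the 126 B one inside the blank folder) and Thumbs.db.
    #    Thumbs.db is also a legitimate Explorer cache name, so treat it as context only.
    Get-ChildItem -LiteralPath $DriveRoot -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -like '~$W*.USBDrv' -or
            ($_.Name -ieq 'desktop.ini' -and $_.Length -eq 1888) -or
            $_.Name -ieq 'Thumbs.db'
        } |
        ForEach-Object {
            $results.Add([pscustomobject]@{ Type = 'WormFile'; Path = $_.FullName; Detail = "$($_.Length) bytes, attributes: $($_.Attributes)" })
        }

    return $results
}

# Usage (substitute the letter of the suspect drive; never double-click the .lnk files):
Get-BundpilUsbArtifacts -DriveRoot 'E:\' | Format-Table -AutoSize
```

Run it from a machine with Explorer's hidden and protected system file display enabled, since the worm relies on those files being hidden. Because the page states that the user's folders and files are moved, not deleted, recovery consists of removing the .lnk, .USBDrv, desktop.ini and Thumbs.db artefacts at the root and then moving the contents of the blank-named folder back to the drive root.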
Other information
The worm contains a hard-coded URL and tries to download several files from it over HTTP.
The downloaded files are stored in the following locations:
- %temp%\%variable%.tmp
- %drive%:\Thumbs.db
- C:\Temp\TrustedInstaller.exe
The files are then executed.
A string with variable content is used instead of %variable%.
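The following PowerShell check is an added example and is not ESET's code. It covers the host-side artefacts from the Installation section and the download locations listed just above: the REG_BINARY blobs stored under the 0022FF03 and e_magic value names, the Explorer hidden-file settings, and the fixed dropped-file paths. The function name is an assumption, as is the 37376-byte size heuristic used to find the %variable%.exe drops whose names cannot be predicted; the paths, value names and sizes are taken from the description.

```powershell
# Added example (not ESET's code): host triage for the Bundpil.A artefacts described on this page.
# Function name is my own; key paths, value names, file locations and sizes come from the description.
function Get-BundpilHostArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]

    # Binary blobs the worm writes directly under these keys. Large REG_BINARY values at this
    # level are unusual for legitimate software, so their presence is a strong indicator.
    $blobValues = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft'; Name = '0022FF03' },
        @{ Key = 'HKCU:\SOFTWARE\Microsoft'; Name = '0022FF03' },
        @{ Key = 'HKCU:\SOFTWARE';           Name = 'e_magic'  }
    )
    foreach ($v in $blobValues) {
        $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $data = $item.($v.Name)
            $size = if ($data -is [byte[]]) { $data.Length } else { 'n/a' }
            $findings.Add([pscustomobject]@{ Type = 'RegistryBlob'; Location = "$($v.Key)\$($v.Name)"; Detail = "$size bytes" })
        }
    }

    # ShowSuperHidden=0 and Hidden=2 are also the Windows defaults, so on their own they are
    # only a weak indicator; they are reported as context for the file checks below.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    if ($adv -and $adv.ShowSuperHidden -eq 0 -and $adv.Hidden -eq 2) {
        $findings.Add([pscustomobject]@{ Type = 'ExplorerSettings'; Location = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Detail = 'hidden and protected system files concealed (default values; weak indicator)' })
    }

    # Dropped files with fixed names. Single quotes keep '$MSI' as a literal folder name.
    $fixedPaths = @(
        (Join-Path $env:TEMP '$MSI\~msiexec.exe'),
        'C:\Temp\TrustedInstaller.exe'
    )
    foreach ($p in $fixedPaths) {
        if (Test-Path -LiteralPath $p) {
            $f = Get-Item -LiteralPath $p -Force
            $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $p; Detail = "$($f.Length) bytes, created $($f.CreationTime)" })
        }
    }

    # Thumbs.db at a drive root (one of the download targets) is an unusual place for that file.
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $t = Join-Path $d.Root 'Thumbs.db'
        if (Test-Path -LiteralPath $t) {
            $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $t; Detail = "$((Get-Item -LiteralPath $t -Force).Length) bytes" })
        }
    }

    # Heuristic (my assumption, not from the description): the %variable%.exe drops have
    # unpredictable names, so match .exe files of exactly 37376 bytes in the two drop folders.
    $dropDirs = @($env:USERPROFILE, (Join-Path $env:ALLUSERSPROFILE 'Local Settings\Temp'))
    foreach ($dir in $dropDirs) {
        Get-ChildItem -LiteralPath $dir -File -Force -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq 37376 } |
            ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Location = $_.FullName; Detail = 'size matches the Wauchos downloader drop' }) }
    }

    return $findings
}

Get-BundpilHostArtifacts | Format-Table -AutoSize
```

Read HKLM values from an elevated session, otherwise the HKLM\SOFTWARE\Microsoft blob is silently skipped. A hit on any RegistryBlob or fixed-path DroppedFile entry is sufficient on its own; the ExplorerSettings and size-heuristic entries need corroboration because they also match clean systems.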