Win32/Fusing [Threat Name]

Win32/Fusing.AO [Threat Variant Name]

Category trojan
Size 109056 B
Aliases Backdoor.Win32.Torr.aun (Kaspersky)
  Trojan:Win32/Provis!rts (Microsoft)
  BackDoor-DVB.e (McAfee)
Short description

Win32/Fusing.AO installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following files:

  • %system%\twain_32.dll (43813 B)

The trojan registers itself as a system service using the following name:

  • VMservices

The trojan replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

It avoids processes which contain any of the following strings in their path:

  • 6to4
  • Ias
  • Iprip
  • Irmon

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "Type" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "InstallModule" = "%variable2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    • "Description" = "Network address translation for virtual networks.If this service is stopped, protected content might not be down loaded to the device."
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
    • "ServiceDll" = "%system%\twain_32.dll"

This causes the trojan to be executed on every system start.


A string with variable content is used instead of %variable1-2%.


The trojan deletes the original file.
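
The persistence described above can be checked for in a registry dump. The following is an added example, not part of the original description: it assumes the Services hive has already been dumped to text in the same bracketed key and "Name" = "Data" layout used above, with string data decoded. The function names and the sample entries (including ExampleSvc and the paths) are constructed for illustration.

```python
import re

# Indicators from the description above; the sample data below is constructed.
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SERVICE_NAME, DLL_NAME = "vmservices", "twain_32.dll"
DESCRIPTION = "network address translation for virtual networks."
VALUE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')

def parse_dump(text):
    """Parse '[KEY]' and '"Name" = "Data"' lines into {key: {name: data}}, lowercased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).lower()] = m.group(2).lower()
    return keys

def find_suspect_services(text):
    """Return {service (lowercased): sorted indicator names} for services with any match."""
    hits = {}
    for path, values in parse_dump(text).items():
        if not path.startswith(SERVICES):
            continue
        service, *sub = path[len(SERVICES):].split("\\")
        found = hits.setdefault(service, set())
        if not sub:  # the service key itself
            if service == SERVICE_NAME:
                found.add("name")
            if "installmodule" in values:  # value set by the trojan
                found.add("InstallModule")
            if values.get("description", "").startswith(DESCRIPTION):
                found.add("Description")
        elif sub == ["parameters"]:  # svchost loads the DLL named here
            if values.get("servicedll", "").rsplit("\\", 1)[-1] == DLL_NAME:
                found.add("ServiceDll")
    return {svc: sorted(f) for svc, f in hits.items() if f}

SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMservices]
"InstallModule" = "C:\Users\test\sample.exe"
"Description" = "Network address translation for virtual networks.If this service is stopped, ..."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMservices\Parameters]
"ServiceDll" = "C:\WINDOWS\system32\twain_32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDll" = "%SystemRoot%\System32\twain_32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll" = "C:\WINDOWS\system32\qmgr.dll"
'''
print(find_suspect_services(SAMPLE))
```

Matching on the ServiceDll, InstallModule and Description values as well as the service name matters because the entries above are written under %servicename%, so the name alone is not a reliable indicator.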

Other information

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of URLs. The TCP protocol is used.


It can execute the following operations:

  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files

The trojan may create the following files:

  • %temp%\%variable%_res.tmp (43813 B)

The %variable% represents a random number.


The following programs are terminated:

  • KVMonXP.kxp

The trojan launches the following processes:

  • iexplore.exe

The trojan creates and runs a new thread with its own program code within the following processes:

  • winlogon.exe
