Win32/Fusing [Threat Name] go to Threat

Win32/Fusing.AO [Threat Variant Name]

Category	trojan
Size	109056 B
Aliases	Backdoor.Win32.Torr.aun (Kaspersky)
	Trojan:Win32/Provis!rts (Microsoft)
	BackDoor-DVB.e (McAfee)

Win32/Fusing.AO installs a backdoor that can be controlled remotely.

When executed, the trojan creates the following files:

The trojan registers itself as a system service using the following name:

The trojan replaces file(s) referenced by the following Registry entries with its own copy or with another malware file:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs]

It avoids processes which contain any of the following strings in their path:

The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
- "Type" = "%variable1%"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
- "InstallModule" = "%variable2%"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
- "Description" = "Network address translation for virtual networks.If this service is stopped, protected content might not be down loaded to the device."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
- "ServiceDll" = "%system%\twain_32.dll"

This causes the trojan to be executed on every system start.

A string with variable content is used instead of %variable1-2% .

The trojan deletes the original file.

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of URLs. The TCP protocol is used.

It can execute the following operations:

The trojan may create the following files:

The %variable% represents a random number.

The following programs are terminated:

The trojan launches the following processes:

The trojan creates and runs a new thread with its own program code within the following processes: