CA Global Security Advisor

Virus Detail

Win32.Bube.A

Date Published:
24 Jan 2005

Last Updated:
7 Feb 2005

Threat Assessment

Overall Risk:   Very Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Trojan.Admincash (Symantec), Win32.BeavButt.A, Trojan-Downloader.Win32.Small.ahk (Kaspersky)

Immediate Protection Info

Signature   Product
11.x/8887   eTrust Antivirus v7/8* (Vet Engine)
6.1x/6027   eTrust EZ Antivirus 6.1x
6.2x/8887   eTrust EZ Antivirus 6.2x
6.3x/8887   eTrust EZ Antivirus 6.3x
6.4x/8887   eTrust EZ Antivirus 6.4x
7.x/8887    eTrust EZ Antivirus 7.x
10.6x/8887  Vet Anti-Virus 10.6x

Description

Win32.Bube.A is a trojan which modifies Explorer.exe in order to covertly receive commands from a specified website. It has been distributed as an 8,200-byte Win32 executable.


Method of Infection

When executed, Bube.A copies itself to %System%\soft.exe.

It then modifies the registry to ensure that this file is executed at each Windows start:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Web Service = "%System%\soft.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\Web Service = "%System%\soft.exe"
HKCU\Software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}\StubPath = "%System%\soft.exe"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = "%System%\soft.exe"

Note: '%System%' and '%Windows%' are variable locations. The trojan determines the location of these folders by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT, C:\Windows\System for 95, 98 and ME, and C:\Windows\System32 for XP. The default installation location for the Windows directory is C:\Winnt for Windows 2000 and NT, and C:\Windows for 95, 98, ME and XP.



Payload

Modifies files

Bube terminates the explorer.exe process, modifies the file, and then restarts it. The trojan then overwrites the following cached copies of explorer.exe if they exist, so that Windows File Protection cannot restore the original:


%Windows%\ServicePackFiles\i386\explorer.exe
%System%\dllcache\explorer.exe
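Because the ServicePackFiles and dllcache copies are overwritten too, Windows File Protection no longer has a clean source to restore from, so an integrity check has to hash every location and compare against a hash obtained from a known-clean system. The script below is an added example written for this page, not CA's tool and not part of the advisory. It assumes the live copy lives at %Windows%\explorer.exe; the trusted hash is a placeholder to be taken from a clean install, and demo() builds a constructed temporary file tree rather than touching a real system.

```python
"""Hash every on-disk copy of explorer.exe against a trusted SHA-256.

Added example, not CA's code. Bube.A patches the running explorer.exe and
overwrites the WFP cache copies, so a check must cover all three locations.
"""
import hashlib
import os

# Locations from the advisory plus the live copy (assumed at %Windows%\explorer.exe).
EXPLORER_COPIES = (
    ("{windows}", "explorer.exe"),
    ("{windows}", "ServicePackFiles", "i386", "explorer.exe"),
    ("{system}", "dllcache", "explorer.exe"),
)

# Placeholder: replace with the hash of explorer.exe from a known-clean install.
TRUSTED_SHA256_PLACEHOLDER = "<sha256-of-clean-explorer.exe>"


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries need not be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_explorer_copies(windows_dir, system_dir, trusted_sha256):
    """Return {path: status} where status is 'ok', 'MODIFIED' or 'missing'."""
    results = {}
    for parts in EXPLORER_COPIES:
        path = os.path.join(
            *(p.format(windows=windows_dir, system=system_dir) for p in parts)
        )
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_of(path).lower() == trusted_sha256.lower():
            results[path] = "ok"
        else:
            results[path] = "MODIFIED"
    return results


def demo():
    """Constructed fixture: a temp tree where the ServicePackFiles copy was altered.

    The file contents are placeholder bytes, not real executables."""
    import tempfile
    root = tempfile.mkdtemp()
    win = os.path.join(root, "WINDOWS")
    sysdir = os.path.join(win, "system32")
    good = b"MZ clean explorer placeholder"
    for parts, content in (
        ((win, "explorer.exe"), good),
        ((win, "ServicePackFiles", "i386", "explorer.exe"), good + b" patched"),
        ((sysdir, "dllcache", "explorer.exe"), good),
    ):
        path = os.path.join(*parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    trusted = hashlib.sha256(good).hexdigest()
    return check_explorer_copies(win, sysdir, trusted)


if __name__ == "__main__":
    # On a real XP host: check_explorer_copies(r"C:\WINDOWS", r"C:\WINDOWS\system32", TRUSTED_SHA256_PLACEHOLDER)
    for path, status in demo().items():
        print(f"{status:9s} {path}")
```

A "MODIFIED" result on the live copy together with "MODIFIED" or "missing" cache copies is the pattern this trojan leaves; with all three altered, the file must be replaced from installation media rather than through sfc.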


Modifies Registry

The trojan alters the following registry value so as to disable System Restore, making the restoration of the file more difficult:


HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR = 1

The trojan alters the following registry values associated with the Security Center in Windows XP Service Pack 2, setting them to zero:


HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

as well as disabling automatic updates by altering the following registry values:


HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions


Backdoor Functionality

The trojan contacts a site on the www.admin2cash.biz domain in order to receive commands, probably concerned with downloading and installing adware and/or other trojans. This part of the payload is performed by the modified explorer.exe.



For additional information:

On Windows XP machines, a Windows File Protection dialog is shown when explorer.exe is altered.

[Screenshot: Windows File Protection dialog]

Analysis by Matt McCormack

