WORM_BUZUS.EHM

 Analysis by: Marfel Tiamzon

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type:

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  TECHNICAL DETAILS

Installation

This worm drops the following copies of itself into the affected system:

  • %Application Data%\SystemProc\lsass.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Windows\Profiles\{user name}\Application Data on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Application Data on Windows NT, and C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, XP, and Server 2003.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
RTHDBPL = %Application Data%\SystemProc\lsass.exe

  SOLUTION

Identifying the Grayware Files

Download the latest spyware pattern file and scan your computer. Note the path and file name of all files detected as WORM_BUZUS.EHM.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Restarting in Safe Mode

This grayware has characteristics that require the computer to be restarted in safe mode. Go to this page for instructions on how to restart your computer in safe mode.

Deleting the Grayware File(s)

  1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
  2. In the Named input box, type the name(s) of the file(s) detected earlier.
  3. In the Look In drop-down list, select My Computer, then press Enter.
  4. Once located, select the file then press SHIFT+DELETE.

*NOTE: This grayware is a file that may come with a main component detected by Trend Micro as another grayware. It may also be used by several variants of a certain grayware family. If your Trend Micro product detects another grayware on your system, refer to the manual removal instructions of that detected grayware.
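The following PowerShell script is an added example that is not part of this description and not a Trend Micro tool. It checks the two indicators stated above (the RTHDBPL value under the policies\Explorer\Run key and the dropped lsass.exe copy under SystemProc) for the current user, reports what it finds, and removes them when run without -WhatIf. It assumes that %Application Data% maps to either $env:APPDATA or $env:LOCALAPPDATA, since the note above lists both kinds of paths across Windows versions, and it only inspects the profile of the user running it; other profiles and any additional components mentioned in the note must still be handled by a full scan.

```powershell
# Added example (not Trend Micro's tooling): detect and remove the WORM_BUZUS.EHM
# artifacts named in this description. Run from an elevated PowerShell session;
# run with -WhatIf first to see what would be removed.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Indicators taken from the description above.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
$valueName = 'RTHDBPL'

# Assumption: %Application Data% is either the roaming or the local
# application data folder of the current user; check both.
$dropPaths = @(
    (Join-Path $env:APPDATA      'SystemProc\lsass.exe'),
    (Join-Path $env:LOCALAPPDATA 'SystemProc\lsass.exe')
)

$findings = @()

# 1. Autostart entry under the policies Explorer\Run key.
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $valueName)) {
        $findings += "Registry: $runKey\$valueName = $($props.$valueName)"
        if ($PSCmdlet.ShouldProcess("$runKey\$valueName", 'Remove autostart value')) {
            Remove-ItemProperty -Path $runKey -Name $valueName
        }
    }
}

# 2. Dropped copy. The legitimate lsass.exe lives in %SystemRoot%\System32;
#    a file of that name under an application data folder is the dropped copy.
foreach ($dropPath in $dropPaths) {
    if (-not (Test-Path $dropPath)) { continue }
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += "File: $dropPath (SHA256 $hash)"
    if ($PSCmdlet.ShouldProcess($dropPath, 'Delete dropped file')) {
        # Stop only an instance launched from the dropped path, never the
        # real lsass.exe in System32, before deleting the file.
        Get-Process -Name lsass -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -eq $dropPath } |
            Stop-Process -Force
        Remove-Item -Path $dropPath -Force
    }
}

if ($findings.Count -eq 0) {
    'No WORM_BUZUS.EHM indicators found for the current user.'
} else {
    $findings
}
```

Record the reported SHA256 alongside the path before removal so the artifact can be matched against the detection log from the pattern scan; the script deliberately restricts Stop-Process to a process whose image path equals the dropped file so that the genuine LSASS process is never touched.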
