TROJ_BUBLIK.JG

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Arrival Details

This Trojan arrives as an attachment to email messages spammed by other malware/grayware or malicious users.

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops and executes the following files:

• "%System%\{random filename}.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It injects threads into the following normal process(es):

• thebat.exe
• msimn.exe
• iexplore.exe
• explorer.exe
• myie.exe
• firefox.exe
• mozilla.exe
• avant.exe
• maxthon.exe
• OUTLOOK.EXE
• ftpte.exe
• coreftp.exe
• filezilla.exe
• TOTALCMD.EXE
• cftp.exe
• FTPVoyager.exe
• SmartFTP.exe
• WinSCP.exe
• opera.exe
• navigator.exe
• safari.exe
• chrome.exe

Autostart Technique

This Trojan adds the following Image File Execution Options registry entries to automatically execute itself whenever certain applications are run:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
userinit.exe
"Debugger" = "{random filename}.exe"

Other System Modifications

This Trojan adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\203E7401

Other Details

This Trojan connects to the following possibly malicious URL:

• {BLOCKED}t.com/f/t.php
• {BLOCKED}rew.net/f/t.php
• {BLOCKED}m.net/f/t.php
• {BLOCKED}ubihegs.{BLOCKED}ame.com/f/t.php
• {BLOCKED}uhegy.{BLOCKED}3.com/f/t.php
• {BLOCKED}bomeoc.{BLOCKED}tp.com/f/t.php