Troj/Buzus-O is a Trojan for the Windows platform.
Troj/Buzus-O includes functionality to download, install and run new software.
When first run, Troj/Buzus-O copies itself to <System>\splm\ncsjapi32.exe and creates the following files:
<System>\drivers\etc\hosts.sam
<System>\nScan\ecls.exe
<System>\nScan\ekrn.exe
<System>\nScan\ekrnAmon.dll
<System>\nScan\ekrnEmon.dll
<System>\nScan\ekrnEpfw.dll
<System>\nScan\ekrnScan.dll
<System>\nScan\em000_32.dat
<System>\nScan\em001_32.dat
<System>\nScan\em002_32.dat
<System>\nScan\em003_32.dat
<System>\nScan\em004_32.dat
<System>\nScan\em005_32.dat
<System>\nScan\em006_32.dat
<System>\nScan\mod_comp.dat
<System>\splm\kbdsapi.dll
<System>\splm\lmfunit32.dll
<System>\splm\mcaserv32.dll
The files kbdsapi.dll, lmfunit32.dll and mcaserv32.dll are detected as Troj/Agent-HIP. All other files may simply be deleted.
The following registry entries are created to run ncsjapi32.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Intelli Mouse Pro Version 2.0B
    <System>\splm\ncsjapi32.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *Intelli Mouse Pro Version 2.0B*
    <System>\splm\ncsjapi32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    *Intelli Mouse Pro Version 2.0B*
    <System>\splm\ncsjapi32.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B
    StubPath
    <System>\splm\ncsjapi32.exe

The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    <Program Files>\internet explorer\iexplore.exe
    <Program Files>\internet explorer\iexplore.exe:*:Enabled:Internet Explorer

Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue
    0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    2

Registry entries are created under:
HKCU\Software\Microsoft\nScan32
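
The artefacts listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original description or Sophos tooling; it assumes <System> maps to %SystemRoot%\System32 (SysWOW64 is checked as well) and only reports what it finds.

```powershell
# Added example (not Sophos code): read-only check for the artefacts listed on this page.
# Assumption: <System> maps to %SystemRoot%\System32; SysWOW64 is checked as well.
$name = 'Intelli Mouse Pro Version 2.0B'
$findings = New-Object System.Collections.Generic.List[string]

# Autorun values: match the value name (with or without the asterisks) or the target path.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($v in $item.GetValueNames()) {
        $data = [string]$item.GetValue($v)
        if ($v.Trim('*') -eq $name -or $data -like '*\splm\ncsjapi32.exe*') {
            $findings.Add("autorun: $key '$v' = $data")
        }
    }
}

# Registry keys whose mere presence matches the description.
$keys = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$name",
        'HKCU:\Software\Microsoft\nScan32',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) { $findings.Add("key: $key") }
}

# Firewall exception for iexplore.exe; other software may add it too, so treat it as supporting evidence.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwItem = Get-Item -LiteralPath $fw -ErrorAction SilentlyContinue
if ($fwItem) {
    $fwItem.GetValueNames() | Where-Object { $_ -like '*\internet explorer\iexplore.exe' } |
        ForEach-Object { $findings.Add("firewall: '$_' = $($fwItem.GetValue($_))") }
}

# Dropped files and the nScan folder, relative to the system directory.
$relative = 'splm\ncsjapi32.exe', 'splm\kbdsapi.dll', 'splm\lmfunit32.dll',
            'splm\mcaserv32.dll', 'nScan', 'drivers\etc\hosts.sam'
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    foreach ($rel in $relative) {
        $p = Join-Path $dir $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("file: $p") }
    }
}

if ($findings.Count) { $findings } else { 'No artefacts from this description were found.' }
```

The HKCU checks cover only the account running the script. On 64-bit Windows, HKLM\SOFTWARE entries written by a 32-bit process may sit under WOW6432Node, which this example does not query.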