Troj/Pushu-H

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/Pushu-H is a downloader/installer for members of the Troj/Pushu-Gen family of Trojans.

Troj/Pushu-H typically arrives as an email attachment as part of a spamming campaign.

When Troj/Pushu-H is installed it drops the following kernel-driver component, used to hide the infection from the operating system, which Sophos Anti-Virus detects as Troj/Pushu-Gen:

<System>\drivers\runtime.sys

The file runtime.sys is registered as a new system driver service named "runtime". Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\runtime\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME\

Troj/Pushu-H overwrites the following file with a rootkit component which Sophos Anti-Virus detects as Troj/Agent-GIS and/or Troj/Pushu-Gen. Note that secdrv.sys is the legitimate Macrovision SafeDisc driver that ships with Windows, and the SecDrv service normally exists, so the presence of the file or service alone is not an indicator; the replaced file must be identified by its contents (hash or signature), not by its name:

<System>\drivers\secdrv.sys

Registry entries are created under:

HKLM\SYSTEM\CurrentControlSet\Services\SecDrv\
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV\

Troj/Pushu-H may also download further files from a remote location. To do this it injects code into an Internet Explorer process, so that the network connection appears to originate from the browser, and has been seen writing the downloaded file to the following location:

<Windows>\system32\<random number>_exception.nls
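The following triage script collects the indicators listed above on a Windows host. It is an added example and is not Sophos code; it only reports, it does not remove anything, and it assumes it is run from an elevated PowerShell prompt. Because the driver components are rootkits, a live system may hide the files or keys from user-mode tools; a clean result from a running host is therefore weaker evidence than the same check run against the disk from boot media.

```powershell
# Added example (not part of the Sophos advisory): report Troj/Pushu-H indicators.
# Assumes an elevated session. Read-only: nothing is deleted or modified.

$sysDir   = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Driver files named in the advisory. secdrv.sys legitimately exists on
#    many systems (SafeDisc), so record hash and signature rather than treating
#    presence as an infection. The genuine file is Microsoft-signed; on systems
#    where it is catalog-signed rather than embedded-signed, compare the hash
#    against a known-good copy instead of relying on Status alone.
foreach ($name in 'runtime.sys', 'secdrv.sys') {
    $path = Join-Path $sysDir "drivers\$name"
    if (Test-Path -LiteralPath $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = "file:$name"
            Detail    = "$path sig=$($sig.Status) signer=$($sig.SignerCertificate.Subject) sha256=$hash"
        }
    }
}

# 2. Service and LEGACY_* enumeration keys created by the installer.
#    The 'runtime' service should not exist on a clean host; SecDrv may.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\runtime',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SecDrv',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECDRV'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $props = Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Indicator = "reg:$k"
            Detail    = "ImagePath=$($props.ImagePath) Start=$($props.Start) Type=$($props.Type)"
        }
    }
}

# 3. Loaded kernel drivers with the advisory's service names, as seen by the
#    service control manager (independent of the registry read above).
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='runtime' OR Name='SecDrv'" |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = "driver:$($_.Name)"
            Detail    = "State=$($_.State) PathName=$($_.PathName)"
        }
    }

# 4. Downloaded payloads: <random number>_exception.nls in System32.
Get-ChildItem -LiteralPath $sysDir -Filter '*_exception.nls' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d+_exception\.nls$' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'file:nls'
            Detail    = "$($_.FullName) size=$($_.Length) mtime=$($_.LastWriteTime)"
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'No Troj/Pushu-H indicators found (a live rootkit may still be hiding them).'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Treat a `runtime` service or any `LEGACY_RUNTIME` key as a strong indicator; for `SecDrv` and secdrv.sys, act on the hash and signature details, since the names themselves are legitimate.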
