W32/Bube-F

Category: Viruses and Spyware
Type: Win32 executable file virus
Prevalence: Small Number of Reports

Download Download our free Virus Removal Tool - Find and remove threats your antivirus missed

W32/Bube-F is a virus for the Windows platform.

The virus infects explorer.exe which is typically located in <Windows folder>\explorer.exe.

W32/Bube-F connects to a remote site and downloads configuration files which define further behaviours.

The virus terminates the explorer and progman processes, infects explorer.exe and then runs the infected copy of explorer.

The virus may display popup windows in Internet Explorer.

When run, W32/Bube-F copies itself to the Windows system folder as sm.exe and soft.exe and sets the following registry entries in order to run each time a user logs on:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Web Service
"<Windows system folder>\sm.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Web Service
"<Windows system folder>\sm.exe"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run
"<Windows system folder>\soft.exe"

The virus may also modify values in the system registry under the following:

HKCU\Software\Microsoft\Active Setup\Installed Components\(08B0E5C0-4FCB-11CF-AAA5-00401C608500)

HKCU\Software\Microsoft\Internet Explorer\Main

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile

HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile

download Try Sophos products for free
Download now

© 1997 - 2012 Sophos Ltd. All rights reserved. Legal Privacy