high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Protection available since | 23 May 2005 21:43:56 (GMT) |
| Last updated | 18 March 2008 02:32:46 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for disinfecting PE executables.
More Information
W32/Bube-F is a virus for the Windows platform.
The virus infects explorer.exe which is typically located in <Windows folder>\explorer.exe.
W32/Bube-F connects to a remote site and downloads configuration files which define further behaviours.
The virus terminates the explorer and progman processes, infects explorer.exe and then runs the infected copy of explorer.
The virus may display popup windows in Internet Explorer.
When run, W32/Bube-F copies itself to the Windows system folder as sm.exe and soft.exe and sets the following registry entries in order to run each time a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Web Service
"<Windows system folder>\sm.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Web Service
"<Windows system folder>\sm.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
Run
"<Windows system folder>\soft.exe"
The virus may also modify values in the system registry under the following:
HKCU\Software\Microsoft\Active Setup\Installed Components\(08B0E5C0-4FCB-11CF-AAA5-00401C608500)
HKCU\Software\Microsoft\Internet Explorer\Main
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile
HKLM\Software\Policies\Microsoft\WindowsFirewall\StandardProfile
|
