Sophos

W32/Bube-L

Summary

Affected operating systems: Windows
Characteristics:
  • Installs itself in the registry
Protection available since: 10 April 2005 14:53:28 (GMT)
Detected by: All Sophos products

Action

Please follow the instructions for removing Trojans.

Follow the standard instructions for all files except explorer.exe. That file is a legitimate Windows component which the Trojan patches rather than a file it drops, so it must not simply be deleted: either restore it from a backup (or from a clean copy of the same version and patch level) or attempt disinfection.

More Information

W32/Bube-L is a downloader Trojan for Windows operating systems that also modifies the local copy of explorer.exe.

The Trojan makes two copies of itself in the Windows system folder: one with the filename it was originally run with on the computer, and one named svhost.exe (a look-alike of the legitimate Windows filename svchost.exe).

To ensure that the copy that keeps its original name is automatically started when a user logs on to an infected computer, the following registry entries are set (where <filename> is the name the Trojan was originally run with):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System backup
<filename>

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
System backup
<filename>

As a final attempt to ensure that W32/Bube-L is automatically run on an infected computer, the Trojan attempts to infect explorer.exe so that when Explorer is run it will start a thread containing the resident Trojan code. The Trojan tries to modify the copies of Explorer at the following locations (the second and third are the copies Windows File Protection restores a tampered <Windows>\explorer.exe from, so patching them as well prevents the clean file from being put back):

<Windows>\explorer.exe
<System>\dllcache\explorer.exe
<Windows>\ServicePackFiles\i386\explorer.exe

To facilitate the patching of explorer.exe, an entry is added to wininit.ini; if wininit.ini does not exist, it is created. The new entry reads:

[rename]
<Windows>\explorer.exe=<Windows>\explorer.new

Entries in the [rename] section have the form destination=source and are processed at the next restart, so this line replaces explorer.exe with the patched copy written to explorer.new once the file is no longer in use. wininit.ini is processed by Windows 9x/ME; NT-based versions (2000/XP) ignore it and use the PendingFileRenameOperations registry value for the same purpose, so on those systems the direct modification of the three copies listed above is the operative step.
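The following PowerShell script is an added triage example, not Sophos code, that checks a host for the persistence mechanisms described above: the "System backup" Run values, the dropped svhost.exe, differences between the three explorer.exe copies, and a pending replacement of explorer.exe via wininit.ini or PendingFileRenameOperations. The -KnownGoodSha256 parameter and the $findings list are assumptions of this example; the hash should come from install media or a known-clean machine at the same patch level.

```powershell
# Added example (not Sophos code): triage checks for the W32/Bube-L persistence
# mechanisms. Run from an elevated PowerShell 4+ prompt on the suspect host.
# -KnownGoodSha256 is an assumed parameter: the SHA-256 of explorer.exe taken
# from install media or a known-clean peer with the same version and patch level.
param([string]$KnownGoodSha256)

$windir = $env:SystemRoot
$sysdir = Join-Path $windir 'System32'
$findings = @()

# 1. Run-key persistence: a value named "System backup" under HKLM and HKCU.
#    Its data is the path of the copy that kept the Trojan's original filename.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $v = Get-ItemProperty -Path $key -Name 'System backup' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Run value $hive\...\Run\System backup -> $($v.'System backup')" }
}

# 2. Dropped copy named svhost.exe (a look-alike of the legitimate svchost.exe).
$drop = Join-Path $sysdir 'svhost.exe'
if (Test-Path $drop) { $findings += "Dropped file present: $drop" }

# 3. explorer.exe integrity. The Trojan patches the live copy and the two copies
#    Windows File Protection restores from, so all three matching each other does
#    not prove the file is clean; compare against a known-good hash when available.
$copies = @(
    (Join-Path $windir 'explorer.exe'),
    (Join-Path $sysdir 'dllcache\explorer.exe'),
    (Join-Path $windir 'ServicePackFiles\i386\explorer.exe')
) | Where-Object { Test-Path $_ }
$hashes = foreach ($p in $copies) {
    [pscustomobject]@{ Path = $p; SHA256 = (Get-FileHash -Algorithm SHA256 -Path $p).Hash }
}
$hashes | Format-Table -AutoSize
if (@($hashes.SHA256 | Sort-Object -Unique).Count -gt 1) { $findings += 'explorer.exe copies differ from each other' }
if ($KnownGoodSha256) {
    foreach ($h in $hashes) {
        if ($h.SHA256 -ne $KnownGoodSha256.ToUpper()) { $findings += "$($h.Path) does not match the known-good hash" }
    }
}

# 4. Pending replacement of explorer.exe: wininit.ini [rename] (processed by
#    Windows 9x/ME at restart, one destination=source line per file) and the
#    NT-family equivalent, the PendingFileRenameOperations value.
$ini = Join-Path $windir 'wininit.ini'
if (Test-Path $ini) {
    $inRename = $false
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inRename = ($Matches[1] -ieq 'rename'); continue }
        if ($inRename -and $line -match 'explorer') { $findings += "wininit.ini [rename] entry: $line" }
    }
}
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
$pending = @($sm.PendingFileRenameOperations | Where-Object { $_ -match 'explorer' })
if ($pending.Count) { $findings += "PendingFileRenameOperations references explorer: $($pending -join ' ')" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No W32/Bube-L persistence indicators found' }
```

Run it before and after cleaning: a clean host should print no warnings, and the three explorer.exe hashes should agree with each other and with the known-good value.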

Once W32/Bube-L has installed itself on a computer, it attempts to set the following registry entries to make the computer more vulnerable. The Security Center values suppress the alerts Windows raises when the firewall, automatic updates or anti-virus protection are switched off; the WindowsUpdate\AU policy values disable Automatic Updates; and the WindowsFirewall policy values override the firewall configuration (note that for EnableFirewall the data shown, 1, is the setting that forces the firewall on under policy, while 0 is the setting that disables it). All of these settings are machine-wide and are read from HKLM; the HKCU copies the Trojan also writes have no effect on the configuration but remain useful indicators of infection:

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKCU\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKCU\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
1

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKCU\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
1

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate
1

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
AUOptions
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
1

HKCU\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
1

HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
1

HKCU\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
1
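The following PowerShell script is an added example, not Sophos code, that audits the values listed above in both hives and, with -Revert, deletes the ones that match, which returns each setting to its default. The function name Test-BubeRegistry and the -Revert switch are assumptions of this example; the key paths, value names and data are those listed above. Because the Trojan is shown writing EnableFirewall as 1, the firewall policy values are reported whenever they are present rather than matched against a specific data value.

```powershell
# Added example (not Sophos code): audit, and with -Revert remove, the registry
# values W32/Bube-L writes to weaken the host. Run from an elevated prompt.
# Security Center, Automatic Updates policy and Windows Firewall policy are
# machine-wide settings read from HKLM; the HKCU copies are inert but are still
# recorded as indicators.
param([switch]$Revert)

# Key (without hive), value name, the data the Trojan writes (Bad), and what
# that data means to Windows.
$checks = @(
    @{ Sub = 'SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Bad = 1; Means = 'no "firewall off" alert' },
    @{ Sub = 'SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Bad = 1; Means = 'no "updates off" alert' },
    @{ Sub = 'SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1; Means = 'no "anti-virus off" alert' },
    @{ Sub = 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate'; Bad = 1; Means = 'Automatic Updates disabled by policy' },
    @{ Sub = 'Software\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'AUOptions';    Bad = 1; Means = '"Keep my computer up to date" disabled' },
    # EnableFirewall: 0 disables the firewall, 1 forces it on. A policy value that
    # nobody deployed is the indicator, whatever the data, so no Bad value is given.
    @{ Sub = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Means = 'firewall policy override present' },
    @{ Sub = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Means = 'firewall policy override present' }
)

function Test-BubeRegistry {
    foreach ($c in $checks) {
        foreach ($hive in 'HKLM', 'HKCU') {
            $path = "${hive}:\$($c.Sub)"
            # A missing key or value yields $null rather than an error.
            $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { continue }
            $data = $item.($c.Name)
            $hit  = if ($c.ContainsKey('Bad')) { $data -eq $c.Bad } else { $true }
            [pscustomobject]@{
                Hive = $hive; Key = $c.Sub; Name = $c.Name; Data = $data
                Suspicious = $hit; Meaning = $c.Means
            }
            if ($Revert -and $hit) {
                Remove-ItemProperty -Path $path -Name $c.Name
                Write-Warning "Removed $path\$($c.Name)"
            }
        }
    }
}

$results = @(Test-BubeRegistry)
if ($results) { $results | Format-Table -AutoSize }
else { Write-Host 'None of the listed W32/Bube-L registry values are present' }
```

Run it once without -Revert to record what is present, then with -Revert to remove the entries; on a domain-joined machine, check with the administrator that the WindowsFirewall and WindowsUpdate policy values were not legitimately deployed by Group Policy before deleting them, since Group Policy would simply rewrite them on the next refresh.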

Once fully installed, the Trojan contacts a pre-specified website to report its presence on the computer, and periodically tries to download a file that specifies further commands for it to execute. W32/Bube-L can be instructed to:

  • Install software to the registry
  • Set and delete registry entries
  • Open Internet Explorer to a specific web page
  • Run Explorer with specified parameters
  • Download and execute files
