W32.Buzus

W32.Buzus is a worm that propagates by copying itself to removable USB drives and attempts to steal sensitive information from the infected computer. W32.Buzus then sends the collected data to a remote computer.

Also Identified As:
Mal/Behav-024, Mal/Inject-K, Mal/Behav-009 (Sophos), Trojan.Win32.Buzus.croo (Kaspersky Lab)

Damage Level: Low

Systems Affected: Windows 9x, 2000, XP, Windows Vista

Characteristics
To automatically run the worm when Windows starts, it will add the following registry entry:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Syesm" = "%CommonProgramFiles%\Syesm.exe"

The worm also changes the default home page of the victim's Internet browser by setting the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http:// www . xinfeng . net"

Distribution
W32.Buzus may arrive on a computer through spam email messages. The Trojan masquerades as a useful file, such as a greeting card, a document or an image. Instant messaging applications also help it propagate: it sends malicious links to contacts gathered from the infected system. The sender is unaware of the ongoing mass sending of messages containing malicious links because the Trojan operates silently in the background.

Locally, W32.Buzus spreads by copying itself to every removable drive attached to the affected machine as the following file:
%DriveLetter%\Syesm.exe

To run that file whenever the drive is accessed, it relies on the Windows Autorun feature by placing the following file in the same location:
%DriveLetter%\autorun.inf

Added Registry Entries:
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"Syesm" = "%CommonProgramFiles%\Syesm.exe"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\"NextInstance" = "1"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\0000\"Class" = "LegacyDriver"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\0000\"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\0000\"ConfigFlags" = "0"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\0000\"DeviceDesc" = "[RANDOM SERVICE NAME]"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\0000\"Legacy" = "1"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\Root\LEGACY_[RANDOM SERVICE NAME]\0000\"Service" = "[RANDOM SERVICE NAME]"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[RANDOM SERVICE NAME]\"DisplayName" = "[RANDOM SERVICE NAME]"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[RANDOM SERVICE NAME]\"ErrorControl" = "0"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[RANDOM SERVICE NAME]\"ImagePath" = "%Temp%\[RANDOM FILE NAME].tmp"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[RANDOM SERVICE NAME]\"Start" = "3"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[RANDOM SERVICE NAME]\"Type" = "1"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\[RANDOM SERVICE NAME]\Security\"Security" = [BINARY CHARACTERS]

Associated Files and Folders:
%CommonProgramFiles%\Syesm.exe
%SystemDrive%\AutoRun.inf
%SystemDrive%\Syesm.exe
%Temp%\[RANDOM FILE NAME].tmp
%UserProfile%\[RANDOM FILE NAME].drv
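The registry values and dropped files listed above can be checked for on a live host with a read-only PowerShell script. This is an added example written for this page, not code from the original entry or from any vendor; it assumes PowerShell 3 or later on a Windows host (not the Windows 9x/Me systems the entry also lists) and only reports what it finds without changing anything.

```powershell
# Added example: report-only check for the W32.Buzus artifacts described above.
# Assumes PowerShell 3+ on Windows; run elevated to read every service key.
$findings = @()

# 1. Persistence value under the policies\Explorer\Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    if ($props.PSObject.Properties.Name -contains 'Syesm') {
        $findings += "Run policy value 'Syesm' -> $($props.Syesm)"
    }
}

# 2. Hijacked Internet Explorer start page (domain taken from the entry; printed defanged)
$main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main -and $main.'Start Page' -match 'xinfeng') {
    $findings += "IE Start Page set to $($main.'Start Page' -replace '\.', '[.]')"
}

# 3. Dropped copies: Syesm.exe and AutoRun.inf on the system drive and on removable drives
$roots = @($env:SystemDrive + '\')
$roots += @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
            ForEach-Object { $_.DeviceID + '\' })   # DriveType 2 = removable disk
foreach ($root in $roots) {
    foreach ($name in 'Syesm.exe', 'autorun.inf') {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}
$common = Join-Path $env:CommonProgramFiles 'Syesm.exe'
if (Test-Path -LiteralPath $common) { $findings += "File present: $common" }

# 4. Services whose ImagePath points at a .tmp file under a Temp folder (the legacy service entry)
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '\\Temp\\[^\\]+\.tmp') {
        $findings += "Service $($_.PSChildName) ImagePath -> $img"
    }
}

if ($findings.Count -eq 0) { 'No W32.Buzus indicators found.' } else { $findings }
```

A hit on check 4 alone is not proof of infection, since other software also runs from %Temp%; treat it as a lead to confirm with the antivirus scan in the removal steps.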

How to Remove W32.Buzus

1. Temporarily disable System Restore (Windows Me/XP).
2. Open your antivirus application and update its virus definition file so that it can identify even the most recent W32.Buzus variant.

3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display Windows Advanced Boot Options menu. Please select Safe Mode with Networking.
- The system will now boot Windows and load only the necessary drivers and files.

4. Open your antivirus program and run a full system scan. After the scan, delete all infected items; if an item cannot be deleted, place it in quarantine instead. Once the scan is complete, proceed with the next step.

Scan with Norton Power Eraser:

Norton Power Eraser (NPE), a free tool from Symantec, uses deep scanning to detect and remove threats like W32.Buzus. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE here.

Important! Because of Norton Power Eraser's aggressive detection method, it can flag even legitimate files as suspicious. Use this tool very carefully.