For Home

Virus Profile: Generic PWS.zj

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 5/22/2012
Date Added: 5/22/2012
Origin: Unknown
Length: Varies
Type: Trojan
Subtype: Win32
DAT Required: 6842
Removal Instructions
   
 
 
   

Description

This is a Trojan detection. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

  • NOD32 - Win32/Spy.Bebloh.J trojan
  • Symantec - Trojan.Gen.2
  • Ikarus   - Trojan.Win32.Bublik
  • Microsoft - Trojan:Win32/Bublik.B

Indication of Infection

These symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

Methods of Infection


Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc
   

Virus Characteristics

Generic PWS.zj” is detection for this Trojan, which steals the information from the compromised computer. It may also gather information, such as personal information. The collected data will be sent to the remote attacker.

Upon execution it tries to connect to the below URL through remote port http in order to send the collected information to the remote attacker

  • Tas[Removed]e.net
  • 173.194.[Removed].142
  • 197.243.[Removed].5
  • Captured POST request:
  • POST /nwi/tim.php HTTP/1.1
  • Content-Type: application/x-www-form-urlencoded
  • User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
  • Host: taskwire.net
  • Content-Length: 348
  • Connection: Keep-Alive
  • Pragma: no-cache

Upon execution the Trojan copy itself to the following location

  • %windir%\system32\mixerpvideo.exe
  • %Temp%\followXXXXa03468

The following registry values have been added to the system.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe\Debugger: "mixerpvideo.exe"

The above mentioned registry ensures that, the Trojan registers itself with the compromised system and executes itself upon every reboot.

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000
  • HKEY_USERS\S-1-5[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000

The above registry entries confirms that the Trojan disable the Proxy settings.

  • HKEY_USERS\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\EDAB1FED\: [hex decimal values]
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\EDAB1FED\DE25: 0x00000000

The following registry values have been modified to the system.

  • HKEY_USERS \S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000001
  • HKEY_USERS \S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609: 0x00000000

The above registry entry confirms that the Trojan lower the Internet Explorer security settings

   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).