Can Avast detect this worm yet?
TR/Buzus.dhxv - Trojan
Files
It copies itself to the following locations:
• %drive%\conime.exe
• %SYSDIR%\wcoredt.exe
It overwrites a file.
– %SYSDIR%\drivers\etc\hosts
It deletes the initially executed copy of itself.
The following file is created:
– %drive%\autorun.inf
This is a non-malicious text file with the following content:
• %code that runs malware%
It tries to download a file:
– The location is the following:
• http://up.g-youtube.info/net/**********
It tries to execute the following files:
• ipconfig /flushdns
• sc delete K7TSMngr
• net stop “avast! Antivirus”
• sc stop “avast! Antivirus”
• sc config “avast! Antivirus” start= disabled
• net1 stop “avast! Antivirus”
• sc delete “avast! Antivirus”
• net stop AntiVirService
• sc stop AntiVirService
• sc config AntiVirService start= disabled
• net1 stop AntiVirService
• net stop K7RTScan
• sc delete AntiVirService
• net stop PASRV
• sc stop PASRV
• net1 stop PASRV
• sc config PASRV start= disabled
• sc delete PASRV
• net stop VSSERV
• sc stop VSSERV
• sc config VSSERV start= disabled
• net1 stop VSSERV
• sc stop K7RTScan
• sc delete VSSERV
• net stop avg8wd
• sc stop avg8wd
• sc config avg8wd start= disabled
• net1 stop avg8wd
• sc delete avg8wd
• net stop avg9wd
• sc stop avg9wd
• net1 stop avg9wd
• sc config avg9wd start= disabled
• sc config K7RTScan start= disabled
• sc delete avg9wd
• net stop NOD32krn
• sc stop NOD32krn
• net1 stop NOD32krn
• sc config NOD32krn start= disabled
• sc delete NOD32krn
• net stop ekrn
• sc stop ekrn
• net1 stop ekrn
• sc config ekrn start= disabled
• net1 stop K7RTScan
• sc delete ekrn
• net stop McShield
• sc stop McShield
• net1 stop McShield
• sc config McShield start= disabled
• sc delete McShield
• net stop OutpostFirewall
• sc stop OutpostFirewall
• sc config OutpostFirewall start= disabled
• sc delete K7RTScan
• net stop K7TSMngr
• sc stop K7TSMngr
• sc config K7TSMngr start= disabled
• net1 stop K7TSMngr
More info: http://www.avira.com/en/threats/section/fulldetails/id_vir/5193/tr_buzus.dhxv.html
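A detection sketch for the service-tampering burst listed above, added here as an example; it is not part of the original post or of Avira's write-up. It flags `net`/`net1`/`sc` commands aimed at the services named in the list and reports hosts where several distinct ones are hit. The `(host, command line)` record shape, the host names and the threshold of three are assumptions.

```python
import re
import shlex

# Service names copied from the command list in the post above.
TARGET_SERVICES = {s.lower() for s in (
    "avast! Antivirus", "AntiVirService", "K7RTScan", "K7TSMngr", "PASRV",
    "VSSERV", "avg8wd", "avg9wd", "NOD32krn", "ekrn", "McShield",
    "OutpostFirewall")}

def classify(cmdline):
    """Return (action, service) when a command tampers with a listed service."""
    # The forum rendering shows curly quotes; normalise them to straight ones.
    cleaned = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    try:
        # posix=False keeps Windows backslashes and quoted names intact.
        argv = [a.strip('"') for a in shlex.split(cleaned, posix=False)]
    except ValueError:  # unbalanced quote
        return None
    if len(argv) < 3 or argv[2].lower() not in TARGET_SERVICES:
        return None
    tool = re.sub(r"\.exe$", "", argv[0].lower().rsplit("\\", 1)[-1])
    verb, service = argv[1].lower(), argv[2]
    if tool in ("net", "net1") and verb == "stop":
        return ("stop", service)
    if tool == "sc" and verb in ("stop", "delete"):
        return (verb, service)
    if tool == "sc" and verb == "config" and re.search(
            r"start=\s*disabled", " ".join(argv[3:]).lower()):
        return ("disable", service)
    return None

def tamper_report(events, min_services=3):
    """Map host -> services tampered with, for hosts at or above the threshold."""
    seen = {}
    for host, cmdline in events:
        hit = classify(cmdline)
        if hit:
            seen.setdefault(host, set()).add(hit[1].lower())
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_services}

SAMPLE_EVENTS = [  # constructed process-creation records: (host, command line)
    ("ws-01", "ipconfig /flushdns"),
    ("ws-01", "net stop \u201cavast! Antivirus\u201d"),
    ("ws-01", r"C:\Windows\System32\sc.exe config ekrn start= disabled"),
    ("ws-01", "net1 stop McShield"),
    ("ws-02", "sc config Spooler start= disabled"),
    ("ws-02", "net stop ekrn"),
]

if __name__ == "__main__":
    print(tamper_report(SAMPLE_EVENTS))
```

A single stop of one listed service (as on `ws-02`) stays below the threshold; the signal is one host touching several security services in a short run of commands.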