Threat behavior
Trojan:WinNT/Bubnix.gen!B is a generic detection for a kernel-mode driver, installed by other malware, that hides its presence on an affected computer by blocking registry and file access to itself. The trojan may report its installation to a remote server, download and distribute spam email messages, and may download and execute arbitrary files.
Installation
The trojan may be present as a randomly named file in the following format:
%SystemRoot%\System32\drivers\[5-8 random chars].sys (for example, "rexramc.sys")
The malware runs as a service with the same name as the file, for example "rexramc". After installation, the malware component runs as an NT service at every Windows start.
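As an added hunting aid (not part of the original entry), the following PowerShell lists kernel-mode driver services that match the installation pattern above: a 5-8 character image name under %SystemRoot%\System32\drivers and a service name equal to the file's base name. The name pattern, the field selection and the readability/signature checks are assumptions for illustration; legitimate Windows drivers with short names will match too, so the output is a triage list, not a verdict.

```powershell
# Added example: triage kernel drivers matching the Bubnix installation pattern.
# Assumption: 5-8 alphanumeric characters; adjust if a different naming style is seen.
$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$namePattern = '^[a-z0-9]{5,8}$'

Get-CimInstance Win32_SystemDriver | ForEach-Object {
    $svc = $_
    # PathName may be quoted or carry the \??\ prefix; normalise before comparing.
    $path = ($svc.PathName -replace '^\\\?\?\\', '') -replace '"', ''
    if (-not $path) { return }
    $base = [IO.Path]::GetFileNameWithoutExtension((Split-Path -Leaf $path))
    $inDriversDir = $path -like (Join-Path $driversDir '*')

    if ($inDriversDir -and $base -match $namePattern -and $svc.Name -ieq $base) {
        # The driver blocks access to its own file, so an unreadable or unsigned
        # image is the interesting case; a readable, validly signed one usually is not.
        $readable = Test-Path -LiteralPath $path
        $sigStatus = 'unreadable'
        if ($readable) {
            try { $sigStatus = (Get-AuthenticodeSignature -FilePath $path -ErrorAction Stop).Status }
            catch { $sigStatus = 'error' }
        }
        [PSCustomObject]@{
            Service   = $svc.Name
            Path      = $path
            State     = $svc.State
            StartMode = $svc.StartMode
            Readable  = $readable
            Signature = $sigStatus
        }
    }
} | Sort-Object Readable, Signature | Format-Table -AutoSize
```

Because the driver also blocks registry access to itself, a service that is absent from this enumeration on the live system but present when the disk is examined offline is the stronger signal.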
Payload
Downloads and executes arbitrary files
Trojan:WinNT/Bubnix.gen!B contacts a remote server to report its installation on the affected computer. The trojan attempts to download and execute arbitrary files from a predefined web address.
Distributes spam
The trojan retrieves configuration data containing spam information from a remote server, and attempts to distribute spam.
Analysis by Rex Plantado
Prevention