Threat behavior
Win32/Busky is a family of Trojans that monitor and redirect Internet traffic, gather system information and download unwanted software such as Win32/Renos and Win32/SpySheriff. Win32/Busky may be installed by a Web browser exploit or other vulnerability when visiting a malicious Web site. Win32/Busky may also be installed by a Trojan dropper. Trojan droppers for Win32/Busky may be detected as TrojanDropper:Win32/Busky.gen or TrojanDownloader:Win32/Busky.
Win32/Busky consists of one or two dynamic link library Trojan components, depending on the variant. One component functions as a browser helper object, monitoring Web activity and redirecting access to common search sites to another Web site. The other component runs silently and downloads unwanted software programs.
When the Trojan dropper for Win32/Busky executes, it may perform the following actions:
- Depending on the variant, drops either one or two files into the <system folder> using random file names, such as kpwynle.dll and bgopgyc.dll
- Modifies the registry to run one of the dropped Trojan components as a Web browser helper object (BHO) that executes whenever Internet Explorer is run, as in this example:
Adds value: {518BB5B6-C6A6-07E6-658B-01E1AA5CEBE1}\InprocServer32\(default)
With data: <system folder>\bgopgyc.dll
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
- Modifies the registry to run another Trojan component when Windows is started, as in this example:
Adds value: kpwynle.dll
With data: <system folder>\rundll32.exe <system folder>\kpwynle.dll,yzviqhc
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Creates a "marker" entry in the registry to avoid running Win32/Busky more than once, as in this example:
Adds value: (default)
With data: 631930542
To subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey3
HKEY_CURRENT_USER\SOFTWARE\AdwareDisableKey3
- Modifies the registry so that Win32/Busky can monitor Web browser activity and redirect certain Internet search queries to other Web sites, as in this example:
Modifies value: MigrateProxy
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\
Modifies value: ProxyBypass
With data: 1
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Modifies value: ProxyEnable
With data: 0
To subkey: HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
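The dropper's registry changes listed above are the most durable artifacts an incident responder can check for. The following script is an added example (not Microsoft's detection logic) that parses a text registry export in the format written by `reg export` and flags the indicators from this write-up: a Run value that loads a DLL through rundll32.exe, the AdwareDisableKey3 marker key, the BHO CLSID from the example above, and the proxy settings. The sample export, the severity labels and the helper names are this example's own constructed choices.

```python
"""Triage of the Win32/Busky registry artifacts over a text registry export.

Added example, not Microsoft's detection logic. Key paths, value names and the
BHO CLSID come from the write-up; the sample export, severity labels and helper
names are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

RegTree = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str]  # (severity, registry key, detail)

# Constructed `reg export` style sample: the write-up's artifacts plus one
# benign Run entry that the checks must leave alone.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kpwynle.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\kpwynle.dll,yzviqhc"
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\AdwareDisableKey3]
@="631930542"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{518BB5B6-C6A6-07E6-658B-01E1AA5CEBE1}\InprocServer32]
@="C:\\WINDOWS\\system32\\bgopgyc.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
'''

# Matches "rundll32.exe <path>.dll,<export>", the shape of the Run value above.
RUNDLL32_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\w+)", re.I)
# CLSID from the write-up's example; other variants may register a different GUID.
BUSKY_BHO_CLSID = "{518BB5B6-C6A6-07E6-658B-01E1AA5CEBE1}"


def parse_reg_export(text: str) -> RegTree:
    """Parse a .reg export into {key_path: {value_name: data}}.

    Handles quoted strings (with .reg "\\" escaping undone) and dword values
    (stored as decimal text). The default value is stored as "(default)".
    """
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        name, sep, data = line.partition("=")
        if current is None or not sep:
            continue
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        tree[current][name] = data
    return tree


def find_busky_indicators(tree: RegTree) -> List[Finding]:
    """Return (severity, key, detail) for each artifact from the write-up."""
    findings: List[Finding] = []
    for key, values in tree.items():
        upper = key.upper()
        # 1. Run value that loads a DLL via rundll32.exe. Legitimate software does
        #    this too, so it is only "strong" when the value name is the DLL's own
        #    file name, the pattern the write-up shows.
        if upper.endswith(r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"):
            for name, data in values.items():
                m = RUNDLL32_RE.search(data)
                if m:
                    dll_base = m.group("dll").rsplit("\\", 1)[-1]
                    sev = "strong" if dll_base.lower() == name.lower() else "review"
                    findings.append((sev, key, f"{name} -> rundll32 loads {m.group('dll')},{m.group('export')}"))
        # 2. The "run once" marker key exists in neither a clean HKLM nor HKCU.
        if upper.endswith(r"\SOFTWARE\ADWAREDISABLEKEY3"):
            findings.append(("strong", key, f"marker (default)={values.get('(default)', '')}"))
        # 3. InprocServer32 of the BHO CLSID from the write-up.
        if BUSKY_BHO_CLSID.upper() in upper and upper.endswith("\\INPROCSERVER32"):
            findings.append(("strong", key, f"InprocServer32={values.get('(default)', '')}"))
        # 4. Proxy settings: weak on their own (ProxyEnable=0 is a common default).
        if "INTERNET SETTINGS" in upper:
            for name, expected in (("MigrateProxy", "1"), ("ProxyBypass", "1"), ("ProxyEnable", "0")):
                if values.get(name) == expected:
                    findings.append(("weak", key, f"{name}={expected}"))
    return findings


def triage(reg_text: str) -> Dict[str, object]:
    """Summarise the findings; any strong indicator marks the export as suspect."""
    findings = find_busky_indicators(parse_reg_export(reg_text))
    strong = sum(1 for sev, _, _ in findings if sev == "strong")
    weak = sum(1 for sev, _, _ in findings if sev == "weak")
    return {"findings": findings, "strong": strong, "weak": weak, "suspect": strong > 0}


if __name__ == "__main__":
    for sev, key, detail in triage(SAMPLE_REG_EXPORT)["findings"]:
        print(f"[{sev:6}] {key}: {detail}")
```

On a live host the same checks apply to `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` output; the rundll32 heuristic deliberately reports unknown DLL loaders as "review" rather than "strong", because plenty of legitimate Run entries use rundll32.exe.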
When Win32/Busky is run, it performs the following actions:
- Monitors Internet Explorer requests to the search sites MSN, Google and Yahoo, and redirects them to an alternate Web site
- Connects to a remote Web site over TCP port 80 to download unwanted software such as Win32/Renos and Win32/SpySheriff. These programs display false security warnings and bogus notifications of infections
- Listens on a UDP port in the range 3000-3099 and awaits connection attempts from remote attackers
- Enumerates and sends system information to remote Web sites
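The runtime behaviours above leave network evidence: a process that both holds a UDP socket in the 3000-3099 range and has an outbound TCP port 80 connection is worth a closer look. The script below is an added example (not Microsoft's tooling) that parses Windows `netstat -ano` output and correlates those two behaviours per process ID. The netstat sample is constructed, and the "same PID does both" rule is this example's own heuristic; the write-up does not say which process holds the UDP socket.

```python
"""Correlate Win32/Busky network behaviour in `netstat -ano` output.

Added example, not Microsoft's tooling. The UDP range (3000-3099) and the TCP
port 80 download channel come from the write-up; the sample output and the
per-PID correlation rule are constructed for this example.
"""
from typing import Dict, List

# Constructed Windows `netstat -ano` output; PID 1488 shows both behaviours,
# PID 2980 only has an unrelated UDP socket, PID 2204 only a TLS connection.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     203.0.113.45:80        ESTABLISHED     1488
  TCP    192.168.1.20:49713     198.51.100.7:443       ESTABLISHED     2204
  UDP    0.0.0.0:3017           *:*                                    1488
  UDP    0.0.0.0:5353           *:*                                    2980
"""

BUSKY_UDP_RANGE = range(3000, 3100)  # 3000-3099 inclusive, per the write-up


def port_of(endpoint: str) -> int:
    """Port of 'host:port' or '[v6]:port'; -1 for '*:*'."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else -1


def parse_netstat(text: str) -> List[dict]:
    """Parse TCP/UDP rows of `netstat -ano`; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:
            proto, local, foreign, pid = fields
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def busky_network_indicators(text: str) -> Dict[int, List[str]]:
    """Map PID -> matched behaviours for PIDs holding a UDP socket in 3000-3099.

    Outbound port 80 alone is far too common to report, so it is only attached
    to a PID that also has the UDP listener.
    """
    rows = parse_netstat(text)
    udp_pids = {r["pid"] for r in rows
                if r["proto"] == "UDP" and port_of(r["local"]) in BUSKY_UDP_RANGE}
    hits: Dict[int, List[str]] = {}
    for r in rows:
        if r["pid"] not in udp_pids:
            continue
        if r["proto"] == "UDP" and port_of(r["local"]) in BUSKY_UDP_RANGE:
            hits.setdefault(r["pid"], []).append(f"UDP {r['local']} open in 3000-3099")
        elif r["proto"] == "TCP" and r["state"] == "ESTABLISHED" and port_of(r["foreign"]) == 80:
            hits.setdefault(r["pid"], []).append(f"TCP to {r['foreign']} (download channel)")
    return hits


if __name__ == "__main__":
    for pid, reasons in busky_network_indicators(NETSTAT_SAMPLE).items():
        print(pid, "->", "; ".join(reasons))
```

The PID can then be mapped to its image with `tasklist /fi "PID eq <pid>"`; for this family a rundll32.exe host loading a randomly named DLL from the system folder, as in the Run entry above, would be the expected owner.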
Win32/Busky may be bundled with or installed alongside other Trojans such as Backdoor:Win32/Cosiam, Trojan:Win32/Tibs, Rootkit:Win32/Rustock and TrojanDownloader:Win32/Vxidl. Win32/Busky may also be available on various file sharing networks disguised as a useful program.
Prevention