Eyecu

Trojan.BZUB-IPV6


Good day,

For the past week or so I've been trying to eradicate this Trojan.BZUB-IPV6 trojan that SAS keeps popping up a detection popup for on bootup. So far, the three file names I can remember it reporting are

c:\windows\system32\skeys.dll

c:\windows\system32\write.dll

c:\windows\system32\twunk_16.dll

The following is one of the scan logs with the registry entries it finds:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 08/29/2008 at 06:21 PM

Application Version : 4.20.1046

Core Rules Database Version : 3551
Trace Rules Database Version: 1539

Scan type       : Quick Scan
Total Scan Time : 00:33:53

Memory items scanned      : 429
Memory threats detected   : 0
Registry items scanned    : 477
Registry threats detected : 5
File items scanned        : 18866
File threats detected     : 1

Trojan.BZub-IPV6
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SKEYS.DLL
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}

So far I've run SAS, Malwarebytes, HijackThis, and Trojan Hunter to attempt to get rid of this pesky rodent. I've run all of these in normal mode, safe mode, and safe mode with command prompt. Every time it says it successfully removed it, and on the next start up I don't get the warning. But on following startups I do.

Any help would be appreciated.

P.S. for every other issue SAS has done extremely well. Good job on this product, I have been recommending it to everyone I know.


Ok, first off can you upload skeys.dll to the Virustotal service for 36 second opinions. If it is being flagged by any of them there, then can you copy and paste the link to the Virustotal report in your next reply :)

http://www.virustotal.com/

Next up we need to dig a bit deeper to see if another file is spawning the reappearance of the originally detected file(s).

Download a copy of Autoruns :

http://technet.microsoft.com/en-us/sysi ... 63902.aspx

Run a scan, but then after it completes:

Click Options.

Check both "Verify code signatures" and "Hide signed Microsoft entries". This will make the list a lot shorter.

Now press F5 to rerun the scan with the new settings. When this completes,

click the File tab, then select "Export as" and save the log (autoruns.txt) to your desktop.

Copy and paste the contents of autoruns.txt into your next post.

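A defender-side check in the spirit of that Autoruns walkthrough, added here as an example and not code from the thread or from SUPERAntiSpyware: it lists the two persistence locations this infection used (Browser Helper Object CLSIDs like the ones in the SAS log, and the Startup folders) and marks unsigned or missing files, much as Autoruns does with "Hide signed Microsoft entries" on. It assumes Windows PowerShell 3.0 or later with Get-AuthenticodeSignature available.

```powershell
# Added example (not from the thread): enumerate BHO and Startup-folder
# persistence and report Authenticode status so unsigned entries stand out.

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path) { return 'NoPath' }
    # Strip surrounding quotes and expand %SystemRoot%-style variables
    $clean = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    if (-not (Test-Path -LiteralPath $clean)) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -LiteralPath $clean).Status.ToString()
}

# 1. Browser Helper Objects: each subkey name is a CLSID; resolve it through
#    HKCR\CLSID\{...}\InprocServer32 to the DLL that Explorer/IE will load.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bhos = foreach ($sub in Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue) {
    $clsid  = $sub.PSChildName
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $props  = Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Source    = 'BHO'
        Name      = $clsid
        Path      = $props.'(default)'
        Threading = $props.ThreadingModel
        Signature = Get-SignatureStatus -Path $props.'(default)'
    }
}

# 2. Startup folders (per-user and all-users), the location msoflex.exe used.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startup = foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Source    = 'Startup'
            Name      = $f.Name
            Path      = $f.FullName
            Threading = $null
            Signature = Get-SignatureStatus -Path $f.FullName
        }
    }
}

# Entries that are NotSigned or FileMissing are the ones to investigate
# (for example by uploading them to VirusTotal, as suggested above).
(@($bhos) + @($startup)) | Sort-Object Signature | Format-Table -AutoSize
```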

lol that's a large output log... Like looking for a needle in a haystack :lol:

Okey can you please upload "msoflex.exe" to Virustotal for malware checking and post back the results :)

  • + msoflex.exe c:\documents and settings\all users\start menu\programs\startup\msoflex.exe


Okey then boot into safe mode and delete the sucker :P

:idea: If possible, can I grab a copy of it before ya nuke it, for distribution/research purposes 8)

http://www.castlecops.com/f81-Unknown_Files.html

Start a new topic there titled for my attention and attach/upload the file with your post; no membership is required to do this :wink:

LMK if the detections persist after its removal & a couple of reboots.


Thanks for all your help. The file is posted, I think. Can't tell; I attempted to attach it twice but it's not showing up on the thread. Topic title is Attn: Fatdcuk. Thank you for all your help, greatly appreciated... My fiancée also says to say thank you, as it was on her computer that the infection was.


Okey, just got your uploaded sample at CC, thank you for uploading 8)

http://www.virustotal.com/analisis/069c ... cb36eb7c28

ThreatExpert info: http://www.threatexpert.com/report.aspx ... 04fbe15fb6

I must advise you that this is a "password stealer" bot designed to harvest PSW's on the infected system :evil:

It is highly advisable that you change all your used passwords as a matter of priority :!:


Already on it. Figured as much. I'm pretty computer literate on the hardware/software side of things. This one just had me stumped, as no program I used found the base file... that msoflex.exe. Even though I saw it in the startup folder I should have googled it, but thought it was one of her graphics programs or something she uses. Anyways, I'm on the password changing. Thanks again.


All good then :)

As of Database Version 3555 - 09-02-2008

SAS now has your particular variant in its target database, so thank you again for uploading this malware variant 8)

  • Trojan.Dropper/Gen-NV
    C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MALWARE SAMPLES\MSOFLEX.EXE
