Threat Encyclopedia


Win32/Fusing.AO

Aliases: Backdoor.Win32.Torr.aun (Kaspersky), Trojan:Win32/Provis!rts (Microsoft), BackDoor-DVB.e (McAfee)
Type of infiltration: Trojan
Size: 109056 B
Affected platforms: Microsoft Windows
Signature database version: 4768 (20100113)

Short description

Win32/Fusing.AO installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following file:
  • %system%\twain_32.dll (43813 B)
The trojan registers itself as a system service under the following name:
  • VMservices
The trojan replaces the file referenced by the following Registry entry (the list of services hosted by svchost.exe in the netsvcs group) with its own copy or with another malware file:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "netsvcs"
It avoids processes which contain any of the following strings in their path:
  • 6to4
  • Ias
  • Iprip
  • Irmon
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    "Type" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    "InstallModule" = "%variable2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    "Description" = "Network address translation for virtual
    networks.If this service is stopped, protected content
    might not be down loaded to the device."
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
    "ServiceDll" = "%system%\twain_32.dll"
This causes the trojan to be loaded by svchost.exe on every system start.

A string with variable content is used instead of %variable1-2%.

The trojan deletes its original file.

Other information

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a list of URLs. Communication uses the TCP protocol.

It can execute the following operations:
  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan may create the following files:
  • %temp%\%variable%_res.tmp (43813 B)
The %variable% represents a random number.

The following programs are terminated:
  • KVMonXP.kxp
The trojan launches the following processes:
  • iexplore.exe
The trojan creates and runs a new thread with its own program code within the following processes:
  • winlogon.exe
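The following PowerShell script is an added hunting example and is not part of the ESET entry. It checks a live host for the persistence and file indicators listed in the Installation section and under Other information above: every service in the svchost netsvcs group and its ServiceDll, the Description string, the InstallModule value, the VMservices service name, %system%\twain_32.dll and %temp%\<number>_res.tmp. It assumes Windows PowerShell 5.1 or later run as Administrator. The Authenticode check on each netsvcs ServiceDll is a generic triage step added here, not something the entry describes.

```powershell
# Added example, not from the ESET entry: triage a host for Win32/Fusing.AO indicators.
# Assumes PowerShell 5.1+ run elevated; paths and names come from the entry above.

$findings   = @()
$sys32      = [Environment]::GetFolderPath('System')   # %system%, e.g. C:\Windows\System32
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$descPrefix = 'Network address translation for virtual'   # stable prefix of the Description string

# The entry says the trojan registers a service named VMservices.
if (Test-Path "$servicesKey\VMservices") {
    $findings += "Service key VMservices exists"
}

# Walk every service in the svchost netsvcs group and inspect how it is configured.
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name netsvcs -ErrorAction Stop).netsvcs
foreach ($svc in $netsvcs) {
    $svcKey = "$servicesKey\$svc"
    if (-not (Test-Path $svcKey)) { continue }
    $props  = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue

    # Description text the trojan writes into the hijacked service entry.
    if ($props.Description -and $props.Description -like "$descPrefix*") {
        $findings += "Service '$svc': Description matches the Fusing.AO string"
    }
    # 'InstallModule' is not a value Windows service installers create.
    if ($props.PSObject.Properties['InstallModule']) {
        $findings += "Service '$svc': unexpected InstallModule value present"
    }

    if (-not ($params -and $params.ServiceDll)) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    # The dropped DLL is twain_32.dll under System32; the legitimate twain_32.dll lives in %windir%.
    if ((Split-Path $dll -Leaf) -ieq 'twain_32.dll') {
        $findings += "Service '$svc': ServiceDll points at $dll"
    }
    # Generic check (added here): a netsvcs ServiceDll that is missing or not Microsoft-signed.
    if (-not (Test-Path $dll)) {
        $findings += "Service '$svc': ServiceDll $dll does not exist on disk"
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "Service '$svc': ServiceDll $dll is not Microsoft-signed (status $($sig.Status))"
        }
    }
}

# File indicators: the dropped DLL and the %temp%\<random number>_res.tmp file, both 43813 B per the entry.
$dropped = Join-Path $sys32 'twain_32.dll'
if (Test-Path $dropped) {
    $findings += "File $dropped present ($((Get-Item $dropped).Length) bytes; entry lists 43813)"
}
Get-ChildItem -Path $env:TEMP -Filter '*_res.tmp' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^\d+_res$' } |
    ForEach-Object { $findings += "Temp file $($_.FullName) ($($_.Length) bytes)" }

if ($findings.Count -eq 0) { 'No Win32/Fusing.AO indicators found.' } else { $findings }
```

Treat the signature check as a triage hint rather than a verdict: on systems older than Windows 8 catalog-signed Microsoft DLLs can report NotSigned, and a hijacked entry whose ServiceDll still resolves to a signed Microsoft file is not cleared by it. The entry also notes that the trojan injects a thread into winlogon.exe and launches iexplore.exe; those in-memory indicators need a process or memory inspection tool and are outside what this registry and file sweep covers.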