Threat Encyclopedia

Win32/Fusing.BD

Aliases: Backdoor.Win32.FirstInj.tv (Kaspersky), Trojan:Win32/Meredrop (Microsoft), Generic Dropper!dee (McAfee)
Type of infiltration: Trojan
Size: 134834 B
Affected platforms: Microsoft Windows
Signature database version: 5120 (20100517)

Short description

Win32/Fusing.BD installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan creates the following folder:
  • %systemdrive%\Documents and Settings\Local User
The folder may have the System (S) and Hidden (H) attributes set in an attempt to hide it in Windows Explorer.

The following file is dropped into the %systemdrive%\Documents and Settings\Local User folder:
  • windmad.dll (117833 B)
The windmad.dll file may have the System (S) and Hidden (H) attributes set in an attempt to hide it in Windows Explorer.

The trojan registers itself as a system service under the following name:
  • Microsoft Device Manager
The trojan hijacks one of the services listed in the following Registry value (the svchost "netsvcs" service group), replacing the service DLL referenced by that entry with its own copy or with another malware file:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
    "netsvcs"
When choosing the entry to hijack, it avoids services whose names contain any of the following strings:
  • 6to4
  • Ias
  • Iprip
  • Irmon
The following Registry entries are set:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    "Type" = "%variable1%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    "InstallModule" = "%variable2%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%]
    "Description" = "%string%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
    "ServiceDll" = "%systemdrive%\Documents and Settings\Local User\windmad.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%servicename%\Parameters]
    "ServiceMain" = "MyLive"
The hijacked service is started by svchost.exe at boot, so the trojan is executed on every system start.

Strings with variable content are used in place of %variable1% and %variable2%; Chinese-language strings are used in place of %string%.

The trojan then deletes its original executable.
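The persistence above is a svchost ServiceDll hijack: a member of the netsvcs group keeps its name, but its Parameters\ServiceDll now points at a DLL outside %SystemRoot%\System32. The following script is an added example (not ESET's code) that triages an offline "reg export" of the Services hive for exactly that condition. It parses the .reg format, including the hex(2)/hex(7) encoding regedit uses for REG_EXPAND_SZ and REG_MULTI_SZ and its ",\" line continuations, and then walks the netsvcs list. The sample export is constructed: "SampleSvc" stands in for the unnamed %servicename%, the Schedule entry is a plausible clean member, and SYSTEM_ROOT = C:\WINDOWS is an assumed XP-era default for expanding %SystemRoot%.

```python
"""Offline triage of a 'reg export' of the Services hive for the svchost
ServiceDll hijack described above. Added example, not ESET's own code.
The sample export is constructed; "SampleSvc" stands in for the unnamed
%servicename%, and SYSTEM_ROOT is an assumed XP-era default."""
import re

SYSTEM_ROOT = "C:\\WINDOWS"   # assumption: expansion target for %SystemRoot%
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SVCHOST = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost"
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def hex_multi(kind, strings):
    """Encode strings as reg-export hex(2) (REG_EXPAND_SZ) or hex(7)
    (REG_MULTI_SZ) data, wrapped with ',\\' continuations like regedit."""
    payload = "".join(s + "\0" for s in strings) + ("\0" if kind == 7 else "")
    octets = [f"{b:02x}" for b in payload.encode("utf-16-le")]
    rows = [",".join(octets[i:i + 25]) for i in range(0, len(octets), 25)]
    return f"hex({kind}):" + ",\\\n  ".join(rows)


def decode_value(raw):
    """Decode one exported value: quoted REG_SZ, dword, or hex(N) blob."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])      # undo \\ and \" escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        kind = int(m.group(1) or 3)                     # bare "hex:" is REG_BINARY
        data = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        if kind in (1, 2):                              # REG_SZ / REG_EXPAND_SZ
            return data.decode("utf-16-le").rstrip("\0")
        if kind == 7:                                   # REG_MULTI_SZ
            return [s for s in data.decode("utf-16-le").split("\0") if s]
        return data
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: decoded_data}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):   # hex data continuation
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current]["@" if m.group(2) else m.group(1)] = decode_value(m.group(3))
    return keys


def expand(path, system_root=SYSTEM_ROOT):
    """Expand %SystemRoot% (the only variable these paths use) offline."""
    return re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.I)


def audit_netsvcs(keys, system_root=SYSTEM_ROOT):
    """One finding per netsvcs member whose ServiceDll is outside System32.
    Members without a Parameters key are skipped (not every listed group
    member is installed on a given machine)."""
    allowed = (system_root + "\\system32\\").lower()
    findings = []
    for svc in keys.get(SVCHOST, {}).get("netsvcs", []):
        params = keys.get(f"{SERVICES}{svc}\\Parameters", {})
        dll = params.get("ServiceDll")
        if isinstance(dll, str) and not expand(dll, system_root).lower().startswith(allowed):
            findings.append({
                "service": svc, "ServiceDll": dll,
                "ServiceMain": params.get("ServiceMain"),
                "Description": keys.get(SERVICES + svc, {}).get("Description"),
            })
    return findings


# Constructed sample export: one legitimate netsvcs member (Schedule) and one
# hijacked entry carrying the ServiceDll/ServiceMain values from the entry above.
NETSVCS = ["6to4", "Ias", "Iprip", "Irmon", "Schedule", "SampleSvc"]
SVCHOST_IMAGE = hex_multi(2, ["%SystemRoot%\\system32\\svchost.exe -k netsvcs"])
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{SVCHOST}]",
    '"netsvcs"=' + hex_multi(7, NETSVCS), "",
    f"[{SERVICES}Schedule]",
    '"Type"=dword:00000020',
    '"ImagePath"=' + SVCHOST_IMAGE, "",
    f"[{SERVICES}Schedule\\Parameters]",
    '"ServiceDll"=' + hex_multi(2, ["%SystemRoot%\\system32\\schedsvc.dll"]), "",
    f"[{SERVICES}SampleSvc]",
    '"Type"=dword:00000020',
    '"ImagePath"=' + SVCHOST_IMAGE, "",
    f"[{SERVICES}SampleSvc\\Parameters]",
    '"ServiceDll"=' + hex_multi(2, ["C:\\Documents and Settings\\Local User\\windmad.dll"]),
    '"ServiceMain"="MyLive"',
])

if __name__ == "__main__":
    for hit in audit_netsvcs(parse_reg(SAMPLE_EXPORT)):
        print(f"{hit['service']}: ServiceDll={hit['ServiceDll']} ServiceMain={hit['ServiceMain']}")
```

On a live machine the same check is `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` plus the Svchost key, then parse_reg over both files. The ServiceMain value is reported for context only: many legitimate svchost services set a non-default entry point, so it is the DLL location, not the export name, that separates the hijacked entry from its neighbours.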

Other information

The trojan acquires data and commands from a remote computer or the Internet. It contains a list of URLs and communicates over TCP.

It can execute the following operations:
  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
The trojan launches the following processes:
  • iexplore.exe
The trojan injects its own code into the following process and runs it in a new thread:
  • winlogon.exe