W32/Bublik.A!tr - Released Jul 22, 2009 - Last Updated Jul 24, 2009

Alias/es

Trojan-Downloader.Win32.PowerPointer.b, TR/Drop.Wmach

Detection Availability

Active Database | Extended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

  • The following file exists:
    • %Windows%\ime\wmimachine2.dll

Detailed Analysis

W32/Bublik.A!tr is a Win32 trojan delivered as the payload of the malicious SWF and PDF files in circulation that exploit a vulnerability in Adobe Flash Player, described in Adobe Security Bulletin APSA09-03. It acts as a dropper for a malicious DLL, detected as W32/Bublik.LLD!tr.

  • It drops the following file:
    • %Windows%\ime\wmimachine2.dll
  • It may add or modify the following registry entries to install its embedded DLL as an NT service hosted by svchost.exe in the netsvcs group:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

      • netsvcs

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4

      • NextInstance = dword:00000001

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000

      • Service = "6to4"
      • Legacy = dword:00000001
      • ConfigFlags = dword:00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = ".NET Runtime Optimization Service v2.086521.BackUp_X86"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control

      • *NewlyCreated* = dword:00000000
      • ActiveService = "6to4"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4

      • Type = dword:00000020
      • Start = dword:00000002
      • ErrorControl = dword:00000001
      • ImagePath = hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00, (REG_EXPAND_SZ; decodes to %SystemRoot%\system32\svchost.exe -k netsvcs)
      • DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
      • ObjectName = "LocalSystem"
      • Description = "Microsoft .NET Framework NGEN"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters

      • ServiceDll = hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6d,65,5c,77,6d,69,6d,61,63,68,69,6e,65,32,2e,64,6c,6c,00, (REG_EXPAND_SZ; decodes to C:\WINDOWS\ime\wmimachine2.dll)

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security

      • Security = hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum

      • 0 = "Root\LEGACY_6TO4\0000"
      • Count = dword:00000001
      • NextInstance = dword:00000001
  • After installation, it creates a batch file to delete itself.
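A defender-side check, added here as an example and not part of the Fortinet entry: it parses a .reg-style excerpt constructed from the 6to4 service values listed above, decodes the hex(2) REG_EXPAND_SZ data, and flags svchost-hosted services whose ServiceDll is loaded from outside system32, which is how this trojan's wmimachine2.dll persistence shows up in an exported hive. The sample registry text and the c:\windows\system32 path are assumptions.

```python
# Constructed .reg-style excerpt built from the 6to4 service values listed above;
# a regedit export writes hex(2) as UTF-16LE, the page shows the single-byte form.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00,
"DisplayName"=".NET Runtime Optimization Service v2.086521.BackUp_X86"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6d,65,5c,77,6d,69,6d,61,63,68,69,6e,65,32,2e,64,6c,6c,00,
"""
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"


def decode_hex2(value):
    """Decode a .reg hex(2) (REG_EXPAND_SZ) byte list; accepts UTF-16LE or ANSI."""
    raw = bytes(int(b, 16) for b in value.split(",") if b.strip())
    utf16 = bool(raw) and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    return raw.decode("utf-16-le" if utf16 else "latin-1").rstrip("\x00")

def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: decoded value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            if val.startswith("hex(2):"):
                val = decode_hex2(val[len("hex(2):"):])
            elif val.startswith("dword:"):
                val = int(val[len("dword:"):], 16)
            else:
                val = val.strip('"')
            keys[current][name.strip('"')] = val
    return keys

def suspicious_svchost_services(keys, system32=r"c:\windows\system32"):
    """Flag svchost-hosted services whose ServiceDll is loaded from outside system32."""
    hits = []
    for key, vals in keys.items():
        if not key.startswith(SERVICES) or "\\" in key[len(SERVICES):]:
            continue  # top-level service keys only, not their subkeys
        image = str(vals.get("ImagePath", "")).lower()
        dll = str(keys.get(key + r"\Parameters", {}).get("ServiceDll", ""))
        dll_norm = dll.lower().replace("%systemroot%", r"c:\windows")
        if "svchost.exe" in image and dll and not dll_norm.startswith(system32 + "\\"):
            hits.append((key[len(SERVICES):], dll))
    return hits
```

Run `suspicious_svchost_services(parse_reg(SAMPLE_REG))` against a real `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump to apply the same check to a live hive.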

Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 950940