W32/Bublik.A!tr
Analysis
W32/Bublik.A!tr is a Win32 trojan that was used as the payload of exploits delivered by malicious SWF and PDF files in circulation, which target a vulnerability in Adobe Flash Player described in Adobe Security Bulletin APSA09-03. It acts as a dropper for a malicious DLL, detected as W32/Bublik.LLD!tr.
File dropped:
- %Windows%\ime\wmimachine2.dll

Registry entries created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  - netsvcs
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
  - NextInstance = dword:00000001
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000
  - Service = "6to4"
  - Legacy = dword:00000001
  - ConfigFlags = dword:00000000
  - Class = "LegacyDriver"
  - ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  - DeviceDesc = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control
  - *NewlyCreated* = dword:00000000
  - ActiveService = "6to4"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
  - Type = dword:00000020
  - Start = dword:00000002
  - ErrorControl = dword:00000001
  - ImagePath = hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00,
  - DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
  - ObjectName = "LocalSystem"
  - Description = "Microsoft .NET Framework NGEN"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters
  - ServiceDll = hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6d,65,5c,77,6d,69,6d,61,63,68,69,6e,65,32,2e,64,6c,6c,00,
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security
  - Security = hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum
  - 0 = "Root\LEGACY_6TO4\0000"
  - Count = dword:00000001
  - NextInstance = dword:00000001
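The service registration above is the sample's persistence: the dropped DLL is loaded by svchost.exe (-k netsvcs) through the ServiceDll value, under a service name (6to4) and display name (.NET NGEN) borrowed from legitimate Windows components. As an added illustration (not Fortinet's code), the Python below parses those registry values in .reg export syntax, decodes the hex(2) strings, and reports svchost-hosted services whose ServiceDll lies outside %SystemRoot%\system32; the Dnscache entry is a constructed clean control, not from this page.

```python
# Constructed .reg-style sample: the 6to4 values are those listed on this page (hex(2)
# byte lists copied verbatim); the Dnscache key is a constructed clean control entry.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00
"DisplayName"=".NET Runtime Optimization Service v2.086521.BackUp_X86"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6d,65,5c,77,6d,69,6d,61,63,68,69,6e,65,32,2e,64,6c,6c,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k NetworkService"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dnsrslvr.dll"
'''
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"

def decode_value(raw):
    """Decode a .reg value: "quoted" string or hex(2) REG_EXPAND_SZ (ANSI bytes on this page, UTF-16LE in newer exports)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        enc = "utf-16-le" if len(data) > 1 and data[1] == 0 else "cp1252"
        return data.decode(enc).rstrip("\x00")
    return raw  # dword: and other types are left as written

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg-style export."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def find_svchost_dll_outliers(keys):
    """Flag svchost-hosted services whose ServiceDll lives outside %SystemRoot%\\system32."""
    findings = []
    for path, values in keys.items():
        # Visit the service's own key only, not its Parameters/Security/Enum subkeys.
        if not path.startswith(SERVICES) or path.count("\\") != SERVICES.count("\\"):
            continue
        dll = keys.get(path + "\\Parameters", {}).get("ServiceDll", "")
        if not dll or "svchost.exe" not in str(values.get("ImagePath", "")).lower():
            continue
        norm = dll.lower().replace("%systemroot%", r"c:\windows")
        if not norm.startswith("c:\\windows\\system32\\"):
            findings.append((path.rsplit("\\", 1)[1], dll, values.get("DisplayName", "")))
    return findings
```

On the sample above the only finding is the 6to4 service, whose ServiceDll resolves to C:\WINDOWS\ime\wmimachine2.dll; the same check can be run over a full `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump.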
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.