W32/Bublik.A!tr

Analysis

W32/Bublik.A!tr is a Win32 trojan that was delivered as the payload of circulating malicious SWF and PDF files exploiting a vulnerability in Adobe Flash Player, described in Security Bulletin APSA09-03. It acts as a dropper for a malicious DLL, detected as W32/Bublik.LLD!tr.

  • It drops the following file:
    • %Windows%\ime\wmimachine2.dll (C:\WINDOWS\ime\wmimachine2.dll on a default installation, as the ServiceDll value below shows)
  • It may add or modify the following registry entries to register its embedded DLL as an NT service hosted by svchost.exe:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

      • netsvcs

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4

      • NextInstance = dword:00000001

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000

      • Service = "6to4"
      • Legacy = dword:00000001
      • ConfigFlags = dword:00000000
      • Class = "LegacyDriver"
      • ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
      • DeviceDesc = ".NET Runtime Optimization Service v2.086521.BackUp_X86"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control

      • *NewlyCreated* = dword:00000000
      • ActiveService = "6to4"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4

      • Type = dword:00000020
      • Start = dword:00000002
      • ErrorControl = dword:00000001
      • ImagePath = hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00, (REG_EXPAND_SZ; decodes to "%SystemRoot%\system32\svchost.exe -k netsvcs")
      • DisplayName = ".NET Runtime Optimization Service v2.086521.BackUp_X86"
      • ObjectName = "LocalSystem"
      • Description = "Microsoft .NET Framework NGEN"

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters

      • ServiceDll = hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6d,65,5c,77,6d,69,6d,61,63,68,69,6e,65,32,2e,64,6c,6c,00, (REG_EXPAND_SZ; decodes to "C:\WINDOWS\ime\wmimachine2.dll", the dropped file)

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Security

      • Security = hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00,

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Enum

      • 0 = "Root\LEGACY_6TO4\0000"
      • Count = dword:00000001
      • NextInstance = dword:00000001
  • After installation, it creates a batch file to delete itself.
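Added defender-side example (Python, not part of this write-up or any Fortinet tool): it decodes .reg-style hex(2) values such as the ImagePath and ServiceDll above and flags svchost-hosted services whose ServiceDll points outside the Windows system directory, which is what distinguishes this installation: the host process is legitimate, the hosted DLL is not. The sample export is constructed from the values above plus an assumed benign Dhcp entry for contrast.

```python
import re

# Constructed .reg export: the write-up's two hex(2) values plus a benign service.
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4]
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,76,63,68,6f,73,74,2e,65,78,65,20,2d,6b,20,6e,65,74,73,76,63,73,00,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Parameters]
"ServiceDll"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,69,6d,65,5c,77,6d,69,6d,61,63,68,69,6e,65,32,2e,64,6c,6c,00,
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\dhcpcore.dll"
"""
SYSTEM32 = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def decode_hex2(raw: str) -> str:
    # hex(2) is REG_EXPAND_SZ: regedit exports UTF-16LE, this page's dump is one
    # byte per character, so detect which layout is present before decoding.
    data = bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
    utf16 = len(data) % 2 == 0 and not any(data[1::2])
    return data.decode("utf-16-le" if utf16 else "latin-1").rstrip("\x00")

def parse_reg(text: str) -> dict:
    # Minimal .reg parser returning {key path: {value name: decoded value}}.
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"^\[(.+)\]$", line):
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r'^"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("hex(2):"):
                raw = decode_hex2(raw)
            elif raw.startswith('"'):
                raw = raw.strip('"').replace("\\\\", "\\")
            current[name] = raw  # dword:/hex: values are kept as written
    return keys

def find_rogue_servicedlls(keys: dict) -> list:
    # svchost.exe is legitimate; flag hosted services whose ServiceDll is outside system32.
    hits = []
    for key, values in keys.items():
        if key.lower().endswith("\\parameters") and "ServiceDll" in values:
            service_key = key[: -len("\\Parameters")]
            image = keys.get(service_key, {}).get("ImagePath", "").lower()
            dll = values["ServiceDll"]
            if "svchost.exe" in image and not dll.lower().startswith(SYSTEM32):
                hits.append((service_key.rsplit("\\", 1)[-1], dll))
    return hits

if __name__ == "__main__":
    for service, dll in find_rogue_servicedlls(parse_reg(SAMPLE_REG)):
        print(f"{service}: ServiceDll loaded from outside system32 -> {dll}")
```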

Recommended Action

  FortiGate Systems
    • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

    Detection Availability

    FortiGate
    Extended
    FortiClient
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date        Version   Detail
    2022-08-30  90.05531
    2022-05-11  90.02205
    2022-05-11  90.02204
    2022-01-04  89.08396
    2021-07-06  87.00429
    2020-12-03  82.28000  Sig Updated
    2020-11-02  81.54500  Sig Updated
    2020-11-01  81.51800  Sig Updated
    2020-09-08  80.22400  Sig Updated
    2020-08-11  79.55200  Sig Updated