Installation
When executed the worm copies itself to the following locations:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\msosv.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\msosvext.exe
The following Registry entries are set:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Hello World]
"Type" = 16
"Start" = 2
"ErrorControl" = 1
"ImagePath" = "C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV.EXE"
"DisplayName" = "lÖÓnÍrͨN¶?Né"
"ObjectName" = "LocalSystem"
Spreading on removable media
The worm copies itself into the root folders of removable drives using the following name:
game.exe
The following file is dropped in the same folder:
autorun.inf
Executable files infection
The worm searches local and network drives for files with one of the following extensions:
.exe
The worm infects the files by inserting its code at the beginning of the original program. When an infected file is executed, the original program is dropped into a temporary file and run. The name of the temporary file is:
Run_TempA.exe
It avoids files with the following filenames:
xyqplayer.exe
XY1Update.exe
XY1Patch.exe
gpatch.exe
WowError.exe
BackgroundDownloader.exe
Repair.exe
WoW.exe
soul.exe
AutoPatch.exe
Client.exe
elementclient.exe
uninstall.exe
ztconfig.exe
patchupdate.exe
VMPFULL_TENCENT.EXE
uninst000.exe
Timwp.exe
TIMPlatform.exe
QQLIVEUPDATE.EXE
QQPLAYERSVR.EXE
MAGICFLASH.EXE
ShowIP.exe
QQ3DAVPLAYER.EXE
QZONESUPPORT.EXE
SUN.exe
Sungame.exe
WzVoiceClient.exe
AutoUpdate.exe
DBFSupdate.exe
Play.exe
Other information
The worm may create copies of the following files (source, destination):
%system%\notepad.exe, %windir%\svchost.exe
The worm launches the following processes:
iexplore.exe
%windir%\svchost.exe
The worm creates and runs a new thread with its own code within these running processes.
The worm modifies the following file:
%system%\drivers\etc\hosts
The worm writes the following entries to the file, effectively blocking access to the listed Internet sites:
The worm tries to download and execute several files from the Internet. These are stored in the following locations:
C:\Program Files\Common Files\Microsoft Shared\Web Folders\shift.ini
%windir%\error.ini
C:\Program Files\Common Files\Microsoft Shared\Web Folders\package.tmp
C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSOSV_TMP.EXE
C:\Program Files\Common Files\Microsoft Shared\Web Folders\SVCHOST.EXE
C:\Program Files\Common Files\Microsoft Shared\Web Folders\Temp%variable%.exe
A string with variable content is used instead of %variable%.
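The hosts-file tampering described above (the worm maps Internet hostnames to 127.0.0.1) is straightforward to audit and undo. The following added example is not part of the original description: it is a Python check that flags every hostname mapped to a loopback address other than the well-known loopback names, and rewrites the file without them while preserving comments and legitimate mappings. The sample hosts content is constructed, a normal file plus three of the worm's entries.

```python
import ipaddress

# Names that legitimately resolve to a loopback address; any other name pointed
# at loopback is treated as a sinkhole entry of the kind the worm writes.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (lineno, address, names) per mapping line; '#' comments are stripped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.partition("#")[0].split()
        if len(fields) >= 2:  # an address plus at least one hostname
            yield lineno, fields[0], fields[1:]

def find_sinkhole_entries(text):
    """Return [(lineno, name)] for names sent to loopback other than the legitimate ones."""
    hits = []
    for lineno, addr, names in parse_hosts(text):
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                continue
        except ValueError:
            continue  # not an IP literal; leave it for manual review
        hits.extend((lineno, n) for n in names
                    if n.lower() not in LEGITIMATE_LOOPBACK_NAMES)
    return hits

def clean_hosts(text):
    """Drop sinkholed names; comments and legitimate mappings are kept, mixed lines trimmed."""
    bad = {}
    for lineno, name in find_sinkhole_entries(text):
        bad.setdefault(lineno, set()).add(name.lower())
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno not in bad:
            out.append(raw)
            continue
        body, _, comment = raw.partition("#")
        fields = body.split()
        keep = [n for n in fields[1:] if n.lower() not in bad[lineno]]
        if keep:  # mixed line: keep the legitimate names, drop the sinkholed ones
            out.append(" ".join([fields[0], *keep]) + (f" #{comment}" if comment else ""))
    return "\n".join(out) + "\n"

# Constructed sample: a normal hosts file with three of the worm's entries added.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 mmm.caifu18.net
127.0.0.1 localhost www.18dmm.com  # worm entry sharing a line with localhost
127.0.0.1 d.qbbd.com
"""
```

Running `find_sinkhole_entries(SAMPLE_HOSTS)` reports lines 4, 5 and 6; `clean_hosts(SAMPLE_HOSTS)` keeps the comment, both localhost lines and the legitimate half of the mixed line.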
