W32.Bufei


Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: dormant
Spreading: slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Apr 2000
Damage: Low

Characteristics: W32.Bufei is a virus that, once executed on a compromised computer, finds and attacks .exe files.

More details about W32.Bufei

W32.Bufei has a backdoor facility and keylogger functions that steal or record information. Its main targets are Windows system files, which it continually renames to its own file name and infects. Typically it enters the Windows directory and copies the %Windir%\explorer.exe file to c:\explorer.exe. PE files on all drives of the compromised computer, that is, from F to Z, are also prone to damage and are changed to the .exe extension. It also starts the keylogger automatically and changes where the logged information is kept in the System folder: from C:\Windows\System32 to C:\Windows\System32\advkey.dll. In addition, it automatically connects to one of the URLs on TCP port 8081 every 3 minutes to retrieve a remote attacker's IP address. By connecting through that IP address, the remote attacker gains full access to the infected computer.
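The periodic connection on TCP port 8081 described above is the kind of regular pattern that shows up in connection logs. The following is an added detection example, not part of the original entry: it flags source/destination pairs whose port-8081 connections recur roughly every 180 seconds. The log format, the addresses, the `min_events` and `tolerance` thresholds and all function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

BEACON_PORT = 8081    # TCP port named in this entry
BEACON_PERIOD = 180   # seconds ("every 3 minutes")

# Constructed sample lines in an assumed format: ISO time, source, destination, TCP port.
SAMPLE_LOG = """\
2000-04-17T10:00:02 10.0.0.5 203.0.113.7 8081
2000-04-17T10:01:10 10.0.0.9 198.51.100.20 8081
2000-04-17T10:03:01 10.0.0.5 203.0.113.7 8081
2000-04-17T10:04:30 10.0.0.5 198.51.100.20 80
2000-04-17T10:06:03 10.0.0.5 203.0.113.7 8081
2000-04-17T10:09:02 10.0.0.5 203.0.113.7 8081
2000-04-17T10:47:55 10.0.0.9 198.51.100.20 8081
not a log line
"""

def parse(log_text):
    """Yield (timestamp, src, dst, port) for well-formed lines; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], int(parts[3])

def find_beacons(log_text, min_events=4, tolerance=15):
    """Return sorted (src, dst) pairs whose port-8081 connections recur about every 180 s."""
    seen = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if port == BEACON_PORT:
            seen[(src, dst)].append(ts)
    hits = []
    for pair, times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # The median gap is robust to one missed or delayed connection.
        if abs(median(gaps) - BEACON_PERIOD) <= tolerance:
            hits.append(pair)
    return sorted(hits)

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A hit from this check is a lead for investigation, not a verdict, since legitimate software also polls on fixed intervals.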

Symptoms that your computer is infected may include an active autorun.inf file on the system that automatically plays your drive. If you have a shared network, the infection may also spread across that network to its remote computers. This happens when remote computers access a file from the infected file or drive. Your computer may also show communication with a remote IRC server and/or download and request other files from the Internet that you do not know of. System files are continuously being changed, and you may see files identified as a malicious, confirmed security risk.