
Fuzfle CL

Posted: May 27, 2009

Fuzfle CL - dubbed Generic Dropper.av by McAfee, Trojan-Dropper.Win32.Agent.fun by Kaspersky, and Infostealer by Symantec - is a Trojan that uses rootkit techniques to get nice and cozy in your system and stay hidden from you or any anti-spyware programs you run. What is Fuzfle CL up to? Secretly gaining control of your PC and stealing your login and password information.

Aliases

Generic Dropper.av [McAfee]
Trojan-Dropper.Win32.Agent.fun [Kaspersky]
Infostealer [Symantec]
VirTool:Win32/DelfInject.gen!AA [MS OneCare]
Mal/EncPk-CK [Sophos]
Win32/Fuzfle.CL [CA AV]
W32/Dropper.NHL (exact, dropper) [F-Prot]
W32/Agent.ETXR [NORMAN]

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %profile%\local settings\temp\build.exe
    2 %profile%\local settings\temp\id7254.exe
    3 %system%\drivers\xdx35.sys
    4 resume.exe
    5 xdx35.sys

Registry Modifications

  • The following Registry values were newly created:
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_xdx35
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_xdx35\0000
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_xdx35\0000 capabilitiest
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_xdx35\0000 class
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_xdx35\0000 classguid
    HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_xdx35\0000 configflags
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xdx35
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xdx35\enum
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xdx35\enum 0
    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xdx35\enum coun