Bubnix spam bot added to MSRT uses Obfuscation scheme


Microsoft added "Bubnix" to its Malicious Software Removal Tool (MSRT). "WinNT/Bubnix is a complicated spam bot which arrives on an affected computer by way of a downloader, TrojanDownloader:Win32/Bubnix.A. TrojanDownloader:Win32/Bubnix.A is itself often downloaded by variants of Win32/Bredolab and Win32/Harnig in the wild," said MSRT.

"It's common for a malicious executable to be transferred in encrypted form by a downloader. In order to increase legitimacy, Bubnix goes further. Upon cursory inspection, this appears to be a 'Rar' archive. In fact, the header is a valid one for a password protected archive. Any attempt to 'decompress' the archive will yield a request for a password. This isn't really a true 'Rar' archive. Let us now take a closer look at the downloader itself (pic 2). We can see from this that, if what appears to be a 'Rar!' marker is found, the key and length are then extracted. This information is passed to a decryption function, where the malicious Bubnix driver is revealed. The highlighted portion in Figure 1 at offset 0x14 is the decryption key," explains Microsoft.
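As an added illustration of the disguise described above (this is not code from Microsoft's write-up), the following Python triage check parses the RAR 4.x block headers that a file starting with the 'Rar!' marker should contain and verifies each block's header CRC. It assumes that a payload carrier which only mimics the archive header will not continue with self-consistent RAR blocks; the 4-byte key width placed at offset 0x14 in the constructed sample is an assumption, since the page only gives the offset.

```python
import struct
import zlib

RAR4_MARKER = b"Rar!\x1a\x07\x00"   # marker block: CRC 0x6152, type 0x72, flags 0x1a21, size 7
MHD_PASSWORD = 0x0080               # archive-header flag: headers are password protected
BLOCK_TYPE_ARCHIVE = 0x73
BLOCK_TYPE_FILE = 0x74

def read_block_header(data, off):
    """Parse a RAR 4.x block header at `off`; return (type, flags, size, crc_ok) or None."""
    if off + 7 > len(data):
        return None
    head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, off)
    if head_size < 7 or off + head_size > len(data):
        return None
    # HEAD_CRC is the low 16 bits of CRC32 over the block bytes that follow the CRC field.
    calc = zlib.crc32(data[off + 2:off + head_size]) & 0xFFFF
    return head_type, head_flags, head_size, calc == head_crc

def triage_rar_lookalike(data):
    """Verdict for a blob: genuine RAR skeleton, broken header, or look-alike carrier."""
    if not data.startswith(RAR4_MARKER):
        return "not-rar"
    arch = read_block_header(data, len(RAR4_MARKER))
    if arch is None or arch[0] != BLOCK_TYPE_ARCHIVE or not arch[3]:
        return "bad-archive-header"
    _, flags, size, _ = arch
    # A real archive continues with another CRC-consistent block right after the
    # archive header (offset 0x14 here); a carrier keeps its key/ciphertext there.
    nxt = read_block_header(data, len(RAR4_MARKER) + size)
    if nxt is None or not nxt[3]:
        suffix = " (password flag set)" if flags & MHD_PASSWORD else ""
        return "rar-lookalike-carrier" + suffix
    return "rar-structure-ok"

def make_block(head_type, head_flags, body=b""):
    """Build a RAR 4.x block with a correct HEAD_CRC (used only to construct samples)."""
    rest = struct.pack("<BHH", head_type, head_flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest

def build_samples():
    """Constructed samples: a well-formed RAR 4.x skeleton and a look-alike carrier."""
    archive_hdr = make_block(BLOCK_TYPE_ARCHIVE, MHD_PASSWORD, b"\x00" * 6)  # 13 bytes
    genuine = RAR4_MARKER + archive_hdr + make_block(BLOCK_TYPE_FILE, 0x0004, b"\x00" * 25)
    # Assumed 4-byte key at offset 0x14 followed by constructed "encrypted" bytes.
    carrier = RAR4_MARKER + archive_hdr + b"\x11\x22\x33\x44" + b"\x55\x66\x77\x88" * 8
    return genuine, carrier
```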
