Microsoft Detects Trojan Bubnix
Written by Administrator   
Thursday, 29 July 2010 13:00

Microsoft has recently discovered a new family of Trojans called Bubnix and has added it to the most recent edition of its Malicious Software Removal Tool.


WinNT/Bubnix is a complex piece of malware used as a spam bot. It infects a PC through a downloader called TrojanDownloader:Win32/Bubnix.A. This downloader is itself installed from the Net via variants of Win32/Harnig and Win32/Bredolab.

The Microsoft researchers state that to transfer a malicious executable, it is common to first encrypt it with a downloader. In order to make the content appear more legitimate, TrojanDownloader:Win32/Bubnix.A adds extra activity to this ordinary task, as reported by SoftPedia on July 15, 2010.

The most interesting fact about Bubnix is that it avoids detection by imitating the file header of password-protected RAR archives. The security researchers explain that a drawback of many antivirus solutions is that, to save time, they scan only active processes and files that appear to be an immediate danger, such as .exe files. This new Trojan reportedly capitalizes on that situation.

Moreover, the security researchers' study discloses that an attempt to decompress the archives produces a request for their password. In this case, the 'RAR' archive is not a genuine RAR file.

When the header displays a 'RAR!' string, this indicates the presence of code that is passed to an unlocking utility, where Bubnix is exposed and the real payload is revealed. Thereafter, when a PC becomes infected, the Trojan downloads and installs a rootkit that works as a kernel driver known as "Boot Bus Extender."
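As an added example (not from Microsoft's analysis or the original article), the following Python check shows how a scanner can validate a file that opens with a RAR-looking string instead of trusting it: it verifies the published RAR 4.x marker block and the archive header CRC. The function names, result labels and sample bytes are constructed for illustration; Bubnix's actual container layout is not described on this page.

```python
import struct
import zlib

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # 7-byte RAR 4.x marker block
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5 signature (format postdates the article)
MAIN_HEAD = 0x73                      # HEAD_TYPE of the RAR 4.x archive header
MHD_PASSWORD = 0x0080                 # archive flag: block headers are encrypted
MHD_ENCRYPTVER = 0x0200               # archive flag: one extra version byte follows

def classify(data: bytes) -> str:
    """Return 'not-rar', 'rar5-unchecked', 'fake-rar', 'rar4' or 'rar4-encrypted'."""
    if data[:4].lower() != b"rar!":
        return "not-rar"
    if data.startswith(RAR5_MAGIC):
        return "rar5-unchecked"
    if not data.startswith(RAR4_MAGIC) or len(data) < 14:
        return "fake-rar"             # RAR-looking prefix, wrong or truncated marker
    hdr = data[7:]
    head_crc, head_type, flags, head_size = struct.unpack_from("<HBHH", hdr)
    end = 14 if flags & MHD_ENCRYPTVER else 13
    if head_type != MAIN_HEAD or head_size < end or len(hdr) < head_size:
        return "fake-rar"
    # HEAD_CRC holds the low 16 bits of CRC32 over HEAD_TYPE..RESERVED2.
    if zlib.crc32(hdr[2:end]) & 0xFFFF != head_crc:
        return "fake-rar"
    return "rar4-encrypted" if flags & MHD_PASSWORD else "rar4"

def build_rar4_header(flags: int = 0) -> bytes:
    """Constructed sample: marker block plus a valid 13-byte archive header."""
    body = struct.pack("<BHH", MAIN_HEAD, flags, 13) + b"\x00" * 6
    return RAR4_MAGIC + struct.pack("<H", zlib.crc32(body) & 0xFFFF) + body

def samples() -> dict:
    """Constructed inputs; none of these bytes come from a real Bubnix sample."""
    bad_crc = bytearray(build_rar4_header())
    bad_crc[7] ^= 0xFF                # corrupt HEAD_CRC so validation must fail
    return {
        "genuine.rar": build_rar4_header(),
        "locked.rar": build_rar4_header(MHD_PASSWORD),
        "bad_crc.rar": bytes(bad_crc),
        "upper_magic.bin": b"RAR!" + b"\x90" * 32,
        "tool.exe": b"MZ\x90\x00" + b"\x00" * 32,
    }

if __name__ == "__main__":
    for name, blob in samples().items():
        print(f"{name:16} {classify(blob)}")
```

A `fake-rar` result means the file should be treated as unclassified content and scanned in full, not skipped as an opaque archive.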

Furthermore, the researchers disclose that the Bubnix family of Trojans works as botnet clients that mainly help in spamming activities. Microsoft states that they are frequently installed on already hijacked computers via other malware.

Commenting on the problem, the security researchers stated that, apart from ordinary transformation, malware uses plenty of different techniques to hide as well as encrypt content prior to transmission, according to the Microsoft researchers' blog post published by the Microsoft Malware Protection Center on July 14, 2010.

