Win32/Spy.Bebloh [Threat Name] go to Threat

Win32/Spy.Bebloh.A [Threat Variant Name]

Category trojan
Size 79360 B
Detection created Nov 30, 2009
Signature database version 4648
Aliases Trojan-Downloader.Win32.Piker.sc (Kaspersky)
  Downloader.Generic9.ABMZ (AVG)
Short description

The trojan contains a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the %system% folder using the following name:

  • %random_name%.exe (79360 B)

A string with variable content is used instead of %random_name% .


The trojan deletes the original file.


In order to be executed on system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­userinit.exe]
    • "Debugger" = "%random_name%.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • csrss.exe
  • svchost.exe
  • thebat.exe
  • msimn.exe
  • iexplore.exe
  • explorer.exe
  • myie.exe
  • firefox.exe
  • avant.exe
  • mozilla.exe
  • maxthon.exe
Other information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­opera.exe]
    • "Debugger" = "%ProgramFiles%\­Internet Explorer\­iexplore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­navigator.exe]
    • "Debugger" = "%ProgramFiles%\­Internet Explorer\­iexplore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­safari.exe]
    • "Debugger" = "%ProgramFiles%\­Internet Explorer\­iexplore.exe"
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Image File Execution Options\­chrome.exe]
    • "Debugger" = "%ProgramFiles%\­Internet Explorer\­iexplore.exe"

The modified Registry entries will prevent specific files from being executed.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­Current Version\­Internet Settings\­%random%]

A string with variable content is used instead of %random% .


The trojan acquires data and commands from a remote computer or the Internet.


It can be controlled remotely. The HTTP protocol is used.


The trojan connects to the following addresses:

  • nuomosus.cn/m5/login.php
  • witosate.cn/m5/login.php
  • cyboheig.cn/mp/login.php

The trojan can download and execute a file from the Internet.

Please enable Javascript to ensure correct displaying of this content and refresh this page.