Win32/Bayrob [Threat Name]

Win32/Bayrob.BA [Threat Variant Name]

Category trojan
Size 233984 B
Detection created Jan 12, 2016
Detection database version 12854
Aliases TrojanSpy:Win32/Nivdort.DE (Microsoft)
  Trojan.Bayrob!gen6 (Symantec)
  Win32:Vupa (Avast)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %installfolder%\itb%variable%aeybekl0b.exe
  • %installfolder%\opnpaco.exe
  • %installfolder%\rctboqxtns.exe

The %installfolder% is one of the following strings:

  • %systemvolume%\bcoyeajx
  • %userprofile%\Local Settings\Application Data\bcoyeajx
  • %userprofile%\AppData\Local\bcoyeajx
  • %temp%\bcoyeajx
  • %temp%

%variable% stands for a string with variable content.

The trojan registers itself as a system service using the following name:

  • Player Device Scheduler Isolation Solutions

This causes the trojan to be executed on every system start.
The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Extender Installer Play Studio" = "%installfolder%\opnpaco.exe"

This causes the trojan to be executed on every system start.
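As an added defender-side example (not part of the ESET write-up), the following Python checks an inventory of service names and Run-key values against the install paths, service name and Run value listed above. The service list and Run-key dictionary are constructed samples; treating any parent folder named Temp as %temp% is a simplifying assumption.

```python
import re

# Indicators taken from the Win32/Bayrob.BA description above.
SERVICE_NAME = "Player Device Scheduler Isolation Solutions"
RUN_VALUE_NAME = "Extender Installer Play Studio"
INSTALL_DIR = "bcoyeajx"
# %variable% in the first file name is modelled as one or more arbitrary characters.
FILE_PATTERNS = [
    re.compile(r"^itb.+aeybekl0b\.exe$", re.IGNORECASE),
    re.compile(r"^opnpaco\.exe$", re.IGNORECASE),
    re.compile(r"^rctboqxtns\.exe$", re.IGNORECASE),
]


def suspicious_path(path):
    """True when the file name matches one of the dropped names AND it sits in a
    folder named bcoyeajx or directly in a Temp folder (assumption: %temp% == Temp)."""
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    if not any(p.match(name) for p in FILE_PATTERNS):
        return False
    parent = folder.rsplit("\\", 1)[-1].lower()
    return parent in (INSTALL_DIR, "temp")


def check_autostarts(services, run_values):
    """services: iterable of service display names.
    run_values: dict mapping Run value name -> command line.
    Returns a list of human-readable findings, services first, then Run values."""
    findings = [f"service: {svc}" for svc in services if svc == SERVICE_NAME]
    for name, cmd in run_values.items():
        if name == RUN_VALUE_NAME or suspicious_path(cmd.strip('"')):
            findings.append(f"run key: {name} = {cmd}")
    return findings


# Constructed sample inventory (hypothetical host, not real telemetry).
SAMPLE_SERVICES = ["Windows Update", "Player Device Scheduler Isolation Solutions"]
SAMPLE_RUN = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "Extender Installer Play Studio": r"C:\Users\alice\AppData\Local\bcoyeajx\opnpaco.exe",
    "Updater": r"C:\Users\alice\AppData\Local\Temp\bcoyeajx\itb7f3aeybekl0b.exe",
}

if __name__ == "__main__":
    for finding in check_autostarts(SAMPLE_SERVICES, SAMPLE_RUN):
        print(finding)
```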

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • computer IP address
  • information about the operating system and system settings
  • MAC address
  • list of running services

The trojan can send the information to a remote machine.
The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used.
It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of running processes to a remote computer
  • send gathered information
  • update itself to a newer version

The trojan displays a fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.