Win32/Bayrob [Threat Name]

Win32/Bayrob.BK [Threat Variant Name]

Category trojan
Size 1601536 B
Detection created Jan 20, 2016
Detection database version 12897
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed the trojan copies itself in the following locations:

  • %installfolder%\frqjq2%variable%mlvk5atfg.exe
  • %installfolder%\gnbrvgzbgh.exe
  • %installfolder%\bbixevk.exe

The %installfolder% is one of the following strings:

  • %windir%\system32\rpitpgtroluqmvy
  • %windir%\rpitpgtroluqmvy
  • %userprofile%\Local Settings\Application Data\rpitpgtroluqmvy
  • %userprofile%\AppData\Local\rpitpgtroluqmvy
  • %temp%\rpitpgtroluqmvy
  • %temp%
  • %temp%

A string with variable content is used instead of %variable%.


The trojan registers itself as a system service using the following name:

  • Machine Tracking Audio AuthIP Health

This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Group Peer Power Layer User-mode" = "%installfolder%\gnbrvgzbgh.exe"

This causes the trojan to be executed on every system start.


The trojan may create the following files:

  • %temp%\frqjq2%variable%mlvk5atfg.exe (35328 B, Win32/MiniUPnP.C)

The file is then executed.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
    • "FirewallOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "AntiVirusOverride" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Svc]
    • "FirewallDisableNotify" = 1
    • "FirewallOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "AntiVirusOverride" = 1
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "EnableBalloonTips" = 1
  • [HKEY_USERS\%user%\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\%variable%]
    • "*" = 2

A string with variable content is used instead of %variable%.

The Security Center "Override" and "DisableNotify" values suppress the Windows Security Center warnings about a disabled firewall or antivirus; the ZoneMap entry places the chosen domain in the Trusted sites zone (zone 2) for all protocols.
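The installation paths, service name and registry values listed under Installation and in the registry entries above can be turned directly into host indicators. The following is an added example, not part of the ESET entry, that matches a constructed file listing, service list and registry dump against those indicators. The environment values in SAMPLE_ENV, the SID and all sample data are assumptions made for the example; the %variable% parts of names and the %user% part of the ZoneMap key are matched as wildcards because the real malware randomises them. The EnableBalloonTips value is left out of the indicator list because 1 is also its normal default and would match clean hosts.

```python
"""Match host artefacts against the Win32/Bayrob.BK indicators on this page.

Added example; not ESET's code. Indicators are copied from the entry, sample
data is constructed.
"""
import re

# Environment values assumed for the sample host (constructed for this example).
SAMPLE_ENV = {
    "windir": r"C:\Windows",
    "userprofile": r"C:\Users\alice",
    "temp": r"C:\Users\alice\AppData\Local\Temp",
}

# %installfolder% candidates, copied from the entry.
INSTALL_FOLDERS = [
    r"%windir%\system32\rpitpgtroluqmvy",
    r"%windir%\rpitpgtroluqmvy",
    r"%userprofile%\Local Settings\Application Data\rpitpgtroluqmvy",
    r"%userprofile%\AppData\Local\rpitpgtroluqmvy",
    r"%temp%\rpitpgtroluqmvy",
    r"%temp%",
]

# File names dropped into %installfolder%. %variable% becomes a wildcard that
# must not cross a directory separator.
INSTALL_FILE_PATTERNS = [
    r"frqjq2[^\\]*mlvk5atfg\.exe",
    r"gnbrvgzbgh\.exe",
    r"bbixevk\.exe",
]

SERVICE_NAME = "Machine Tracking Audio AuthIP Health"

# (key regex, value name, expected data) from the entry. None = any data.
HKLM_MS = r"HKEY_LOCAL_MACHINE\\Software\\Microsoft"
SC = HKLM_MS + r"\\Security Center"
SC_SVC = SC + r"\\Svc"
ZONEMAP = (r"HKEY_USERS\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion"
           r"\\Internet Settings\\ZoneMap\\Domains\\[^\\]+")
REGISTRY_INDICATORS = [
    (HKLM_MS + r"\\Windows\\CurrentVersion\\Run", "Group Peer Power Layer User-mode", None),
    (SC, "FirewallOverride", 1),
    (SC, "AntiVirusDisableNotify", 1),
    (SC, "AntiVirusOverride", 1),
    (SC_SVC, "FirewallDisableNotify", 1),
    (SC_SVC, "FirewallOverride", 1),
    (SC_SVC, "AntiVirusDisableNotify", 1),
    (SC_SVC, "AntiVirusOverride", 1),
    (ZONEMAP, "*", 2),
]


def expand(path, env):
    """Replace %windir%, %userprofile% and %temp% with the host's values."""
    for name, value in env.items():
        path = path.replace(f"%{name}%", value)
    return path


def install_path_regexes(env):
    """One anchored, case-insensitive regex per folder/file combination."""
    regexes = []
    for folder in INSTALL_FOLDERS:
        base = re.escape(expand(folder, env))
        for fname in INSTALL_FILE_PATTERNS:
            regexes.append(re.compile(rf"^{base}\\{fname}$", re.IGNORECASE))
    return regexes


def match_files(paths, env=SAMPLE_ENV):
    regexes = install_path_regexes(env)
    return [p for p in paths if any(r.match(p) for r in regexes)]


def match_services(service_names):
    return [s for s in service_names if s.lower() == SERVICE_NAME.lower()]


def match_registry(values):
    """values: iterable of (key, value name, data) as a registry dump yields."""
    hits = []
    for key, name, data in values:
        for key_re, ioc_name, ioc_data in REGISTRY_INDICATORS:
            if (re.fullmatch(key_re, key, re.IGNORECASE)
                    and name.lower() == ioc_name.lower()
                    and (ioc_data is None or data == ioc_data)):
                hits.append((key, name, data))
                break
    return hits


def triage(files, services, registry, env=SAMPLE_ENV):
    return {"files": match_files(files, env),
            "services": match_services(services),
            "registry": match_registry(registry)}


# Constructed sample data: three dropped files, the service, four registry hits.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\rpitpgtroluqmvy\frqjq2kx91mlvk5atfg.exe",
    r"C:\Users\alice\AppData\Local\rpitpgtroluqmvy\gnbrvgzbgh.exe",
    r"C:\Users\alice\AppData\Local\Temp\frqjq2kx91mlvk5atfg.exe",
    r"C:\Windows\system32\svchost.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]
SAMPLE_SERVICES = ["Dhcp", "Machine Tracking Audio AuthIP Health", "Spooler"]
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "Group Peer Power Layer User-mode",
     r"C:\Users\alice\AppData\Local\rpitpgtroluqmvy\gnbrvgzbgh.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center", "AntiVirusOverride", 1),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\Svc", "FirewallDisableNotify", 1),
    (r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion"
     r"\Internet Settings\ZoneMap\Domains\example.test", "*", 2),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_REGISTRY).items():
        print(kind, hits)
```

Feed real data in the same shapes (full paths from a directory walk, service display names, and (key, name, data) tuples from a registry export) and adjust SAMPLE_ENV to the host's actual %windir%, %userprofile% and %temp%; the Local Settings and AppData\Local folders are both listed because the malware targets Windows XP and Vista-or-later profile layouts.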


The trojan can terminate the following processes:

  • bbixevk.exe
  • firefox.exe
  • iexplore.exe
  • opera.exe
  • seamonkey.exe
  • flock.exe
  • netscape.exe
  • mozilla.exe
  • safari.exe
  • maxthon.exe
  • aolbrowser.exe
  • aoltpsd3.exe

bbixevk.exe is the name of one of the trojan's own copies (see Installation); the other names are web browser processes.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 11 URLs. It also generates further URL addresses itself.


It uses its own P2P network for communication. The TCP and HTTP protocols are used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of running processes to a remote computer
  • send gathered information
  • update itself to a newer version
  • redirect network traffic
  • modify network traffic
  • send spam
  • set up a proxy server
  • change the proxy server settings
  • capture screenshots
  • retrieve CPU information

The trojan opens some TCP ports.


The trojan can modify the following file:

  • %windir%\system32\drivers\etc\hosts
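
The entry states only that the hosts file is modified, not which names are rewritten. The following is an added example, not part of the ESET entry, of a small audit of a hosts file: it reports every name mapped to a loopback or unspecified address other than localhost (a blocked site, for instance a security vendor's update server), every name mapped to any other address (a redirect to a host the attacker controls), and any line whose address does not parse. The sample hosts content and the .test domains are constructed for the example.

```python
"""Audit a Windows hosts file for sinkholed and redirected names.

Added example; not ESET's code. Sample content is constructed.
"""
import ipaddress

# Names that legitimately point at loopback in a default hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (line number, address field, [names]) for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not body:
            continue
        fields = body.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text):
    """Return (line number, category, address, name) findings.

    'sinkholed'  - name mapped to loopback/0.0.0.0 but is not localhost
    'redirected' - name mapped to any other address
    'malformed'  - address field is not a valid IPv4/IPv6 address
    """
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "malformed", addr, " ".join(names)))
            continue
        for name in names:
            if ip.is_loopback or ip.is_unspecified:
                if name.lower() not in BENIGN_LOOPBACK_NAMES:
                    findings.append((lineno, "sinkholed", addr, name))
            else:
                findings.append((lineno, "redirected", addr, name))
    return findings


# Constructed sample: two defaults, two blocked names, one redirect, one bad line.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test      # blocks a security update server
127.0.0.1       www.example-av.test
203.0.113.10    www.example-bank.test       # sends a banking site elsewhere
300.1.1.1       bogus.test
"""

if __name__ == "__main__":
    for lineno, category, addr, name in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {category:<10} {addr:<16} {name}")
```

Run it over the contents of %windir%\system32\drivers\etc\hosts; a clean Windows hosts file yields no findings because its only active entries map localhost to 127.0.0.1 and ::1. The check deliberately does not use ipaddress's is_global, since documentation and test ranges are reported as non-global and a redirect to any non-loopback address is the point of interest here.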

The trojan keeps various information in the following files:

  • %installfolder%\run
  • %installfolder%\tst
  • %installfolder%\lck
  • %installfolder%\upd
  • %installfolder%\rng
  • %installfolder%\srv
  • %installfolder%\cli
  • %installfolder%\cfg
  • %installfolder%\por
  • %installfolder%\end0003

The trojan displays a fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.