Win32/Bayrob [Threat Name]

Win32/Bayrob.BM [Threat Variant Name]

Category trojan
Size 615936 B
Detection created Jan 25, 2016
Detection database version 12921
Aliases TrojanSpy:Win32/Nivdort.DI (Microsoft)
  TR/Taranis.2232 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %installfolder%\gplyo%variable%or72aasvsewl.exe
  • %installfolder%\vaeowykybdn.exe
  • %installfolder%\ruyrgflzuq.exe

The %installfolder% is one of the following strings:

  • %systemvolume%\fadltkaxokqy
  • %userprofile%\Local Settings\Application Data\fadltkaxokqy
  • %userprofile%\AppData\Local\fadltkaxokqy
  • %temp%\fadltkaxokqy
  • %temp%

A string with variable content is used instead of %variable%.


The trojan registers itself as a system service using the following name:

  • Networking Device Software Identity

This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Encryption Solutions Reports Information Accounts" = "%installfolder%\vaeowykybdn.exe"

This causes the trojan to be executed on every system start.
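The installation artifacts above (dropped file names under the candidate install folders, the service name and the Run value) are what an incident responder would sweep a host for. The following is an added example, not code from the original entry or from ESET: a small Python matcher that expands the page's %installfolder% and %variable% placeholders into case-insensitive patterns and checks them against a file listing, a service list and Run key entries. The concrete expansions assumed for %systemvolume%, %userprofile% and %temp% are typical Windows layouts and are assumptions, as are the sample file paths, service names and Run entries, which are constructed here for demonstration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Install folders and dropped file names exactly as listed on the page.
INSTALL_FOLDERS = [
    r"%systemvolume%\fadltkaxokqy",
    r"%userprofile%\Local Settings\Application Data\fadltkaxokqy",
    r"%userprofile%\AppData\Local\fadltkaxokqy",
    r"%temp%\fadltkaxokqy",
    r"%temp%",
]
DROPPED_FILES = [
    r"%installfolder%\gplyo%variable%or72aasvsewl.exe",
    r"%installfolder%\vaeowykybdn.exe",
    r"%installfolder%\ruyrgflzuq.exe",
]
SERVICE_NAME = "Networking Device Software Identity"
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Encryption Solutions Reports Information Accounts"

# Assumed expansions of the placeholders (typical Windows paths; adjust per host).
# %variable% is the random string the page says is used in the first file name.
TOKEN_PATTERNS = {
    "%systemvolume%": r"[a-z]:",
    "%userprofile%": r"[a-z]:\\(?:users|documents and settings)\\[^\\]+",
    "%temp%": (r"[a-z]:\\(?:users\\[^\\]+\\appdata\\local\\temp"
               r"|documents and settings\\[^\\]+\\local settings\\temp"
               r"|windows\\temp)"),
    "%variable%": r"[^\\]*",
}


def template_to_regex(template: str) -> "re.Pattern":
    """Turn a page-style path template into an anchored, case-insensitive regex."""
    parts = []
    for piece in re.split(r"(%[a-z]+%)", template):
        # Placeholders become their assumed pattern; literal text is escaped.
        parts.append(TOKEN_PATTERNS.get(piece, re.escape(piece)))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def file_patterns() -> List["re.Pattern"]:
    """All install-folder x dropped-file combinations from the page."""
    return [template_to_regex(f.replace("%installfolder%", folder))
            for folder in INSTALL_FOLDERS for f in DROPPED_FILES]


def match_paths(paths: Iterable[str]) -> List[str]:
    """Return the file paths that match one of the dropped-file templates."""
    pats = file_patterns()
    return [p for p in paths if any(r.match(p) for r in pats)]


def match_services(names: Iterable[str]) -> List[str]:
    """Return service names equal to the one the trojan registers."""
    return [n for n in names if n.strip().lower() == SERVICE_NAME.lower()]


def match_run_entries(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Flag (key, value name, data) triples by value name or by the data path."""
    pats = file_patterns()
    hits = []
    for key, name, data in entries:
        by_name = key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE_NAME.lower()
        by_path = any(r.match(data.strip('"')) for r in pats)
        if by_name or by_path:
            hits.append((key, name, data))
    return hits


def scan(files, services, run_entries) -> Dict[str, list]:
    return {"files": match_paths(files),
            "services": match_services(services),
            "run": match_run_entries(run_entries)}


# Constructed sample input (not real host data): three planted artifacts plus noise.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\fadltkaxokqy\vaeowykybdn.exe",
    r"C:\Users\alice\AppData\Local\Temp\gplyoq7zhor72aasvsewl.exe",
    r"C:\fadltkaxokqy\ruyrgflzuq.exe",
    r"C:\Program Files\Common Files\system\ole db\oledb32.dll",
    r"C:\Users\alice\AppData\Local\fadltkaxokqy\notes.txt",
]
SAMPLE_SERVICES = ["Dnscache", "Networking Device Software Identity", "Spooler"]
SAMPLE_RUN = [
    (RUN_KEY, "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (RUN_KEY, RUN_VALUE_NAME, r"C:\Users\alice\AppData\Local\fadltkaxokqy\vaeowykybdn.exe"),
]

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_RUN).items():
        print(kind, hits)
```

On a live host the three inputs would come from a directory walk of the candidate folders, the service control manager and the Run key; the matcher deliberately anchors the full path so an unrelated file that merely sits in the fadltkaxokqy folder (notes.txt above) is not reported, while the random %variable% part of the first file name still matches.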

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • computer IP address
  • information about the operating system and system settings
  • MAC address
  • list of running services

The trojan can send the information to a remote machine.


The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan generates various URL addresses. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of running processes to a remote computer
  • send gathered information
  • update itself to a newer version

The trojan displays a fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.