Win32/Bayrob [Threat Name]

Detection created: 2007-03-08
World activity peak: 2016-05-09 (7.87 %)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %installfolder%\%variable1%.exe
  • %installfolder%\%variable2%.exe
  • %installfolder%\%variable3%.exe

The %installfolder% is one of the following strings:

  • %systemvolume%\%variable4%
  • %userprofile%\Local Settings\Application Data\%variable4%
  • %userprofile%\AppData\Local\%variable4%
  • %temp%%variable4%
  • %temp%
  • %windir%
  • %windir%\system32

A string with variable content is used instead of %variable1-4%.


The trojan registers itself as a system service.


This causes the trojan to be executed on every system start.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%servicename%" = "%malwarefilepath%"

A string with variable content is used instead of %servicename%.


This causes the trojan to be executed on every system start.
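As an added example (not code from the original page or from ESET), a Python triage helper that checks Run-key values against the install-folder shapes listed above. The registry export is constructed for the example, and the patterns assume the listed environment variables expand to their usual Windows paths.

```python
import re
from typing import List, Tuple

# Install-folder shapes from the page's list. %variable4% is a name chosen at run
# time, so it is matched as one path component; %systemvolume% as a drive root.
INSTALL_DIR_PATTERNS = [
    r"^[A-Z]:\\[^\\]+$",                             # %systemvolume%\%variable4%
    r"\\Local Settings\\Application Data\\[^\\]+$",  # %userprofile%\Local Settings\Application Data\%variable4%
    r"\\AppData\\Local\\[^\\]+$",                    # %userprofile%\AppData\Local\%variable4%
    r"\\Temp[^\\]*(\\[^\\]+)?$",                     # %temp%, %temp%%variable4% (joined or as a subfolder)
    r"^[A-Z]:\\Windows(\\system32)?$",               # %windir%, %windir%\system32
]
INSTALL_DIR_RE = [re.compile(p, re.IGNORECASE) for p in INSTALL_DIR_PATTERNS]

# Constructed sample: a .reg-style export of the Run key. All names and paths are
# made up for this example; they are not indicators taken from the page.
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="\"C:\\Program Files\\Windows Defender\\MSASCuiL.exe\""
"qxwvkls"="C:\\Users\\alice\\AppData\\Local\\nfqtz\\qxwvkls.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"zmcpr"="C:\\zmcpr\\zmcpr.exe"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
EXE_RE = re.compile(r'^\s*"?([A-Z]:\\.+?\.exe)', re.IGNORECASE)

def parse_run_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, command) pairs from a .reg export, undoing .reg escaping."""
    values = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values.append((m.group(1), re.sub(r'\\([\\"])', r'\1', m.group(2))))
    return values

def find_suspicious_run_entries(reg_text: str) -> List[Tuple[str, str]]:
    """Flag for review any Run value whose .exe sits in one of the folders above."""
    hits = []
    for name, command in parse_run_values(reg_text):
        m = EXE_RE.match(command)
        # Compare only the directory part; a program folder with extra nesting is not a hit.
        if m and any(r.search(m.group(1).rsplit("\\", 1)[0]) for r in INSTALL_DIR_RE):
            hits.append((name, m.group(1)))
    return hits

if __name__ == "__main__":
    for name, path in find_suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"review: {name} -> {path}")
```

Entries under a vendor folder such as Program Files or AppData\Local\Microsoft\... are not flagged because the page's folders hold the executable directly under a single variable-named directory.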

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • computer IP address
  • information about the operating system and system settings
  • MAC address
  • list of running services

The trojan can send the information to a remote machine. The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan generates various URL addresses. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of running processes to a remote computer
  • send gathered information
  • update itself to a newer version

The trojan displays a fake error message:

Threat Variants with Description

Threat Variant Name   Date Added   Threat Type
Win32/Bayrob.BM       2016-01-25   trojan
Win32/Bayrob.BK       2016-01-20   trojan
Win32/Bayrob.BA       2016-01-12   trojan
Win32/Bayrob.AQ       2015-12-23   trojan
Win32/Bayrob.Y        2015-05-21   trojan
Win32/Bayrob.H        2011-07-26   trojan
Win32/Bayrob.D        2007-10-24   trojan