Win32/Bedep [Threat Name] go to Threat

Win32/Bedep.D [Threat Variant Name]

Category trojan
Size 237568 B
Detection created May 07, 2015
Detection database version 11594
Aliases Backdoor.Win32.Bedep.cvd (Kaspersky)
  Backdoor:Win32/Bedep.A (Microsoft)
  TR/Bedep.237568 (Avira)
Short description

Win32/Bedep.D is a trojan which tries to download other malware from the Internet. It can be controlled remotely. The trojan is usually a part of other malware.

Installation

The trojan may create the following files:

  • %commonappdata%\­{%variable1%}\­%filename%.dll (237568 B, Win32/Bedep.D)

The %filename% is one of the following strings:

  • acproxy
  • actxprxy
  • advpack
  • amstream
  • apphelp
  • appmgr
  • atidemgy
  • atl
  • blbEvents
  • brdgcfg
  • browser
  • bthci
  • certmgr
  • clfsw32
  • cmcfg32
  • cmpbk32
  • cnvfat
  • crypt32
  • csrsrv
  • d3d10
  • d3d10core
  • d3d11
  • d3d11ref
  • dbghelp
  • dbnmpntw
  • ddraw
  • ddrawex
  • devmgr
  • dhcpcsvc
  • dispex
  • Display
  • dps
  • esent
  • FntCache
  • framebuf
  • fwcfg
  • gameux
  • getuname
  • hal
  • hid
  • hlink
  • icmp
  • ieapfltr
  • ifsdrives
  • imagehlp
  • imgutil
  • input
  • ipsecsnp
  • kdcom
  • keyiso
  • keymgr
  • ksuser
  • ListSvc
  • localui
  • lsmproxy
  • mciwave
  • md
  • mf
  • mmsys
  • mpr
  • msoeacct
  • msvcirt
  • msvcp60
  • msxml3
  • mydocs
  • ndishc
  • neth
  • ntlanman
  • opengl32
  • p2pcollab
  • PeerDistSvc
  • perftrack
  • pngfilt
  • powercpl
  • prnntfy
  • propsys
  • provsvc
  • Query
  • qwave
  • rasadhlp
  • rasser
  • rdpcore
  • rdpencom
  • recovery
  • rtm
  • scksp
  • secproc
  • Sens
  • shdocvw
  • shsetup
  • softpub
  • spnet
  • spwizimg
  • srhelper
  • tapiui
  • tcpmon
  • thawbrkr
  • tpmcompc
  • tsmf
  • twain_32
  • ubpm
  • umpo
  • vcamp110d
  • vfcuzz
  • vfnws
  • vmstorfltres
  • vss_ps
  • wcnwiz
  • wdigest
  • wer
  • whealogr
  • winbio
  • wkscli
  • wkssvc
  • Wldap32
  • WMADMOE
  • wmdrmnet
  • WMVCORE
  • wpccpl
  • wrap_oal
  • wsdchngr
  • wshelper
  • wuapi
  • xrWCtmg2
  • xrWPpb4
  • xwizards
  • xwtpdui
  • zipfld

A string with variable content is used instead of %variable1-2% .


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Classes\­CLSID\­{%variable2%}\­InProcServer32]
    • "(Default)" = "%commonappdata%\­{%variable1%}\­%filename%.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\­Software\­Classes\­Drive\­ShellEx\­FolderExtensions\­{%variable2%}]
    • "DriveMask" = 4294967295
  • [HKEY_CURRENT_USER\­Software\­Classes\­CLSID\­{%variable2%}\­InProcServer32]
    • "(Default)" = "%commonappdata%\­{%variable1%}\­%filename%.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_CURRENT_USER\­Software\­Classes\­Drive\­ShellEx\­FolderExtensions\­{%variable2%}]
    • "DriveMask" = 4294967295

This way the trojan injects its code into specific processes.


The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The trojan may execute the following commands:

  • taskhost.exe
  • explorer.exe
  • winrshost.exe
  • conhost.exe
  • notepad.exe

The trojan creates and runs a new thread with its own code within these running processes.

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan generates various URL addresses. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • www.earthtools.org
  • www.google.com
  • www.ecb.europa.eu

The trojan hooks the following Windows APIs:

  • MessageBoxIndirectW (user32.dll)
  • MessageBoxTimeoutW (user32.dll)
  • DialogBoxIndirectParamAorW (user32.dll)
  • ExitProcess (kernel32.dll)
  • NtTerminateProcess (kernel32.dll)

The trojan may display the following fake dialog boxes:

Please enable Javascript to ensure correct displaying of this content and refresh this page.