Win32/Bhottle [Threat Name]

Win32/Bhottle.B [Threat Variant Name]

Category trojan
Size 1224704 B
Detection created Jul 01, 2015
Detection database version 11874
Aliases Trojan-Dropper.Win32.Agent.bizirz (Kaspersky)
  Trojan.MulDrop5.59021 (Dr.Web)
  TrojanDownloader:Win32/Regonid (Microsoft)
Short description

Win32/Bhottle.B is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan creates the following files:

  • %temp%\IXP%variable1%.TMP\Surface2TheNoiseSheCouldntMakeCE.exe (57344 B, Win32/Bhottle.B)
  • %temp%\IXP%variable1%.TMP\Surface2TheNoiseSheCouldntMakeCE.exe.dll (208896 B, Win32/Bhottle.A)
  • %temp%\IXP%variable1%.TMP\Surface2TheNoiseSheCouldntMakeCE.exe.dll.dll (77824 B, Win32/Bhottle.A)
  • %temp%\IXP%variable1%.TMP\3421283033 (62077 B)
  • %temp%\IXP%variable1%.TMP\COMMDING29 (55543 B)
  • %temp%\IXP%variable1%.TMP\Mittelwelle (72580 B)
  • %temp%\IXP%variable1%.TMP\TilePattern17 (40837 B)
  • %temp%\_Surface2TheNoiseSheCouldntMakeCE.exe (1627648 B)
  • %temp%\IXP%variable1%.TMP\cvx2433 (27303 B)
  • %temp%\IXP%variable1%.TMP\enrafexl (95278 B)
  • %temp%\IXP%variable1%.TMP\msdasqlr (78438 B)
  • %temp%\IXP%variable1%.TMP\pair222 (172 B)
  • %temp%\IXP%variable1%.TMP\smcrls (64954 B)
  • %temp%\IXP%variable1%.TMP\482329.dll (61440 B, Win32/Bhottle.B)
  • %system%\%variable2%.dll (208896 B, Win32/Bhottle.A)
  • %system%\%variable3%.dll (77824 B, Win32/Bhottle.A)
  • %system%\%variable4%.nls (7650 B)
  • %system%\%variable5%.nls (599 B)
  • %system%\%variable6%.nls (397 B)
  • %system%\%variable7%.nls (417 B)
  • %system%\%variable8%.nls (94214 B)
  • %system%\%variable9%.exe (45056 B, Win32/BHO.OFF)
  • %system%\%variable10%.dll (94208 B, Win32/BHO.OEA)
  • %system%\%variable11%\inf%variable11%.dat

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    • "wextract_cleanup%variable12%" = "rundll32.exe %system%\advpack.dll,DelNodeRunDLL32 "%temp%\IXP%variable1%.TMP\""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    • "RegistrationID" = %binaryvalue%

The trojan registers the file %system%\%variable10%.dll as a Browser Helper Object module in Internet Explorer.

The following Registry entries are set:

  • [HKEY_CLASSES_ROOT\CLSID\{%variable13%}]
    • "(Default)" = "Groove Folder Synchronization"
  • [HKEY_CLASSES_ROOT\CLSID\{%variable13%}\InprocServer32]
    • "(Default)" = "%system%\%variable9%.exe "
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{%variable13%}]
    • "NoExplorer" = 1

The trojan schedules a task that causes the following file to be executed repeatedly:

  • %system%\%variable9%.exe

The trojan runs the following processes:

  • %temp%\IXP%variable1%.TMP\Surface2TheNoiseSheCouldntMakeCE.exe
  • %temp%\­_Surface2TheNoiseSheCouldntMakeCE.exe (1627648 B)

A string with variable content is used instead of %variable1-13%.

The name of the file may be based on the name of an existing file or folder.


After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects sensitive information when the user browses certain web sites.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services

The following programs are affected:

  • Internet Explorer

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (41) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • redirect network traffic
  • block access to specific websites
  • send gathered information

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]
    • "IgnoreFrameApprovalCheck" = 1
    • "DisableAddonLoadTimePerformanceNotifications" = 1
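
As an added defender-side check (not part of the ESET entry), the following PowerShell audits the registry locations this description names: BHO registrations whose InprocServer32 is not a DLL or that carry NoExplorer=1, the Policies\Ext values, and the RunOnce cleanup entry for the IXP*.TMP folder. It assumes the standard HKLM\SOFTWARE BHO key and read access to HKLM and HKCR; the sample's CLSID and file names are not known here, so it matches on the traits rather than on names.

```powershell
# Added audit (not ESET code). Flags the registry traits this entry describes; the real
# sample's CLSID and file names are unknown here, so matching is on behaviour, not names.
$findings = @()

# 1. Browser Helper Objects registered for Internet Explorer (standard 64- and 32-bit keys, assumed)
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $clsid  = $key.PSChildName
        $base   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name   = (Get-ItemProperty $base -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $noExp  = (Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue).NoExplorer
        $why = @()
        # A BHO is a COM DLL; an in-proc server path ending in .exe (as listed above) is abnormal
        if ($server -and $server.Trim() -notmatch '\.dll$') { $why += "InprocServer32 is not a DLL: $server" }
        if ($noExp -eq 1) { $why += 'NoExplorer=1 (loaded by IE only, not by Explorer)' }
        # Legitimate Office installs register a BHO with this name too, so it is only supporting evidence
        if ($name -eq 'Groove Folder Synchronization' -and $why.Count) { $why += 'name mimics the Groove BHO' }
        if ($why.Count) { $findings += [pscustomobject]@{ Where = $clsid; Detail = ($why -join '; ') } }
    }
}

# 2. IE add-on policy values the entry says the trojan may set
$ext = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext'
if (Test-Path $ext) {
    $p = Get-ItemProperty $ext
    foreach ($v in 'IgnoreFrameApprovalCheck', 'DisableAddonLoadTimePerformanceNotifications') {
        if ($p.$v -eq 1) { $findings += [pscustomobject]@{ Where = $ext; Detail = "$v = 1" } }
    }
}

# 3. RunOnce cleanup entry for the IXP*.TMP extraction folder. Any IExpress package leaves the
#    same entry legitimately, so treat it as a lead to the dropped files, not as proof on its own.
$ro = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' -ErrorAction SilentlyContinue
if ($ro) {
    foreach ($prop in $ro.PSObject.Properties) {
        if ($prop.Name -like 'wextract_cleanup*' -and $prop.Value -match 'IXP\d+\.TMP') {
            $findings += [pscustomobject]@{ Where = "RunOnce\$($prop.Name)"; Detail = $prop.Value }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it in an elevated session on the suspect host; an empty table means none of the listed traits were found, not that the host is clean, since the dropped files under %temp% and %system% are not checked here.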
