Win32/Spy.Bebloh [Threat Name]

Win32/Spy.Bebloh.J [Threat Variant Name]

Category trojan
Size 297357 B
Detection created May 29, 2012
Detection database version 7179
Aliases Trojan.Win32.Bublik.akrr (Kaspersky)
  VirTool:Win32/CeeInject (Microsoft)
  Trojan.Bebloh (Symantec)
Short description

Win32/Spy.Bebloh.J is a trojan that steals sensitive information. The trojan attempts to send the gathered information to a remote machine. The file is run-time compressed using RAR SFX.

Installation

When executed, the trojan creates the following files:

  • %currentfolder%\Adobe.exe (183357 B, Win32/Spy.Bebloh.J)
  • %currentfolder%\CONLEYS_Modekontor_GmbH.pdf (23 B)

The trojan executes the following files:

  • %currentfolder%\Adobe.exe (183357 B, Win32/Spy.Bebloh.J)

The trojan creates copies of the following files (source, destination):

  • %currentfolder%\Adobe.exe, %system%\%prefix%%variable%%suffix%.exe

The %prefix% is one of the following strings:

  • def
  • dns
  • mem
  • video
  • win

The %suffix% is one of the following strings:

  • exec
  • hlp
  • logon
  • mixer
  • mon
  • pack
  • play
  • setup
  • srv
  • user

A string with variable content is used instead of %variable%.


In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "userinit.exe, %prefix%%variable%%suffix%.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
    • "Debugger" = "%system%\%prefix%%variable%%suffix%.exe"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%prefix%%variable%%suffix%.exe" = "%system%\%prefix%%variable%%suffix%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%prefix%%variable%%suffix%.exe" = "%system%\%prefix%%variable%%suffix%.exe"

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1609" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    • "1609" = 0
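
As an added example (not part of the ESET description above), the following Python code checks a host for the persistence artifacts listed in this section: the Winlogon "Userinit" value, the Image File Execution Options "Debugger" entry for userinit.exe, the Internet zone value 1609, and %system% file names that fit the %prefix%%variable%%suffix%.exe scheme. The check functions take plain values, so they run on any platform against the constructed sample snapshots; on Windows the `read_live_snapshot()` helper feeds them from the live registry. The helper, the snapshot dictionaries and the file name winabcmon.exe are assumptions made for the example, not values from the report.

```python
import os
import re
import sys

# Naming scheme from the report: %prefix%%variable%%suffix%.exe copied into %system%.
PREFIXES = ("def", "dns", "mem", "video", "win")
SUFFIXES = ("exec", "hlp", "logon", "mixer", "mon", "pack", "play", "setup", "srv", "user")
DROPPER_NAME_RE = re.compile(
    r"^(?:" + "|".join(PREFIXES) + r").*(?:" + "|".join(SUFFIXES) + r")\.exe$",
    re.IGNORECASE,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].strip().lower()


def matches_dropper_name(filename: str) -> bool:
    """True if the name fits the prefix/suffix scheme. Weak on its own: the
    legitimate winlogon.exe also matches (win + logon), so correlate the name
    with the registry findings instead of alerting on it alone."""
    return bool(DROPPER_NAME_RE.match(filename.strip()))


def userinit_extras(userinit_value: str) -> list:
    """Programs listed in Winlogon\\Userinit besides userinit.exe itself.
    A clean value is 'C:\\Windows\\system32\\userinit.exe,' (trailing comma)."""
    return [
        entry.strip()
        for entry in userinit_value.split(",")
        if entry.strip() and _basename(entry) != "userinit.exe"
    ]


def ifeo_debugger_set(debugger_value) -> bool:
    """An IFEO 'Debugger' value under userinit.exe is not present on a clean
    system; any value means another binary is started in its place."""
    return bool(debugger_value and str(debugger_value).strip())


def mixed_content_allowed(zone3_1609) -> bool:
    """Internet Settings\\Zones\\3 value 1609 is 'Display mixed content';
    0 = allow without prompting, which is what the trojan sets."""
    return zone3_1609 == 0


def assess(snapshot: dict) -> list:
    """Combine the checks into a list of findings. `snapshot` holds registry
    values and %system% .exe names that were already read."""
    findings = []
    extras = userinit_extras(snapshot.get("winlogon_userinit", ""))
    findings += [f"Userinit launches extra program: {e}" for e in extras]
    debugger = snapshot.get("ifeo_userinit_debugger")
    if ifeo_debugger_set(debugger):
        findings.append(f"IFEO Debugger set for userinit.exe: {debugger}")
    if mixed_content_allowed(snapshot.get("zone3_1609")):
        findings.append("Internet zone value 1609 (Display mixed content) = 0")
    # High-confidence signal: a persistence target that also fits the naming scheme.
    referenced = {_basename(e) for e in extras}
    if ifeo_debugger_set(debugger):
        referenced.add(_basename(str(debugger)))
    for name in snapshot.get("system_files", []):
        if name.lower() in referenced and matches_dropper_name(name):
            findings.append(f"Persistence target fits Bebloh naming scheme: {name}")
    return findings


# Constructed sample data (not from a real system); winabcmon.exe is a made-up
# instance of %prefix%%variable%%suffix%.exe with prefix 'win' and suffix 'mon'.
SAMPLE_INFECTED = {
    "winlogon_userinit": r"C:\Windows\system32\userinit.exe, winabcmon.exe",
    "ifeo_userinit_debugger": r"C:\Windows\system32\winabcmon.exe",
    "zone3_1609": 0,
    "system_files": ["userinit.exe", "winlogon.exe", "winabcmon.exe", "notepad.exe"],
}
SAMPLE_CLEAN = {
    "winlogon_userinit": r"C:\Windows\system32\userinit.exe,",
    "ifeo_userinit_debugger": None,
    "zone3_1609": 1,
    "system_files": ["userinit.exe", "winlogon.exe", "notepad.exe"],
}


def read_live_snapshot() -> dict:
    """Windows only (assumed helper): read the same values from the live registry."""
    import winreg

    def value(hive, key, name):
        try:
            with winreg.OpenKey(hive, key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    nt = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    zones = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return {
        "winlogon_userinit": value(winreg.HKEY_LOCAL_MACHINE, nt + r"\Winlogon", "Userinit") or "",
        "ifeo_userinit_debugger": value(
            winreg.HKEY_LOCAL_MACHINE, nt + r"\Image File Execution Options\userinit.exe", "Debugger"),
        "zone3_1609": value(winreg.HKEY_CURRENT_USER, zones, "1609"),
        "system_files": [f for f in os.listdir(system32) if f.lower().endswith(".exe")],
    }


if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_INFECTED
    for line in assess(snap) or ["no Bebloh.J persistence artifacts found"]:
        print(line)
```

The name pattern deliberately counts only when the file is also referenced from Userinit or the IFEO Debugger value: on its own it matches winlogon.exe, which is legitimate in %system%, so a scanner that alerted on the name alone would fire on every machine.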

The trojan hooks the following Windows APIs:

  • closesocket (ws2_32.dll)
  • connect (ws2_32.dll)
  • CreateProcessAsUserW (advapi32.dll)
  • CreateProcessW (kernel32.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetConnectA (wininet.dll)
  • InternetConnectW (wininet.dll)
  • InternetOpenA (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • PR_DestroyPollableEvent (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Write (nspr4.dll)
  • send (ws2_32.dll)
  • ZwSetValueKey (ntdll.dll)

The trojan creates and runs a new thread with its own program code within the following processes:

  • avant.exe
  • cftp.exe
  • coreftp.exe
  • explorer.exe
  • filezilla.exe
  • firefox.exe
  • ftpte.exe
  • FTPVoyager.exe
  • iexplore.exe
  • maxthon.exe
  • mozilla.exe
  • msimn.exe
  • myie.exe
  • OUTLOOK.EXE
  • SmartFTP.exe
  • smss.exe
  • svchost.exe
  • thebat.exe
  • TOTALCMD.EXE
  • winlogon.exe
  • WinSCP.exe

The following file is deleted:

  • %currentfolder%\Adobe.exe

Information stealing

Win32/Spy.Bebloh.J is a trojan that steals sensitive information.


The trojan collects various information when a certain application is being used.


The following programs are affected:

  • Internet Explorer
  • The Bat! E-Mail Client
  • Outlook Express
  • Microsoft Outlook
  • MyIE2
  • Mozilla Firefox
  • Netscape
  • Avant Browser
  • Maxthon Browser
  • CuteFTP
  • CoreFTP
  • FileZilla
  • Total Commander
  • FTP Commander Pro
  • FTP Voyager
  • SmartFTP
  • WinSCP

The trojan collects the following information:

  • operating system version
  • FTP account information
  • e-mail addresses
  • e-mail accounts data
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • HTML forms content

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (7) URLs. The HTTP protocol is used.


It can execute the following operations:

  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • uninstall itself
  • modify network traffic
  • redirect network traffic
  • monitor network traffic
  • modify website content
  • send gathered information
  • capture screenshots
  • send the list of running processes to a remote computer

The trojan checks for Internet connectivity by trying to connect to the following servers:

  • www.google.com

The trojan blocks execution of some programs.


The following programs are affected:

  • chrome.exe
  • navigator.exe
  • opera.exe
  • safari.exe

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0]
