Win32/Spy.Bebloh [Threat Name]

Win32/Spy.Bebloh.K [Threat Variant Name]

Category trojan
Size 221184 B
Detection created Aug 06, 2013
Detection database version 10068
Aliases Trojan-Dropper.Win32.Injector.krxr (Kaspersky)
  TrojanSpy:Win32/Shiotob.B (Microsoft)
  Trojan.Bebloh (Symantec)
Short description

Win32/Spy.Bebloh.K is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself to some of the following locations:

  • %programfiles%\Windows NT\%string1%%variable%%string2%.exe
  • %appdata%\%string1%%variable%%string2%.exe

A string with variable content is used instead of %variable%.


%string1% and %string2% are each one of the following strings:

  • def
  • dns
  • exec
  • hlp
  • logon
  • mem
  • mixer
  • mon
  • pack
  • play
  • setup
  • srv
  • user
  • video
  • win

The trojan may create the following files:

  • %currentfolder%\%originalmalwarefilename%.lnk
  • %programfiles%\Windows NT\%string1%%variable%%string2%.lnk
  • %appdata%\%string1%%variable%%string2%.lnk

These are shortcuts to files of the trojan.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%currentfolder%\%originalmalwarefilename%.lnk"
    • "%string1%%variable%%string2%" = "%programfiles%\Windows NT\%string1%%variable%%string2%.lnk"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%originalmalwarefilename%" = "%currentfolder%\%originalmalwarefilename%.lnk"
    • "%string1%%variable%%string2%" = "%appdata%\%string1%%variable%%string2%.lnk"

This causes the trojan to be executed on every system start.
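The Run-key entries above share a shape a defender can check for: a Run value whose data is a .lnk shortcut in %appdata%, %programfiles%\Windows NT or the malware's original folder, with a shortcut stem equal to the value name and, for the dropped copy, a name built from the string pool listed earlier. The following Python is an added example written for this page, not code from the original description; the Run-key values it scans are constructed sample data, and the scoring threshold is an assumption.

```python
from pathlib import PureWindowsPath

# %string1% / %string2% pool quoted in the description above
BEBLOH_STRINGS = {"def", "dns", "exec", "hlp", "logon", "mem", "mixer", "mon",
                  "pack", "play", "setup", "srv", "user", "video", "win"}

# Constructed sample Run-key values (name, data); not data from a real host
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("dnsb4k2srv", r"C:\Users\alice\AppData\Roaming\dnsb4k2srv.lnk"),
    ("invoice_2013", r"C:\Users\alice\Downloads\invoice_2013.lnk"),
]


def matches_name_pattern(name: str) -> bool:
    """True if name is <string1><variable><string2> with both ends from the pool."""
    low = name.lower()
    return any(low.startswith(s1) and low.endswith(s2) and len(low) > len(s1) + len(s2)
               for s1 in BEBLOH_STRINGS for s2 in BEBLOH_STRINGS)


def classify_run_entry(name: str, data: str) -> list:
    """Return the indicators a Run value shares with the persistence described; [] if none."""
    reasons = []
    target = PureWindowsPath(data.strip().strip('"'))
    if target.suffix.lower() != ".lnk":
        return reasons          # every Run entry in the description points at a shortcut
    reasons.append("Run value launches a .lnk shortcut")
    if target.stem.lower() == name.lower():
        reasons.append("shortcut stem equals the value name")
    parent = str(target.parent).lower()
    if (parent.endswith("\\windows nt") or "\\appdata\\roaming" in parent
            or parent.startswith("%appdata%")):
        reasons.append("shortcut stored in a drop location used by the trojan")
    if matches_name_pattern(name):
        reasons.append("value name follows <string1><variable><string2>")
    return reasons


def suspicious_entries(entries, min_reasons: int = 3) -> list:
    """Names of Run values with at least min_reasons indicators (threshold is an assumption)."""
    return [name for name, data in entries
            if len(classify_run_entry(name, data)) >= min_reasons]


if __name__ == "__main__":
    for name, data in SAMPLE_RUN_ENTRIES:
        print(name, classify_run_entry(name, data))
    print("suspicious:", suspicious_entries(SAMPLE_RUN_ENTRIES))
```

On a live host the same functions can be fed the (name, data) pairs read from both Run keys named above with the standard winreg module.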


The trojan hooks the following Windows APIs:

  • closesocket (wsock32.dll)
  • connect (wsock32.dll)
  • send (wsock32.dll)
  • InternetReadFile (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpOpenRequestA (wininet.dll)
  • HttpOpenRequestW (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetReadFileExA (wininet.dll)
  • InternetReadFileExW (wininet.dll)
  • HttpQueryInfoA (wininet.dll)
  • HttpQueryInfoW (wininet.dll)
  • PR_Write (nspr4.dll)
  • PR_Read (nspr4.dll)
  • PR_Close (nspr4.dll)

The trojan creates and runs a new thread with its own program code within the following processes:

  • avant.exe
  • cftp.exe
  • chrome.exe
  • coreftp.exe
  • explorer.exe
  • filezilla.exe
  • firefox.exe
  • ftpte.exe
  • FTPVoyager.exe
  • iexplore.exe
  • maxthon.exe
  • mozilla.exe
  • msimn.exe
  • myie.exe
  • opera.exe
  • OUTLOOK.EXE
  • SmartFTP.exe
  • thebat.exe
  • TOTALCMD.EXE
  • WinSCP.exe

The trojan quits immediately if it is run within a debugger.

Information stealing

Win32/Spy.Bebloh.K is a trojan that steals sensitive information.


The trojan collects various information when a certain application is being used.


The following programs are affected:

  • Avant Browser
  • CoreFTP
  • CuteFTP
  • FileZilla
  • FTP Voyager
  • Google Chrome
  • Internet Explorer
  • Maxthon Browser
  • Microsoft Outlook
  • Mozilla Firefox
  • MyIE2
  • Netscape
  • Opera
  • Outlook Express
  • SmartFTP
  • The Bat! E-Mail Client
  • Total Commander
  • WinSCP

The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • HTML forms content
  • e-mail addresses
  • e-mail accounts data
  • operating system version
  • FTP account information

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The trojan generates various URL addresses. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • monitor network traffic
  • modify the content of websites
  • capture screenshots
  • send gathered information

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\%variable%]
  • [HKEY_CURRENT_USER\SOFTWARE\%variable%]

A string with variable content is used instead of %variable%.
