Win32/Spy.Bebloh [Threat Name] go to Threat

Win32/Spy.Bebloh.O [Threat Variant Name]

Category trojan
Size 184352 B
Detection created Oct 24, 2016
Detection database version 14328
Aliases Trojan.Win32.Inject.acbmp (Kaspersky)
  Trojan.DownLoader23.15820 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %programfiles%\­Windows NT\­%variable1%%variable2%%variable3%.exe
  • %appdata%\­%variable1%%variable2%%variable3%.exe

The trojan may create the following files:

  • %programfiles%\­Windows NT\­%variable1%%variable2%%variable3%.lnk
  • %appdata%\­%variable1%%variable2%%variable3%.lnk

These are shortcuts to files of the trojan .


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable1%%variable2%%variable3%" = "%programfiles%\­Windows NT\­%variable1%%variable2%%variable3%.lnk"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run\­
    • "%variable1%%variable2%%variable3%" = "%appdata%\­%variable1%%variable2%%variable3%.lnk"

This causes the trojan to be executed on every system start.


The %variable1% is one of the following strings:

  • win
  • video
  • def
  • mem
  • win
  • dns
  • user
  • logon
  • hlp
  • mixer
  • pack
  • mon
  • srv
  • exec
  • play

A string with variable content is used instead of %variable2% .


The %variable3% is one of the following strings:

  • (empty string)
  • win
  • video
  • def
  • mem
  • win
  • dns
  • user
  • logon
  • hlp
  • mixer
  • pack
  • mon
  • srv
  • exec
  • play

The trojan launches the following processes:

  • %originalmalwarefilepath%
  • %windir%\­explorer.exe
  • %windir%\­SysWOW64\­explorer.exe
  • %programfiles%\­Internet Explorer\­iexplore.exe

The trojan creates and runs a new thread with its own code within these running processes.


The trojan terminates its execution if it detects that it's running in a specific virtual environment.


Trojan quits immediately if it detects loaded module within its own process containing one of the following strings in its name:

  • sbiedll.dll

The trojan quits immediately if it is run within a debugger.


The trojan quits immediately if the executable file path contains one of the following strings:

  • SANDBOX
  • VIRUS
  • SAMPLE

After the installation is complete, the trojan deletes the original executable file.

Information stealing

The trojan collects the following information:

  • computer IP address
  • language settings
  • proxy server settings
  • information about the operating system and system settings

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The trojan generates various URL addresses. The HTTPS protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • create Registry entries
  • update itself to a newer version
  • stop itself for a certain time period

The trojan keeps various information in the following Registry keys:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­%variable%]
  • [HKEY_CURRENT_USER\­SOFTWARE\­%variable%]

A string with variable content is used instead of %variable% .

Please enable Javascript to ensure correct displaying of this content and refresh this page.