Win32/Spy.Hesperbot [Threat Name] go to Threat

Win32/Spy.Hesperbot.A [Threat Variant Name]

Category trojan
Size 347648 B
Detection created Aug 21, 2013
Detection database version 8713
Short description

The trojan serves as a backdoor. It can be controlled remotely.


When executed the trojan copies itself in the following locations:

  • %windir%\­%variable1%.exe
  • %windir%\­%variable2\­%variable1%.exe
  • %commonappdata%\­%variable1%.exe
  • %commonappdata%\­%variable2\­%variable1%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%windir%\­%variable1%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%windir%\­%variable1%.exe"

The trojan may create the following files:

  • %commonappdata%\­%variable1%\­%variable2%.dat
  • %commonappdata%\­Sun\­%variable2%.bkp

A string with variable content is used instead of %variable1-3% .

The trojan creates and runs a new thread with its own program code in all running processes.

Information stealing

Win32/Spy.Hesperbot.A is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • computer IP address
  • external IP address of the network device
  • hardware information

The trojan collects sensitive information when the user browses certain web sites.

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Opera
  • Apple Safari
  • Yandex Browser
  • SeaMonkey
  • K-Meleon
  • Maxthon
  • Avant Browser
  • Sleipnir
  • Deepnet Explorer

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL address. The HTTPS protocol is used in the communication.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • monitor network traffic
  • modify network traffic
  • capture video of the user's desktop
  • capture screenshots
  • set up a proxy server
  • log keystrokes
  • set up a remote control server

The trojan hooks the following Windows APIs:

  • WSPCloseSocket (mswsock.dll)
  • WSPConnect (mswsock.dll)
  • WSPIoctl (mswsock.dll)
  • WSPSocket (mswsock.dll)
  • CertVerifyCertificateChainPolicy (crypt32.dll)
  • CertGetCertificateChain (crypt32.dll)
  • CERT_VerifyCertificate (nss3.dll)
  • CERT_VerifyCert (nss3.dll)
  • CERT_VerifyCertificateNow (nss3.dll)
  • CERT_VerifyCertNow (nss3.dll)
  • CERT_VerifyCertName (nss3.dll)
  • GetMessagePos (user32.dll)
  • GetCursorPos (user32.dll)
  • SetCursorPos (user32.dll)
  • SetCapture (user32.dll)
  • ReleaseCapture (user32.dll)
  • GetCapture (user32.dll)
  • GetMessageA (user32.dll)
  • GetMessageW (user32.dll)
  • PeekMessageA (user32.dll)
  • PeekMessageW (user32.dll)
  • OpenDesktopA (user32.dll)
  • OpenDesktopW (user32.dll)
  • OpenInputDesktop (user32.dll)
  • SwitchDesktop (user32.dll)
  • GetDC (user32.dll)
  • GetDCEx (user32.dll)
  • GetDCOrgEx (user32.dll)
  • GetWindowDC (user32.dll)
  • WindowFromDC (user32.dll)
  • ReleaseDC (user32.dll)
  • BeginPaint (user32.dll)
  • EndPaint (user32.dll)
  • GetUpdateRect (user32.dll)
  • GetUpdateRgn (user32.dll)
  • SetDIBitsToDevice (user32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.