Win32/Spy.Ranbyus [Threat Name]

Win32/Spy.Ranbyus.B [Threat Variant Name]

Category trojan
Size 91648 B
Detection created Sep 30, 2010
Detection database version 5493
Aliases Trojan-Spy.Win32.Zbot.asjp (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
  Trojan.Zbot!gen9 (Symantec)
Short description

Win32/Spy.Ranbyus.B is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\sysrec32.exe

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "System Profiling" = "%system%\sysrec32.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Sys.Profile"

The trojan injects its own code into the following processes and executes it in a new thread:

  • cbmain.ex
  • client32.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • java.exe
  • javaw.exe
  • opera.exe
  • putty.exe
  • svchost.exe
  • translink.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Spy.Ranbyus.B is a trojan that steals sensitive information.


The trojan collects information used to access the following site:

  • http://ibank.alfabank.ru

The trojan collects various information when Western Union Translink is being used.


The trojan can send the information to a remote machine.

Other information

The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).


The trojan connects to the following addresses:

  • http://mirevil.in

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • shut down/restart the computer
  • delete cookies

The following information is collected:

  • computer name
  • volume serial number

The trojan may create the following files:

  • %temp%\tmp%variable%.$$$

A string with variable content is used instead of %variable%.


The trojan can delete cookies.


The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%system%\svchost.exe" = "%system%\svchost.exe:*:Enabled:System Profiling"
  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%windir%\explorer.exe" = "%windir%\explorer.exe:*:Enabled:System Profiling"

These entries add svchost.exe and explorer.exe (the processes the trojan injects into) to the Windows Firewall exception list under the display name "System Profiling", so the injected code can communicate without a firewall prompt.
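The following host-triage script is an added example, not ESET's code or part of this page's original content. It checks a Windows host for the artefacts described in the Installation and Other information sections above (the dropped %system%\sysrec32.exe, the "System Profiling" Run value, the "Sys.Profile" Winlogon value, the "System Profiling" firewall exceptions and the %temp%\tmp*.$$$ files). The indicator values are taken from this page; the variable names, the output format and the assumption that %system% resolves to %SystemRoot%\System32 are mine.

```powershell
# Added triage script (not ESET's). Checks for the Win32/Spy.Ranbyus.B
# artefacts listed on this page. Run from an elevated PowerShell prompt.

# Assumption: %system% on the page means %SystemRoot%\System32.
$system  = Join-Path $env:SystemRoot 'System32'
$dropper = Join-Path $system 'sysrec32.exe'

$findings = @()

# 1. Dropped copy of the trojan in %system%.
if (Test-Path -LiteralPath $dropper) {
    $findings += "File present: $dropper"
}

# 2. Autostart via the per-user Policies\Explorer\Run key, a location that
#    some autorun viewers skip, with the value name "System Profiling".
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['System Profiling']) {
    $findings += "Run value: $runKey\System Profiling = $($run.'System Profiling')"
}

# 3. Marker value under the per-user Winlogon key.
$winlogonKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wl = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
if ($wl -and $wl.PSObject.Properties['Sys.Profile']) {
    $findings += "Winlogon value: $winlogonKey\Sys.Profile"
}

# 4. Windows Firewall application exceptions. Each value has the form
#    "<path>:<scope>:<Enabled|Disabled>:<display name>"; the trojan registers
#    svchost.exe and explorer.exe under the display name "System Profiling".
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw) {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $fw.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip PowerShell's own note properties
        $fields = [string]$p.Value -split ':'          # the drive letter contributes an extra ':' so use the last field
        if ($fields.Count -ge 4 -and $fields[-1] -eq 'System Profiling') {
            $findings += "Firewall exception: $($p.Name) -> $($p.Value)"
        }
    }
}

# 5. Temporary files matching the %temp%\tmp%variable%.$$$ pattern.
Get-ChildItem -Path $env:TEMP -Filter 'tmp*.$$$' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Temp artefact: $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Spy.Ranbyus.B artefacts found.'
} else {
    Write-Output 'Possible Win32/Spy.Ranbyus.B artefacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Two caveats when using this: the AuthorizedApplications\List key is the store of the Windows XP/Server 2003-era firewall, so on later Windows versions the values may be present without being enforced, and a match on the registry values alone is evidence of the installation step, not proof that the injected thread is still running in the listed processes.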
