Win32/Spy.Ranbyus [Threat Name]

Win32/Spy.Ranbyus.I [Threat Variant Name]

Category trojan
Size 137728 B
Detection created Sep 03, 2012
Detection database version 10371
Aliases TrojanSpy:Win32/Ranbyus.G (Microsoft)
  Win32:Ranbyus-L (Avast)
Short description

Win32/Spy.Ranbyus.I is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself to the following locations:

  • %windir%\system32\BTHMHfEdbhiEIa.exe
  • %temp%\BTHMHfEdbhiEIa.exe
  • %windir%\system32\ZcwpkUlThhkCuYVZkD.exe
  • %temp%\ZcwpkUlThhkCuYVZkD.exe

The following Registry entries are set (the two Run entries provide persistence; EnableLUA = 0 disables User Account Control, taking effect at the next reboot):

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "yHFzmSmZujKRFlDJeCDwJpcJXP" = "%malwarefilepath%"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "yHFzmSmZujKRFlDJeCDwJpcJXP" = "%malwarefilepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "EnableLUA" = 0
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "SysDebug32" = %data%

After the installation is complete, the trojan deletes the original executable file.
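The registry changes above are what a responder would look for in a registry export taken from a suspect host. The following Python triage script is an added example, not ESET's tooling: it parses a constructed .reg excerpt shaped like the entries listed (the benign OneDrive entry, the concrete file paths, the hex payload and the Winlogon allowlist are assumptions) and flags the Policies\Explorer\Run persistence, the duplicated autorun name, the disabled UAC setting and the unexpected Winlogon value.

```python
"""Triage a .reg export for the persistence and UAC indicators described above (added example)."""
import re
from typing import Iterator, List, Tuple

# Constructed .reg excerpt (not taken from the page): one benign Run entry mixed with
# entries shaped like those this variant writes. Paths and hex data are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"yHFzmSmZujKRFlDJeCDwJpcJXP"="C:\\Windows\\system32\\BTHMHfEdbhiEIa.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"yHFzmSmZujKRFlDJeCDwJpcJXP"="C:\\Windows\\system32\\BTHMHfEdbhiEIa.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"SysDebug32"=hex:4d,5a,90,00,03,00,00,00
"""

RUN = r"\currentversion\run"
POLICY_RUN = r"\currentversion\policies\explorer\run"
POLICY_SYSTEM = r"\currentversion\policies\system"
WINLOGON = r"\windows nt\currentversion\winlogon"
# Value names normally present under HKCU Winlogon (assumption: tune for your environment).
WINLOGON_ALLOW = {"shell", "userinit", "autorestartshell", "parseautoexec",
                  "excludeprofiledirs", "buildnumber"}


def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, raw_value) triples from .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                yield key, m.group(1), m.group(2)


def triage(reg_text: str) -> List[str]:
    """Return human-readable findings for the indicators this variant leaves behind."""
    entries = list(parse_reg(reg_text))
    policy_run_names = {name for key, name, _ in entries if key.lower().endswith(POLICY_RUN)}
    findings: List[str] = []
    for key, name, raw in entries:
        k, v = key.lower(), raw.lower()
        if k.endswith(POLICY_RUN):
            # Policies\Explorer\Run is honoured by Explorer but is rarely populated on clean systems.
            findings.append(f"persistence via Policies\\Explorer\\Run: {name} = {raw}")
        elif k.endswith(RUN):
            if name in policy_run_names:
                findings.append(f"autorun name duplicated in Run and Policies\\Explorer\\Run: {name}")
            if r"\\temp\\" in v:
                findings.append(f"autorun launches from a Temp directory: {name} = {raw}")
            elif r"\\system32\\" in v:
                findings.append(f"user autorun points into system32, verify the file is a known system binary: {name} = {raw}")
        elif k.endswith(POLICY_SYSTEM) and name.lower() == "enablelua" and v == "dword:00000000":
            findings.append("User Account Control disabled: EnableLUA = 0")
        elif k.endswith(WINLOGON) and name.lower() not in WINLOGON_ALLOW:
            findings.append(f"unexpected Winlogon value: {name} = {raw[:48]}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print(finding)
```

On a live host the same logic can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion hkcu.reg` and the corresponding HKLM and Winlogon keys; the Winlogon allowlist is deliberately short so that any value a baseline does not explain, such as SysDebug32 here, is surfaced for review.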

Information stealing

The trojan collects information from the following applications (web browsers, Java, PuTTY and several banking and payment clients):

  • firefox.exe
  • iexplore.exe
  • opera.exe
  • safari.exe
  • java.exe
  • javaw.exe
  • putty.exe
  • cbmain.ex
  • translink.exe
  • wclnt.exe
  • rclient.exe
  • tiny.exe
  • ip-client.exe
  • info.exe
  • webmoney.exe
  • ContactNG.exe
  • UniStream.exe
  • BBClient.exe

The trojan is able to log keystrokes.

The trojan collects sensitive information when the user browses certain web sites.

The trojan collects the following information:

  • list of running processes
  • network adapter information
  • list of disk devices and their type
  • list of files/folders on specific drive

The trojan attempts to send gathered files to a remote machine.

The trojan contains a list of 2 URLs and communicates with them over HTTP.

Other information

The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • shut down/restart the computer
  • send files to a remote computer
  • send the list of files on specific drive to a remote computer
  • capture screenshots
  • log keystrokes
  • delete files
  • delete cookies
  • uninstall itself
  • set up a proxy server

The trojan injects its own code into the following processes and runs it there in a newly created thread:

  • svchost.exe
  • explorer.exe

The trojan hooks the following Windows APIs:

  • PR_Write (nspr4.dll)
  • HttpSendRequestW (wininet.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestExA (wininet.dll)
  • InternetWriteFile (wininet.dll)
  • GetOpenFileNameW (comdlg32.dll)
  • connect (ws2_32.dll)
  • GetWindowLongW (user32.dll)
  • CreateFileA (kernel32.dll)
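The hooks listed above are the classic form-grabber placement: PR_Write is the NSPR routine Firefox writes socket data through, and HttpSendRequest*/InternetWriteFile carry Internet Explorer's request bodies, so both are reached before TLS encryption. A responder can detect such user-mode hooks by reading the first bytes of each export inside the affected browser process and checking whether they have been replaced by a jump that leaves the owning module. The Python below is an added example, not ESET's code or anything recovered from the sample; module bases, sizes, export addresses, the injected-code region and the captured prologue bytes are all constructed for the illustration.

```python
"""Detect inline (trampoline) hooks on exported functions from captured prologue bytes (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Prologue many 32-bit Win32 API exports begin with: mov edi,edi / push ebp / mov ebp,esp.
# Used as the constructed "clean image" reference below.
HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")


@dataclass
class ExportSnapshot:
    module: str
    name: str
    address: int                          # VA of the export inside the inspected process
    module_base: int
    module_size: int
    live_bytes: bytes                     # first bytes read from process memory at `address`
    disk_bytes: Optional[bytes] = None    # same bytes from the clean image, when available


def trampoline_target(addr: int, code: bytes) -> Optional[int]:
    """Return the destination of a 32-bit hook stub located at `addr`, or None if `code` is not one."""
    if len(code) >= 5 and code[0] == 0xE9:                                # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:            # push imm32 / ret
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":   # mov eax,imm32 / jmp eax
        return struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(snap: ExportSnapshot) -> Tuple[str, Optional[int]]:
    """Classify an export as ('hooked', target), ('modified', None) or ('clean', None)."""
    lo, hi = snap.module_base, snap.module_base + snap.module_size
    target = trampoline_target(snap.address, snap.live_bytes)
    # A jump leaving the owning module is the signature of a trampoline hook; a jump that stays
    # inside the module is ordinary code (internal stubs, forwarders) and is not flagged.
    if target is not None and not (lo <= target < hi):
        return "hooked", target
    if snap.disk_bytes is not None and snap.live_bytes[:len(snap.disk_bytes)] != snap.disk_bytes:
        return "modified", None   # differs from the image but decodes to no known stub
    return "clean", None


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode `jmp dst` as E9 rel32 as a hooking engine would write it at `src`."""
    rel = (dst - (src + 5) + 2**31) % 2**32 - 2**31
    return b"\xE9" + struct.pack("<i", rel)


# Constructed snapshots: addresses, sizes and the injected-code region are invented.
INJECTED_CODE = 0x00C40000   # assumed location of the trojan's code inside the browser, outside any module
SAMPLES = [
    ExportSnapshot("wininet.dll", "HttpSendRequestW", 0x76A3A1B0, 0x76A00000, 0x1F0000,
                   live_bytes=jmp_rel32(0x76A3A1B0, INJECTED_CODE) + b"\x8B\xEC",
                   disk_bytes=HOTPATCH_PROLOGUE),
    ExportSnapshot("nspr4.dll", "PR_Write", 0x10012340, 0x10000000, 0x40000,
                   live_bytes=b"\x68" + struct.pack("<I", INJECTED_CODE + 0x200) + b"\xC3\x90",
                   disk_bytes=b"\x55\x8B\xEC\x83\xEC"),
    ExportSnapshot("ws2_32.dll", "connect", 0x75C01234, 0x75C00000, 0x50000,
                   live_bytes=jmp_rel32(0x75C01234, 0x75C05000) + b"\x90\x90"),   # intra-module jump
    ExportSnapshot("kernel32.dll", "CreateFileA", 0x75E01000, 0x75E00000, 0x110000,
                   live_bytes=HOTPATCH_PROLOGUE + b"\x83\xEC\x10",
                   disk_bytes=HOTPATCH_PROLOGUE),
]


def scan(samples=SAMPLES):
    """Run check_export over every snapshot, keyed by module!export."""
    return {f"{s.module}!{s.name}": check_export(s) for s in samples}


if __name__ == "__main__":
    for fn, (verdict, target) in scan().items():
        print(f"{verdict:8s} {fn}" + (f" -> {target:#010x}" if target else ""))
```

On a real system the snapshots come from ReadProcessMemory on the suspect process and from the export table of the same DLL on disk (with relocations applied); the decoder deliberately covers only 32-bit stubs, matching this Win32 variant, and an `FF 25` indirect jmp would additionally require dereferencing the pointer slot before applying the module-range test.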

The trojan may display the following fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.