MSIL/Bepush [Threat Name]
MSIL/Bepush.A [Threat Variant Name]
Category | trojan |
Size | 3016704 B |
Aliases | TrojanDropper:MSIL/Bepush.A (Microsoft) |
Short description
MSIL/Bepush.A is a trojan which tries to download other malware from the Internet.
Installation
When executed, the trojan creates the following files:
- %commonappdata%\Extension\Extension.exe (1538560 B, MSIL/Bepush.A)
- %commonappdata%\Extension\Ionic.Zip.dll (462336 B)
- %commonappdata%\Extension\log_%variable1%.txt
- %commonappdata%\Extension\System.Data.SQLite.dll (986624 B)
- %commonappdata%\Extension\Updater.exe (5120 B, MSIL/TrojanDownloader.Small.BM)
A string with variable content is used instead of %variable1%.
The trojan executes the following files:
- %commonappdata%\Extension\Extension.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Extension" = "%commonappdata%\Extension\Extension.exe"
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL. The HTTP protocol is used.
The trojan will attempt to download several files from the Internet.
These are stored in the following locations:
- %commonappdata%\Extension\Extensions\%variable2%
The trojan may set the following Registry entries:
- [HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\%variable3%]
- "Path" = "%commonappdata%\Extension\Extensions\%variable2%"
- "Version" = "%variable4%"
- [HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\%variable3%]
- "Path" = "%commonappdata%\Extension\Extensions\%variable2%"
- "Version" = "%variable4%"
- [HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
- "%variable5%" = "%commonappdata%\Extension\Extensions\%variable5%\"
- [HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions]
- "%variable5%" = "%commonappdata%\Extension\Extensions\%variable5%\"
A string with variable content is used instead of %variable2% to %variable5%.
The following programs are terminated:
- chrome.exe
- firefox.exe
The trojan requires the Microsoft .NET Framework to run.
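The Run entry and the Chrome and Firefox extension entries listed above can be checked for in an exported HKEY_CURRENT_USER hive. The following is an added detection example, not part of the original description: it assumes %commonappdata% resolves to C:\ProgramData, and the function name, sample export, extension ID and add-on names are constructed for illustration.

```python
import re

# Assumption: %commonappdata% resolves to C:\ProgramData (Windows Vista and later).
DROP_DIR = r"c:\programdata\extension" + "\\"

# Keys named in the description, lower-cased; Chrome keys end in a variable ID.
WATCHED = re.compile(
    r"^hkey_current_user\\software\\(?:"
    r"microsoft\\windows\\currentversion\\run"
    r"|(?:wow6432node\\)?google\\chrome\\extensions\\[^\\]+"
    r"|(?:wow6432node\\)?mozilla\\firefox\\extensions)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in `reg export` text form (not taken from a real host).
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Extension"="C:\\ProgramData\\Extension\\Extension.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"

[HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\abcdefghijklmnopabcdefghijklmnop]
"Path"="C:\\ProgramData\\Extension\\Extensions\\sample.crx"
"Version"="1.0"

[HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions]
"sample@constructed.invalid"="C:\\ProgramData\\Extension\\Extensions\\sample@constructed.invalid\\"
"other@constructed.invalid"="C:\\Program Files\\Vendor\\ext\\"
'''

def find_bepush_entries(reg_text):
    """Return (key, value name, data) for string values under the watched
    keys whose data points into the trojan's drop directory."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:                       # new [key] section starts
            key = m.group(1)
            continue
        m = VAL_RE.match(line)      # only "name"="string" values are considered
        if not (m and key and WATCHED.match(key.lower())):
            continue
        # Undo .reg escaping (\\ -> \, \" -> ") before comparing paths.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if data.lower().startswith(DROP_DIR):
            hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for key, name, data in find_bepush_entries(SAMPLE_REG):
        print(f"[{key}] {name} = {data}")
```

Files written by `reg export` are UTF-16 encoded, so decode them before passing the text to the function.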