MSIL/Bepush [Threat Name] go to Threat

MSIL/Bepush.A [Threat Variant Name]

Category	trojan
Size	3016704 B
Detection created	Feb 15, 2013
Detection database version	8014
Aliases	TrojanDropper:MSIL/Bepush.A (Microsoft)

MSIL/Bepush.A is a trojan which tries to download other malware from the Internet.

When executed, the trojan creates the following files:

A string with variable content is used instead of %variable1% .

The trojan executes the following files:

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Extension" = "%commonappdata%\Extension\Extension.exe"

MSIL/Bepush.A is a trojan which tries to download other malware from the Internet.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains an URL address. The HTTP protocol is used.

The trojan will attempt to download several files from the Internet.

These are stored in the following locations:

The trojan may set the following Registry entries:

[HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\%variable3%]
- "Path" = "%commonappdata%\Extension\Extensions\%variable2%"
- "Version" = "%variable4%"
[HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\%variable3%]
- "Path" = "%commonappdata%\Extension\Extensions\%variable2%"
- "Version" = "%variable4%"
[HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
- "%variable5%" = "%commonappdata%\Extension\Extensions\%variable5%\"
[HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions]
- "%variable5%" = "%commonappdata%\Extension\Extensions\%variable5%\"

A string with variable content is used instead of %variable2-5% .

The following programs are terminated:

Trojan requires the Microsoft .NET Framework to run.