MSIL/Bepush [Threat Name]

MSIL/Bepush.A [Threat Variant Name]

Category trojan
Size 3016704 B
Aliases TrojanDropper:MSIL/Bepush.A (Microsoft)

Short description

MSIL/Bepush.A is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %commonappdata%\Extension\Extension.exe (1538560 B, MSIL/Bepush.A)
  • %commonappdata%\Extension\Ionic.Zip.dll (462336 B)
  • %commonappdata%\Extension\log_%variable1%.txt
  • %commonappdata%\Extension\System.Data.SQLite.dll (986624 B)
  • %commonappdata%\Extension\Updater.exe (5120 B, MSIL/TrojanDownloader.Small.BM)

A string with variable content is used instead of %variable1%.


The trojan executes the following files:

  • %commonappdata%\Extension\Extension.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Extension" = "%commonappdata%\Extension\Extension.exe"

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a URL address. The HTTP protocol is used.


The trojan will attempt to download several files from the Internet.


These are stored in the following locations:

  • %commonappdata%\Extension\Extensions\%variable2%

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions\%variable3%]
    • "Path" = "%commonappdata%\Extension\Extensions\%variable2%"
    • "Version" = "%variable4%"
  • [HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\%variable3%]
    • "Path" = "%commonappdata%\Extension\Extensions\%variable2%"
    • "Version" = "%variable4%"
  • [HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions]
    • "%variable5%" = "%commonappdata%\Extension\Extensions\%variable5%\"
  • [HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions]
    • "%variable5%" = "%commonappdata%\Extension\Extensions\%variable5%\"

A string with variable content is used instead of %variable2-5%.


The following programs are terminated:

  • chrome.exe
  • firefox.exe

The trojan requires the Microsoft .NET Framework to run.
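
The file and Registry artifacts listed above can be checked on a host with a short PowerShell script. This is an added example, not part of the original description; the function names Test-UnderBase and New-Finding are hypothetical, and it assumes %commonappdata% resolves to the system's CommonApplicationData folder.

```powershell
# Added example: report the MSIL/Bepush.A artifacts described on this page (current user hive only).
$base = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Extension'

function Test-UnderBase($value) {
    # True when a Registry string points into %commonappdata%\Extension (case-insensitive).
    if ($value -isnot [string]) { return $false }
    return $value.Trim('"').StartsWith("$base\", [StringComparison]::OrdinalIgnoreCase)
}

function New-Finding($type, $location, $data) {
    [pscustomobject]@{ Type = $type; Location = $location; Data = $data }
}

$findings = @(
    # 1. Files created on installation (Data column = size in bytes).
    foreach ($f in 'Extension.exe', 'Updater.exe', 'Ionic.Zip.dll', 'System.Data.SQLite.dll') {
        $p = Join-Path $base $f
        if (Test-Path -LiteralPath $p) { New-Finding 'File' $p (Get-Item -LiteralPath $p -Force).Length }
    }
    # 2. Run value "Extension" pointing into the drop folder.
    $run = Get-Item 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and (Test-UnderBase $run.GetValue('Extension'))) {
        New-Finding 'RunKey' $run.Name $run.GetValue('Extension')
    }
    # 3. Chrome extension subkeys whose "Path" value points into the drop folder.
    foreach ($root in 'HKCU:\SOFTWARE\Google\Chrome\Extensions',
                      'HKCU:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            if (Test-UnderBase $k.GetValue('Path')) {
                New-Finding 'ChromeExtension' $k.Name $k.GetValue('Path')
            }
        }
    }
    # 4. Firefox extension values whose data points into the drop folder.
    foreach ($key in 'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions',
                     'HKCU:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions') {
        $k = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            if (Test-UnderBase $k.GetValue($name)) {
                New-Finding 'FirefoxExtension' "$($k.Name)\$name" $k.GetValue($name)
            }
        }
    }
)

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No listed artifacts found.' }
```

Run it in the session of the user being checked, since every Registry entry listed is under HKEY_CURRENT_USER.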
