Win32/Bayrob [Threat Name]

Win32/Bayrob.AQ [Threat Variant Name]

Category: trojan
Size: 357376 B
Detection created: Dec 23, 2015
Detection database version: 12767
Aliases:
  • Trojan.Win32.Bayrob.rt (Kaspersky)
  • TrojanSpy:Win32/Nivdort!rfn (Microsoft)
  • Trojan.DownLoader18.18980 (Dr.Web)
  • TR/Boryab.357376.17 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to the following locations:

  • %installfolder%\fycgjo33og36pb4ygbl.exe
  • %installfolder%\hqwvnfux.exe
  • %installfolder%\aptrfweidgr.exe

The %installfolder% is one of the following strings:

  • %systemvolume%\mdvsxoyirmnniek
  • %userprofile%\Local Settings\Application Data\mdvsxoyirmnniek
  • %userprofile%\AppData\Local\mdvsxoyirmnniek
  • %temp%\mdvsxoyirmnniek
  • %temp%

The trojan registers itself as a system service using the following name:

  • SPP Manager Error BranchCache Endpoint Disk

This causes the trojan to be executed on every system start.

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Networking Cryptographic" = "%installfolder%\hqwvnfux.exe"

This causes the trojan to be executed on every system start.

Information stealing

The trojan collects the following information:

  • operating system version
  • computer name
  • computer IP address
  • information about the operating system and system settings
  • MAC address
  • list of running services

The trojan can send the information to a remote machine.

The HTTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses. The HTTP protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send the list of running processes to a remote computer
  • send gathered information
  • update itself to a newer version

The trojan displays a fake error message:

Please enable Javascript to ensure correct displaying of this content and refresh this page.