Win32/Bayrob [Threat Name]
Win32/Bayrob.AQ [Threat Variant Name]
Category | trojan |
Size | 357376 B |
Detection created | Dec 23, 2015 |
Detection database version | 12767 |
Aliases | Trojan.Win32.Bayrob.rt (Kaspersky) |
 | TrojanSpy:Win32/Nivdort!rfn (Microsoft) |
 | Trojan.DownLoader18.18980 (Dr.Web) |
 | TR/Boryab.357376.17 (Avira) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to the following locations:
- %installfolder%\fycgjo33og36pb4ygbl.exe
- %installfolder%\hqwvnfux.exe
- %installfolder%\aptrfweidgr.exe
Here %installfolder% stands for one of the following paths:
- %systemvolume%\mdvsxoyirmnniek
- %userprofile%\Local Settings\Application Data\mdvsxoyirmnniek
- %userprofile%\AppData\Local\mdvsxoyirmnniek
- %temp%\mdvsxoyirmnniek
- %temp%
The trojan registers itself as a system service using the following name:
- SPP Manager Error BranchCache Endpoint Disk
This causes the trojan to be executed on every system start.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "Networking Cryptographic" = "%installfolder%\hqwvnfux.exe"
This causes the trojan to be executed on every system start.
Information stealing
The trojan collects the following information:
- operating system version
- computer name
- computer IP address
- information about the operating system and system settings
- MAC address
- list of running services
The trojan can send the information to a remote machine.
The HTTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send the list of running processes to a remote computer
- send gathered information
- update itself to a newer version
The trojan displays a fake error message: