Win32/Bedep [Threat Name]
Win32/Bedep.D [Threat Variant Name]
Category | trojan
Size | 237568 B
Aliases | Backdoor.Win32.Bedep.cvd (Kaspersky)
        | Backdoor:Win32/Bedep.A (Microsoft)
        | TR/Bedep.237568 (Avira)
Short description
Win32/Bedep.D is a trojan that tries to download other malware from the Internet. It can be controlled remotely. The trojan is usually delivered as a component of other malware.
Installation
The trojan may create the following files:
- %commonappdata%\{%variable1%}\%filename%.dll (237568 B, Win32/Bedep.D)
The %filename% is one of the following strings:
- acproxy
- actxprxy
- advpack
- amstream
- apphelp
- appmgr
- atidemgy
- atl
- blbEvents
- brdgcfg
- browser
- bthci
- certmgr
- clfsw32
- cmcfg32
- cmpbk32
- cnvfat
- crypt32
- csrsrv
- d3d10
- d3d10core
- d3d11
- d3d11ref
- dbghelp
- dbnmpntw
- ddraw
- ddrawex
- devmgr
- dhcpcsvc
- dispex
- Display
- dps
- esent
- FntCache
- framebuf
- fwcfg
- gameux
- getuname
- hal
- hid
- hlink
- icmp
- ieapfltr
- ifsdrives
- imagehlp
- imgutil
- input
- ipsecsnp
- kdcom
- keyiso
- keymgr
- ksuser
- ListSvc
- localui
- lsmproxy
- mciwave
- md
- mf
- mmsys
- mpr
- msoeacct
- msvcirt
- msvcp60
- msxml3
- mydocs
- ndishc
- neth
- ntlanman
- opengl32
- p2pcollab
- PeerDistSvc
- perftrack
- pngfilt
- powercpl
- prnntfy
- propsys
- provsvc
- Query
- qwave
- rasadhlp
- rasser
- rdpcore
- rdpencom
- recovery
- rtm
- scksp
- secproc
- Sens
- shdocvw
- shsetup
- softpub
- spnet
- spwizimg
- srhelper
- tapiui
- tcpmon
- thawbrkr
- tpmcompc
- tsmf
- twain_32
- ubpm
- umpo
- vcamp110d
- vfcuzz
- vfnws
- vmstorfltres
- vss_ps
- wcnwiz
- wdigest
- wer
- whealogr
- winbio
- wkscli
- wkssvc
- Wldap32
- WMADMOE
- wmdrmnet
- WMVCORE
- wpccpl
- wrap_oal
- wsdchngr
- wshelper
- wuapi
- xrWCtmg2
- xrWPpb4
- xwizards
- xwtpdui
- zipfld
%variable1% and %variable2% stand for strings with variable content. Both are written in GUID braces, and %variable2% serves as the CLSID under which the DLL is registered below. Note that every %filename% above is the name of a legitimate Windows system DLL; the trojan's copy is distinguished only by its location under %commonappdata%.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{%variable2%}\InProcServer32]
- "(Default)" = "%commonappdata%\{%variable1%}\%filename%.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_LOCAL_MACHINE\Software\Classes\Drive\ShellEx\FolderExtensions\{%variable2%}]
- "DriveMask" = 4294967295
- [HKEY_CURRENT_USER\Software\Classes\CLSID\{%variable2%}\InProcServer32]
- "(Default)" = "%commonappdata%\{%variable1%}\%filename%.dll"
- "ThreadingModel" = "Apartment"
- [HKEY_CURRENT_USER\Software\Classes\Drive\ShellEx\FolderExtensions\{%variable2%}]
- "DriveMask" = 4294967295
Registering the DLL as a COM in-process server and listing its CLSID under Drive\ShellEx\FolderExtensions (with DriveMask 4294967295, i.e. 0xFFFFFFFF, every drive letter) makes the Windows shell load the DLL when it handles drives, so the trojan's code runs inside explorer.exe without a conventional autostart entry. The HKEY_CURRENT_USER variant does not require administrative rights, so the trojan persists even when installed from a standard user account.
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe
The trojan may also launch the following legitimate Windows executables:
- taskhost.exe
- explorer.exe
- winrshost.exe
- conhost.exe
- notepad.exe
It then creates and runs a new thread with its own code within these newly started processes.
Information stealing
The trojan collects the following information:
- operating system version
- information about the operating system and system settings
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet. It does not rely on a fixed server address: it generates various URL addresses itself and contacts them over HTTP, so blocking a single domain is not enough to cut it off from its operators.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- uninstall itself
The trojan checks for Internet connectivity by trying to connect to the following legitimate servers (these connections are not malicious on their own and only corroborate the file and registry artifacts above):
- www.earthtools.org
- www.google.com
- www.ecb.europa.eu
The trojan hooks the following Windows APIs in the processes it runs in; the dialog hooks give it control over message boxes shown to the user, and the ExitProcess and NtTerminateProcess hooks give it control when the host process is about to terminate:
- MessageBoxIndirectW (user32.dll)
- MessageBoxTimeoutW (user32.dll)
- DialogBoxIndirectParamAorW (user32.dll)
- ExitProcess (kernel32.dll)
- NtTerminateProcess (ntdll.dll)
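A check for the inline hooks listed above, as an added example that is not code from the original page: given the first bytes of an export (read from explorer.exe with ReadProcessMemory on a live host; that step is outside this block) and the bounds of the module that exports it, it decodes the common trampoline forms a hooking engine writes at a function entry and reports a hook when control leaves the module. The kernel32 base and size, the ExitProcess address, the hook target and the byte strings are all constructed; 32-bit addresses are assumed because the sample is a Win32 DLL.

```python
"""Classify the entry bytes of a possibly hooked export (added example, not page code)."""
import struct

MASK32 = 0xFFFFFFFF   # the sample is a Win32 DLL, so 32-bit addresses are assumed

def classify_prologue(func_va: int, code: bytes) -> dict:
    """Decode the trampoline forms an inline hook commonly leaves at a function entry."""
    if len(code) >= 5 and code[0] == 0xE9:                               # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp_rel32", "target": (func_va + 5 + rel) & MASK32}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:           # push imm32; ret
        return {"kind": "push_ret", "target": struct.unpack_from("<I", code, 1)[0]}
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return {"kind": "mov_jmp_eax", "target": struct.unpack_from("<I", code, 1)[0]}
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                       # jmp dword ptr [abs]
        return {"kind": "jmp_indirect", "target": struct.unpack_from("<I", code, 2)[0]}
    if code[:5] == b"\x8B\xFF\x55\x8B\xEC":                               # mov edi,edi; push ebp; mov ebp,esp
        return {"kind": "hotpatchable_prologue", "target": None}
    return {"kind": "other", "target": None}

def is_hooked(func_va: int, code: bytes, module_base: int, module_size: int) -> bool:
    """True when the first instruction transfers control outside the export's own module.
    For jmp [abs] the pointer slot is checked: a slot outside the module is equally foreign."""
    target = classify_prologue(func_va, code)["target"]
    return target is not None and not (module_base <= target < module_base + module_size)

def make_jmp_rel32(func_va: int, target: int) -> bytes:
    """Build the 5-byte jmp a hooking engine writes at func_va; used here to construct samples."""
    rel = ((target - func_va - 5 + 0x80000000) & MASK32) - 0x80000000   # wrap to signed 32-bit
    return b"\xE9" + struct.pack("<i", rel)

# Constructed values: an invented kernel32 mapping, ExitProcess address, and a hook target in a
# private (heap) region of explorer.exe.
KERNEL32_BASE, KERNEL32_SIZE = 0x76E00000, 0x000E0000
EXITPROCESS_VA = 0x76E2A1F0
HOOK_TARGET = 0x02A01234
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x0C"                    # normal hotpatchable entry
HOOKED_PROLOGUE = make_jmp_rel32(EXITPROCESS_VA, HOOK_TARGET) + b"\x8B\xEC\x0C"

if __name__ == "__main__":
    for label, code in (("clean", CLEAN_PROLOGUE), ("hooked", HOOKED_PROLOGUE)):
        info = classify_prologue(EXITPROCESS_VA, code)
        print(label, info["kind"], hex(info["target"] or 0),
              "HOOKED" if is_hooked(EXITPROCESS_VA, code, KERNEL32_BASE, KERNEL32_SIZE) else "ok")
```

A jump at the first byte that stays inside the module (an export forwarded to an internal thunk) is deliberately not reported; compare the bytes against the on-disk copy of the DLL as well if you want to catch relocations within the module.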
The trojan may display the following fake dialog boxes: