Win32/Bergard [Threat Name]

Win32/Bergard.A [Threat Variant Name]

Category trojan
Size 98790 B
Detection created Dec 14, 2014
Detection database version 10874
Aliases Trojan.Win32.Bergard.b (Kaspersky)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan is probably a part of other malware.

The trojan may create copies of itself using the following filenames:

  • %localappdata%\wsuservice.dll

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "wsuservice" = "rundll32.exe "%localappdata%\wsuservice.dll",start"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    • "wsuservice" = "rundll32.exe "%localappdata%\wsuservice.dll",start"

Either value causes rundll32.exe to load the DLL and call its "start" export each time the user logs on; both keys are per-user autorun locations, so no administrative rights are needed to set them.

Information stealing

The following information is collected:

  • computer name
  • information about the operating system and system settings
  • installed Microsoft Windows patches
  • manufacturer of the product/hardware
  • CPU information
  • locale
  • memory status
  • network adapter information
  • computer IP address
  • MAC address
  • list of running processes

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a URL and communicates with it over HTTP.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • execute shell commands
  • send the output of the executed program
  • send gathered information

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\/iad12s04-in-f22.%removed%.net/irwravxrc/]
    • "http" = %Trusted sites zone number%
    • "https" = %Trusted sites zone number%
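Both the Run-key persistence described under Installation and the ZoneMap entries listed above are registry writes that a host sensor records, so they can be hunted for in telemetry. The following Python is an added example and is not part of the ESET description or of the malware: it classifies constructed Sysmon Event ID 13 (RegistryEvent: value set) records, flagging the exact value name and DLL name from this page, the assignment of a host to the Trusted sites zone (zone 2), and, as a generalization of the same technique, any Run-key value that makes rundll32.exe load a DLL from a user-writable directory. The SIDs, user names and the c2.example.net host are constructed; the "DWORD (0x...)" rendering of Details is how Sysmon logs DWORD values.

```python
"""Hunt for Win32/Bergard.A persistence and ZoneMap tampering in Sysmon registry events.

Added example, not part of the ESET description: the rules encode the Run-key
values and ZoneMap\Domains entries named on the page, plus one generalisation
(any Run-key value that makes rundll32.exe load a DLL from a user-writable
directory). Records mimic Sysmon Event ID 13 (RegistryEvent: value set); the
SIDs, user names and the C2 host are constructed.
"""
import re

# Run locations named on the page. Sysmon logs HKCU as HKU\<SID>, so match on the key tail only.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|Policies\\Explorer\\Run)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
# ZoneMap\Domains\<host>\http or \https value; Details carries the zone number.
ZONEMAP_RE = re.compile(
    r"\\Internet Settings\\ZoneMap\\(?:Esc)?Domains\\(?P<domain>.+)\\(?P<scheme>https?)$",
    re.IGNORECASE,
)
# rundll32.exe "<path>.dll",<export>  (quotes around the path are optional)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)',
    re.IGNORECASE,
)
# Directories a standard user can write to; %localappdata% is where Bergard.A drops its DLL.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
TRUSTED_SITES_ZONE = 2  # URL security zones: 0 My Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted


def zone_id(details):
    """Parse Sysmon's DWORD rendering, e.g. 'DWORD (0x00000002)'; None if Details is not a DWORD."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return a list of (rule, evidence) findings for one registry value-set event."""
    target, details = event["TargetObject"], event["Details"]
    findings = []

    run = RUN_KEY_RE.search(target)
    if run:
        value_name = run.group("value")
        dll_call = RUNDLL_RE.search(details)
        dll = dll_call.group("dll") if dll_call else ""
        if value_name.lower() == "wsuservice" or dll.lower().endswith("\\wsuservice.dll"):
            # Exact indicators from the page: the value name and DLL name used by Bergard.A
            findings.append(("bergard_persistence", f"{value_name}={details}"))
        elif dll and any(d in dll.lower() for d in USER_WRITABLE):
            # Generalisation: same rundll32-from-user-writable-path technique under other names
            findings.append(("rundll32_user_writable_dll", dll))

    zm = ZONEMAP_RE.search(target)
    if zm and zone_id(details) == TRUSTED_SITES_ZONE:
        # Bergard.A adds its server to the Trusted sites zone; unexpected entries here deserve a look
        findings.append(("trusted_zone_added", f"{zm.group('scheme')}://{zm.group('domain')}"))
    return findings


def scan(events):
    """Run classify() over a sequence of events and flatten the findings."""
    return [f for ev in events for f in classify(ev)]


# Constructed Sysmon EID 13 records (not real telemetry).
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\wsuservice",
     "Details": r'rundll32.exe "C:\Users\alice\AppData\Local\wsuservice.dll",start'},
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\wsuservice",
     "Details": r'rundll32.exe "C:\Users\alice\AppData\Local\wsuservice.dll",start'},
    # Same technique, different names: caught by the generic rule
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Init"},
    # Benign autorun of an EXE under AppData: not a rundll32 DLL load, so not flagged
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Constructed C2 host placed in the Trusted sites zone (zone 2)
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\c2.example.net\http",
     "Details": "DWORD (0x00000002)"},
    # Internet zone (3) is the default and not interesting
    {"TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cdn.example.org\https",
     "Details": "DWORD (0x00000003)"},
]

if __name__ == "__main__":
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The generic rule is deliberately narrow: it fires only when rundll32.exe is the launcher and the DLL sits under a user-writable path, so ordinary autoruns of installed applications under AppData (the OneDrive record) stay quiet. Remember that in Sysmon output HKEY_CURRENT_USER appears as HKU\<SID>, which is why the patterns match on the key tail rather than the hive name.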

The trojan may create the following files:

  • %system%\wsuservice%variable%.exe
  • %system%\ProgramData\Microsoft\wsuservice%variable%.exe
  • %system%\PerfLogs\wsuservice%variable%.exe
  • %system%\ProgramData\wsuservice%variable%.exe
  • %internet%\wsuservice%variable%.exe
  • %localappdata%\wsuservice%variable%.exe
  • %commonappdata%\wsuservice%variable%.exe
  • %appdata%\wsuservice%variable%.exe
  • %templates%\wsuservice%variable%.exe
  • %commonadmintools%\wsuservice%variable%.exe
  • %temp%\wsuservice%variable%.exe
  • %currentfolder%\wsuser%variable%.scr
