Win32/Injector.BGNR [Threat Name]

Win32/Injector.BGNR [Threat Variant Name]

Category: trojan
Size: 393944 B
Aliases: Backdoor.Win32.Androm.endn (Kaspersky), VirTool:Win32/VBInject (Microsoft), Win32:VB-AIMA (Avast)
Short description

Win32/Injector.BGNR is a trojan that steals sensitive information. The trojan may redirect the user to the attacker's web sites.

Installation

When executed, the trojan copies itself into the following location:

  • %allusersprofile%\%malwarefilename%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "%malwarefilename%" = "%malwarefilename%.exe"

Other information

The trojan executes the following command:

  • ipconfig /flushdns

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    • "DhcpNameServer" = "185.1%removed%.57"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interface%]
    • "DhcpNameServer" = "185.1%removed%.57"
    • "NameServer" = "185.1%removed%.57"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters]
    • "MaxCacheTtl" = 1
    • "MaxNegativeCacheTtl" = 0
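The Tcpip resolver overrides and the Dnscache TTL values listed above are the indicators a responder would check first on a suspect host. As an added example that is not part of the ESET entry, the Python below parses a constructed .reg export and flags those values; the resolver address 203.0.113.57, the interface GUID and the trusted-resolver list are placeholders, since the entry redacts the real address.

```python
import ipaddress
import re

# Constructed .reg export for this example; 203.0.113.57 stands in for the
# redacted "185.1%removed%.57" and the interface GUID is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DhcpNameServer"="203.0.113.57"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-PLACEHOLDER}]
"DhcpNameServer"="203.0.113.57"
"NameServer"="203.0.113.57"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters]
"MaxCacheTtl"=dword:00000001
"MaxNegativeCacheTtl"=dword:00000000
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints."""
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group(1)
            tree.setdefault(key, {})
        elif VAL_RE.match(line) and key is not None:
            name, s, d = VAL_RE.match(line).groups()
            tree[key][name] = s if d is None else int(d, 16)
    return tree


def find_dns_hijack(tree, trusted_resolvers):
    """Flag resolver overrides outside the trusted set, and Dnscache TTLs
    forced low so poisoned answers are re-fetched on every lookup."""
    trusted = {ipaddress.ip_address(r) for r in trusted_resolvers}
    findings = []
    for key, values in tree.items():
        low = key.lower()
        if r"\services\tcpip\parameters" in low:
            for name in ("NameServer", "DhcpNameServer"):
                # Windows stores multiple resolvers space- or comma-separated
                for ip in filter(None, re.split(r"[ ,]+", str(values.get(name, "")))):
                    if ipaddress.ip_address(ip) not in trusted:
                        findings.append((key, name, ip))
        if low.endswith(r"\services\dnscache\parameters"):
            ttl = values.get("MaxCacheTtl")
            if isinstance(ttl, int) and ttl <= 1:
                findings.append((key, "MaxCacheTtl", ttl))
            if values.get("MaxNegativeCacheTtl") == 0:
                findings.append((key, "MaxNegativeCacheTtl", 0))
    return findings
```

On a live host the same check runs against `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters out.reg` output, with the organisation's real resolvers as the trusted list.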

The trojan may redirect the user to the attacker's web sites.
The trojan may display the following fake dialog boxes:

The trojan can terminate the following processes:

  • iexplore.exe
  • firefox.exe
  • chrome.exe

The trojan then removes itself from the computer.
