Win32/Bayrob [Threat Name]
Win32/Bayrob.Y [Threat Variant Name]
Category: trojan
Size: 356352 B
Aliases: Trojan.Bayrob.5 (Dr.Web)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself into some of the following locations:
- %systemdrive%\ksttegcuapdql\rj%variable%xg5cqh.exe
- %userprofile%\ksttegcuapdql\rj%variable%xg5cqh.exe
- %temp%\ksttegcuapdql\rj%variable%xg5cqh.exe
- %systemdrive%\ksttegcuapdql\vlnlprcsiz.exe
- %userprofile%\ksttegcuapdql\vlnlprcsiz.exe
- %temp%\ksttegcuapdql\vlnlprcsiz.exe
- %systemdrive%\ksttegcuapdql\acvswvu.exe
- %userprofile%\ksttegcuapdql\acvswvu.exe
- %temp%\ksttegcuapdql\acvswvu.exe
A string with variable content is used instead of %variable%.
The trojan registers itself as a system service using the following name:
- Installer Connectivity Store Driver
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "DNS Discovery Service Store Device" = "%malwarefolder%\vlnlprcsiz.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "DNS Discovery Service Store Device" = "%malwarefolder%\vlnlprcsiz.exe"
This causes the trojan to be executed on every system start.
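As an added defender-side check (not part of this encyclopedia entry), the following PowerShell script looks for the persistence artifacts listed above on a Windows host: the dropped folder under each base location, the service name, and the Run values in both hives. It only reports what it finds; the folder, file, service and value names are taken from this entry, and the rj*xg5cqh.exe wildcard is an assumption covering the %variable% part of the file name.

```powershell
# Added check for the Win32/Bayrob.Y persistence artifacts described above.
# Names below come from this entry; the script only reports and removes nothing.
$folderName  = 'ksttegcuapdql'
$serviceName = 'Installer Connectivity Store Driver'
$runValue    = 'DNS Discovery Service Store Device'
$fileNames   = @('vlnlprcsiz.exe', 'acvswvu.exe')   # rj<variable>xg5cqh.exe is matched by wildcard below
$findings    = @()

# 1. Dropped folder under %systemdrive%, %userprofile% and %temp%
foreach ($base in @(($env:SystemDrive + '\'), $env:USERPROFILE, $env:TEMP)) {
    $dir = Join-Path $base $folderName
    if (Test-Path -LiteralPath $dir) {
        $findings += "Folder present: $dir"
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -ErrorAction SilentlyContinue |
            Where-Object { ($_.Name -in $fileNames) -or ($_.Name -like 'rj*xg5cqh.exe') } |
            ForEach-Object { $findings += "Dropped file: $($_.FullName)" }
    }
}

# 2. Service registered under the name used by the trojan
$svc = Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq $serviceName -or $_.Name -eq $serviceName }
if ($svc) { $findings += "Service present: $($svc.Name) (DisplayName '$($svc.DisplayName)')" }

# 3. Run values in HKLM and HKCU pointing at the dropped executable
foreach ($hive in @('HKLM', 'HKCU')) {
    $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $runValue)) {
        $findings += "Run value in ${hive}: '$runValue' = $($props.$runValue)"
    }
}

if ($findings.Count -eq 0) { 'No Win32/Bayrob.Y persistence artifacts found.' } else { $findings }
```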
Information stealing
The trojan collects the following information:
- operating system version
- computer name
- computer IP address
- information about the operating system and system settings
- the path to specific folders
- list of running services
The trojan can send the information to a remote machine.
The HTTP protocol is used.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan generates various URL addresses. The HTTP protocol is used.
It can execute the following operations:
- send gathered information
- send the list of running processes to a remote computer
- download files from a remote computer and/or the Internet
- run executable files
The trojan displays a fake error message: