Win32/Spy.Bebloh [Threat Name]
Win32/Spy.Bebloh.J [Threat Variant Name]
Category | trojan
Size | 297357 B
Aliases | Trojan.Win32.Bublik.akrr (Kaspersky), VirTool:Win32/CeeInject (Microsoft), Trojan.Bebloh (Symantec)
Short description
Win32/Spy.Bebloh.J is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. The file is a RAR self-extracting archive (SFX) that unpacks and runs the trojan when executed.
Installation
When executed, the trojan creates the following files:
- %currentfolder%\Adobe.exe (183357 B, Win32/Spy.Bebloh.J)
- %currentfolder%\CONLEYS_Modekontor_GmbH.pdf (23 B)
The trojan executes the following files:
- %currentfolder%\Adobe.exe (183357 B, Win32/Spy.Bebloh.J)
The trojan creates copies of the following files (source, destination):
- %currentfolder%\Adobe.exe, %system%\%prefix%%variable%%suffix%.exe
The %prefix% is one of the following strings:
- def
- dns
- mem
- video
- win
The %suffix% is one of the following strings:
- exec
- hlp
- logon
- mixer
- mon
- pack
- play
- setup
- srv
- user
A string with variable content is used instead of %variable%.
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Userinit" = "userinit.exe, %prefix%%variable%%suffix%.exe"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
- "Debugger" = "%system%\%prefix%%variable%%suffix%.exe"
The Debugger value under Image File Execution Options makes Windows start the named program in place of userinit.exe (with the original command line appended) whenever userinit.exe is launched, so the trojan still runs at every interactive logon even if the Userinit value is restored.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "%prefix%%variable%%suffix%.exe" = "%system%\%prefix%%variable%%suffix%.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%prefix%%variable%%suffix%.exe" = "%system%\%prefix%%variable%%suffix%.exe"
The following Registry entries are set:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1609" = 0
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
- "1609" = 0
Zone 3 is the Internet zone and value 1609 is its "Display mixed content" policy; 0 means allow, so Internet Explorer no longer prompts when an HTTPS page loads content over plain HTTP.
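The installation and persistence details above (the prefix/suffix file name scheme, the Winlogon Userinit and IFEO Debugger entries, the optional Run keys and the zone 3 mixed-content policy) translate directly into a triage check. The Python below is an added illustration, not ESET's detection logic or any tool from the original page. It assumes registry data has already been parsed into (key, value name, data) triples, for example from a .reg export or an offline hive dump; the sample entries and the file names winqa7setup.exe, memk3hlp.exe and videomixer.exe are constructed to fit the scheme and are not indicators from the description.

```python
import re
from typing import Iterable, List, Tuple

# Dropped-copy naming scheme from the description: %prefix%%variable%%suffix%.exe
PREFIXES = ("def", "dns", "mem", "video", "win")
SUFFIXES = ("exec", "hlp", "logon", "mixer", "mon", "pack", "play", "setup", "srv", "user")
NAME_RE = re.compile(
    r"^(?:%s)[0-9a-z]*(?:%s)\.exe$" % ("|".join(PREFIXES), "|".join(SUFFIXES)), re.IGNORECASE
)
# Legitimate %system% binaries that happen to fit the scheme (win + logon). The naming
# deliberately imitates system files, so every hit still needs a signature or hash check.
KNOWN_GOOD = {"winlogon.exe"}

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO_USERINIT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\Image File Execution Options\userinit.exe")
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
ZONE3_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\internet settings\zones\3",
    r"hkey_current_user\software\microsoft\windows\currentversion\internet settings\zones\3",
}


def suspicious_name(path: str) -> bool:
    """True if the file-name part of `path` fits the prefix/suffix scheme and is not known good."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].strip('" ').lower()
    return name not in KNOWN_GOOD and NAME_RE.match(name) is not None


def check_registry(entries: Iterable[Tuple[str, str, object]]) -> List[Tuple[str, str]]:
    """entries: (key, value_name, data) triples, e.g. parsed from a .reg export or hive dump."""
    findings = []
    for key, name, data in entries:
        k, n, d = key.lower(), name.lower(), str(data).strip()
        if k == WINLOGON.lower() and n == "userinit":
            # Default is a single userinit.exe entry with a trailing comma; extra entries are appended loaders.
            parts = [p.strip() for p in d.split(",") if p.strip()]
            if len(parts) != 1 or not parts[0].lower().endswith("userinit.exe"):
                findings.append(("winlogon_userinit", d))
        elif k == IFEO_USERINIT.lower() and n == "debugger":
            # A Debugger value on userinit.exe has no legitimate use outside a developer's machine.
            findings.append(("ifeo_userinit_debugger", d))
        elif k in RUN_KEYS and (suspicious_name(name) or suspicious_name(d)):
            findings.append(("run_key", d))
        elif k in ZONE3_KEYS and n == "1609" and d.lower() in ("0", "0x0", "0x00000000", "dword:00000000"):
            findings.append(("zone3_mixed_content_allowed", d))
    return findings


def scan_system_dir(file_names: Iterable[str]) -> List[str]:
    """Names under %system% (e.g. from os.listdir) that fit the scheme; verify hits by Authenticode or hash."""
    return sorted(n for n in file_names if suspicious_name(n))


# Constructed sample data (not indicators from the description).
SAMPLE_ENTRIES = [
    (WINLOGON, "Userinit", r"C:\Windows\system32\userinit.exe,"),  # clean default
    (WINLOGON, "Userinit", r"userinit.exe, winqa7setup.exe"),        # shape the trojan leaves behind
    (IFEO_USERINIT, "Debugger", r"C:\Windows\system32\winqa7setup.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "memk3hlp.exe",
     r"C:\Windows\system32\memk3hlp.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", "1609", 0),
]
SAMPLE_SYSTEM_DIR = ["winlogon.exe", "dnsapi.dll", "winqa7setup.exe", "memk3hlp.exe", "videomixer.exe", "kernel32.dll"]

if __name__ == "__main__":
    for kind, data in check_registry(SAMPLE_ENTRIES):
        print(f"{kind}: {data}")
    print("files:", scan_system_dir(SAMPLE_SYSTEM_DIR))
```

The name pattern alone is a weak signal because it was chosen to resemble system binaries (winlogon.exe fits it exactly), so the registry findings, above all the IFEO Debugger on userinit.exe, are the ones to act on first; file-name hits should be confirmed by signature or hash before anything is removed.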
The trojan hooks the following Windows APIs:
- closesocket (ws2_32.dll)
- connect (ws2_32.dll)
- CreateProcessAsUserW (advapi32.dll)
- CreateProcessW (kernel32.dll)
- HttpOpenRequestA (wininet.dll)
- HttpOpenRequestW (wininet.dll)
- HttpQueryInfoA (wininet.dll)
- HttpQueryInfoW (wininet.dll)
- HttpSendRequestA (wininet.dll)
- HttpSendRequestW (wininet.dll)
- InternetCloseHandle (wininet.dll)
- InternetConnectA (wininet.dll)
- InternetConnectW (wininet.dll)
- InternetOpenA (wininet.dll)
- InternetQueryDataAvailable (wininet.dll)
- InternetReadFile (wininet.dll)
- InternetReadFileExA (wininet.dll)
- InternetReadFileExW (wininet.dll)
- PR_DestroyPollableEvent (nspr4.dll)
- PR_Read (nspr4.dll)
- PR_Write (nspr4.dll)
- send (ws2_32.dll)
- ZwSetValueKey (ntdll.dll)
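The hooks listed above are the trojan's man-in-the-browser layer: with the entry points of the wininet.dll, ws2_32.dll and nspr4.dll (Firefox) I/O functions redirected into its injected code, it sees request bodies before they are encrypted and can rewrite responses. A quick triage check for this class of hook is to read the first bytes of each exported function inside the target process and see whether they have been overwritten with a jump that leads outside the module. The Python below is an added illustration of that heuristic and is not ESET's detection code or anything from the original page; it works on a constructed snapshot (module bases, sizes, function addresses and prologue bytes are all made up, and 0x00420000 stands in for a private memory region holding injected code). On a live system those values would be read from the process with EnumProcessModules and ReadProcessMemory, which this offline example does not do.

```python
import struct
from typing import List, Optional, Tuple

# Common hot-patchable prologue of 32-bit Windows API exports: mov edi,edi / push ebp / mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")


def entry_transfer(prologue: bytes, func_va: int) -> Optional[Tuple[str, Optional[int]]]:
    """Decode a control transfer placed at the first byte of a function.
    Returns (kind, absolute target), or None if the entry does not start with a jump.
    The target is None for an indirect jmp [mem], whose destination is not in the bytes themselves."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                          # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 2 and prologue[0] == 0xEB:                          # jmp rel8 (short)
        rel = struct.unpack_from("<b", prologue, 1)[0]
        return ("jmp_rel8", (func_va + 2 + rel) & 0xFFFFFFFF)
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:  # push imm32 / ret
        return ("push_ret", struct.unpack_from("<I", prologue, 1)[0])
    if len(prologue) >= 6 and prologue[:2] == b"\xff\x25":                  # jmp dword ptr [disp32]
        return ("jmp_indirect", None)
    return None


def is_hooked(prologue: bytes, func_va: int, module_base: int, module_size: int) -> bool:
    """Flag an export whose entry jumps outside its own module image.
    A jump that stays inside the module (thunks, Microsoft hot-patch stubs in the padding) is not flagged.
    An indirect jump at an API entry is flagged for manual review because its target cannot be resolved here."""
    t = entry_transfer(prologue, func_va)
    if t is None:
        return False
    _, target = t
    if target is None:
        return True
    return not (module_base <= target < module_base + module_size)


def make_jmp_rel32(func_va: int, target: int) -> bytes:
    """Build the 5-byte `jmp target` that an inline hook writes over a function entry."""
    return b"\xe9" + struct.pack("<i", target - (func_va + 5))


# Constructed snapshot: (api, module, module base, module size, function VA, first bytes at that VA).
SNAPSHOT = [
    ("HttpSendRequestA", "wininet.dll", 0x76B00000, 0x150000, 0x76B2A000, make_jmp_rel32(0x76B2A000, 0x00420000)),
    ("InternetReadFile", "wininet.dll", 0x76B00000, 0x150000, 0x76B1C0D0, CLEAN_PROLOGUE),
    ("PR_Write", "nspr4.dll", 0x10000000, 0x40000, 0x10012340, b"\x68" + struct.pack("<I", 0x00420000) + b"\xc3"),
    ("send", "ws2_32.dll", 0x75C00000, 0x35000, 0x75C04ED0, make_jmp_rel32(0x75C04ED0, 0x75C06000)),  # intra-module
]


def scan(snapshot) -> List[str]:
    """Names of the APIs in the snapshot whose entry is redirected out of their module."""
    return [api for api, _mod, base, size, va, first_bytes in snapshot if is_hooked(first_bytes, va, base, size)]


if __name__ == "__main__":
    for api, mod, base, size, va, first_bytes in SNAPSHOT:
        state = "HOOKED" if is_hooked(first_bytes, va, base, size) else "clean"
        print(f"{mod}!{api}: {state} {entry_transfer(first_bytes, va)}")
```

The check is deliberately conservative: a jump that lands inside the module is treated as benign, which is what Microsoft's own hot-patch stubs look like, and an indirect jump is reported rather than resolved. A thorough scan would also compare the process's copy of the export against the on-disk image, since a hook can be placed a few bytes past the entry, and would cover 64-bit prologues, which do not start with the mov edi,edi sequence.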
The trojan creates and runs a new thread with its own program code within the following processes:
- avant.exe
- cftp.exe
- coreftp.exe
- explorer.exe
- filezilla.exe
- firefox.exe
- ftpte.exe
- FTPVoyager.exe
- iexplore.exe
- maxthon.exe
- mozilla.exe
- msimn.exe
- myie.exe
- OUTLOOK.EXE
- SmartFTP.exe
- smss.exe
- svchost.exe
- thebat.exe
- TOTALCMD.EXE
- winlogon.exe
- WinSCP.exe
The following file is deleted:
- %currentfolder%\Adobe.exe
Information stealing
Win32/Spy.Bebloh.J is a trojan that steals sensitive information.
The trojan collects information while any of the following applications is in use:
- Internet Explorer
- The Bat! E-Mail Client
- Outlook Express
- Microsoft Outlook
- MyIE2
- Mozilla Firefox
- Netscape
- Avant Browser
- Maxthon Browser
- CuteFTP
- CoreFTP
- FileZilla
- Total Commander
- FTP Commander Pro
- FTP Voyager
- SmartFTP
- WinSCP
The trojan collects the following information:
- operating system version
- FTP account information
- e-mail addresses
- e-mail accounts data
- login user names for certain applications/services
- login passwords for certain applications/services
- HTML forms content
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 7 URLs. Communication with them uses the HTTP protocol.
It can execute the following operations:
- update itself to a newer version
- download files from a remote computer and/or the Internet
- run executable files
- set up a proxy server
- uninstall itself
- modify network traffic
- redirect network traffic
- monitor network traffic
- modify website content
- send gathered information
- capture screenshots
- send the list of running processes to a remote computer
The trojan checks for Internet connectivity by trying to connect to the following server:
- www.google.com
The trojan blocks execution of the following programs (browsers that are not among the processes it injects its code into):
- chrome.exe
- navigator.exe
- opera.exe
- safari.exe
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0]
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0]