Win32/Spy.Bebloh [Threat Name]
Win32/Spy.Bebloh.O [Threat Variant Name]
Category | trojan |
Size | 184352 B |
Aliases | Trojan.Win32.Inject.acbmp (Kaspersky), Trojan.DownLoader23.15820 (Dr.Web) |
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to some of the following locations:
- %programfiles%\Windows NT\%variable1%%variable2%%variable3%.exe
- %appdata%\%variable1%%variable2%%variable3%.exe
The trojan may create the following files:
- %programfiles%\Windows NT\%variable1%%variable2%%variable3%.lnk
- %appdata%\%variable1%%variable2%%variable3%.lnk
These are shortcuts to the trojan's files.
The trojan may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  "%variable1%%variable2%%variable3%" = "%programfiles%\Windows NT\%variable1%%variable2%%variable3%.lnk"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  "%variable1%%variable2%%variable3%" = "%appdata%\%variable1%%variable2%%variable3%.lnk"
This causes the trojan to be executed on every system start.
The %variable1% is one of the following strings:
- win
- video
- def
- mem
- win
- dns
- user
- logon
- hlp
- mixer
- pack
- mon
- srv
- exec
- play
A string with variable content is used instead of %variable2%.
The %variable3% is one of the following strings:
- (empty string)
- win
- video
- def
- mem
- win
- dns
- user
- logon
- hlp
- mixer
- pack
- mon
- srv
- exec
- play
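The persistence entries described above have a recognisable shape: a Run value whose name is a generated string (prefix from the %variable1% list, variable middle, optional suffix from the %variable3% list) and whose data points at a .lnk file of the same name under %programfiles%\Windows NT\ or %appdata%\. The following script is an added example written for this page, not ESET's code, that checks Run-key entries against that pattern. It assumes the two drop directories expand to the usual `C:\Program Files[ (x86)]\Windows NT` and `C:\Users\<user>\AppData\Roaming` paths; the sample entries are constructed, and the live `read_run_entries()` reader only works on Windows.

```python
"""Heuristic check of Run-key autostart entries for the Bebloh.O persistence
pattern: value name == generated file stem, data == path to a .lnk with that
stem inside one of the two drop directories. Added example, not ESET's code."""
import re
from pathlib import PureWindowsPath

# %variable1% and %variable3% vocabularies from the page ("win" listed once).
PREFIXES = ["win", "video", "def", "mem", "dns", "user", "logon", "hlp",
            "mixer", "pack", "mon", "srv", "exec", "play"]
SUFFIXES = [""] + PREFIXES  # %variable3% may be the empty string

# Assumed expanded forms of %programfiles%\Windows NT and %appdata%.
DROP_DIRS = (
    re.compile(r"^[a-z]:\\program files( \(x86\))?\\windows nt$", re.I),
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming$", re.I),
)


def _alternation(words):
    return "|".join(re.escape(w) for w in words)


# prefix + non-empty variable middle + (possibly empty) suffix, anchored.
NAME_RE = re.compile(
    rf"^(?P<prefix>{_alternation(PREFIXES)})(?P<middle>.+?)"
    rf"(?P<suffix>{_alternation(SUFFIXES)})$",
    re.I,
)


def _target_path(value_data: str) -> PureWindowsPath:
    """Return the program/shortcut path of a Run value, dropping any arguments
    after a quoted path. Unquoted data is taken whole, because the page's own
    value data is an unquoted path that contains a space."""
    s = value_data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        s = s[1:end] if end > 0 else s[1:]
    return PureWindowsPath(s)


def matches_bebloh_pattern(value_name: str, value_data: str) -> bool:
    """True when one Run value looks like the persistence entry on this page."""
    path = _target_path(value_data)
    if path.suffix.lower() != ".lnk":
        return False
    if not any(d.match(str(path.parent)) for d in DROP_DIRS):
        return False
    # The page pairs the value name with the identical generated file stem.
    if path.stem.lower() != value_name.strip().lower():
        return False
    return NAME_RE.match(path.stem) is not None


def scan_run_entries(entries):
    """entries: iterable of (key_path, value_name, value_data).
    Returns the entries that match the pattern."""
    return [e for e in entries if matches_bebloh_pattern(e[1], e[2])]


def read_run_entries():
    """Read the live HKLM/HKCU Run keys on Windows; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    found = []
    for hive, hname in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"),
                        (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            with winreg.OpenKey(hive, sub) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    found.append((f"{hname}\\{sub}", name, str(data)))
                    i += 1
        except OSError:
            continue
    return found


# Constructed sample entries: two benign, two shaped like the page's pattern.
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "mon4f8kpack",
     r"C:\Program Files\Windows NT\mon4f8kpack.lnk"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "video9qzs",
     r"C:\Users\alice\AppData\Roaming\video9qzs.lnk"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Notes",
     r"C:\Users\alice\AppData\Roaming\Notes.lnk"),
]

if __name__ == "__main__":
    for key, name, data in scan_run_entries(read_run_entries() or SAMPLE_ENTRIES):
        print(f"suspicious autostart: {key} -> {name} = {data}")
```

Requiring the value name to equal the shortcut's stem is what keeps the check usable: the prefix/suffix vocabulary alone would flag ordinary names such as `windowsupdate.lnk`, so treat any hit as a lead to confirm (the .lnk target and the matching .exe beside it), not as a verdict.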
The trojan launches the following processes:
- %originalmalwarefilepath%
- %windir%\explorer.exe
- %windir%\SysWOW64\explorer.exe
- %programfiles%\Internet Explorer\iexplore.exe
The trojan creates and runs a new thread with its own code within these running processes.
The trojan terminates its execution if it detects that it is running in a specific virtual environment.
It quits immediately if a module loaded in its own process has a name containing one of the following strings:
- sbiedll.dll
The trojan quits immediately if it is run within a debugger.
The trojan quits immediately if the executable file path contains one of the following strings:
- SANDBOX
- VIRUS
- SAMPLE
After the installation is complete, the trojan deletes the original executable file.
Information stealing
The trojan collects the following information:
- computer IP address
- language settings
- proxy server settings
- information about the operating system and system settings
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains one URL and also generates further URLs itself. The communication uses HTTPS.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- create Registry entries
- update itself to a newer version
- stop itself for a certain time period
The trojan keeps various information in the following Registry keys:
- [HKEY_LOCAL_MACHINE\SOFTWARE\%variable%]
- [HKEY_CURRENT_USER\SOFTWARE\%variable%]
A string with variable content is used instead of %variable%.