Threat Encyclopedia


Win32/Spy.Bebloh.A

Aliases: Trojan-Downloader.Win32.Piker.sc (Kaspersky), Downloader.Generic9.ABMZ (AVG)
Type of infiltration: Trojan
Size: 79360 B
Affected platforms: Microsoft Windows
Signature database version: 4860 (20100212)

Short description

The trojan contains a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the %system% folder using the following filename:
  • %random_name%.exe (79360 B)
A string with variable content is used instead of %random_name%.

The trojan deletes the original file.

In order to be executed on system start, the trojan sets the following Registry entry:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\userinit.exe]
    "Debugger" = "%random_name%.exe"
The trojan creates and runs a new thread with its own program code within the following processes:
  • csrss.exe
  • svchost.exe
  • thebat.exe
  • msimn.exe
  • iexplore.exe
  • explorer.exe
  • myie.exe
  • firefox.exe
  • avant.exe
  • mozilla.exe
  • maxthon.exe

Other information

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\opera.exe]
    "Debugger" = "%ProgramFiles%\Internet Explorer\iexplore.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\navigator.exe]
    "Debugger" = "%ProgramFiles%\Internet Explorer\iexplore.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\safari.exe]
    "Debugger" = "%ProgramFiles%\Internet Explorer\iexplore.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
    Image File Execution Options\chrome.exe]
    "Debugger" = "%ProgramFiles%\Internet Explorer\iexplore.exe"
Because Windows launches the program named in an Image File Execution Options "Debugger" value in place of the listed executable, these entries prevent the named browsers from being executed normally and start Internet Explorer instead.
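The persistence entry under "Installation" and the browser entries above both rely on the same Image File Execution Options (IFEO) "Debugger" mechanism. The following audit script is an added example (not part of the encyclopedia entry) that lists every IFEO Debugger value on a host and flags the targets named on this page; the list of target names and the 64-bit WOW6432Node path are assumptions for the example.

```powershell
# Added audit script (not from the encyclopedia entry): report every IFEO
# "Debugger" value. Windows starts that value instead of the named program,
# which is how the entry above hijacks userinit.exe for persistence and
# redirects third-party browsers to iexplore.exe. Run from an elevated shell.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Targets named on this page (assumed list for the example); hits here are the
# strongest indicator. Any other Debugger value on an end-user host also merits review.
$pageTargets = @('userinit.exe', 'opera.exe', 'navigator.exe', 'safari.exe', 'chrome.exe')

$findings = foreach ($root in $ifeoPaths) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.Debugger) { return }          # no Debugger value: nothing to report
        $target   = $_.PSChildName
        $expanded = [Environment]::ExpandEnvironmentVariables($props.Debugger)

        # Resolve the executable the value points at. Try the whole string first
        # (unquoted paths with spaces, as in the page's %ProgramFiles% value), then
        # fall back to the quoted or first token for values that carry arguments.
        $exe = $expanded.Trim('"')
        if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $exe = if ($expanded -match '^"([^"]+)"') { $Matches[1] } else { ($expanded -split ' ')[0] }
        }

        [PSCustomObject]@{
            Target     = $target
            Debugger   = $props.Debugger
            ExeExists  = Test-Path -LiteralPath $exe -PathType Leaf
            Assessment = if ($pageTargets -contains $target) { 'matches Win32/Spy.Bebloh.A pattern' }
                         else { 'unexpected IFEO debugger: review' }
            Key        = $_.Name
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No IFEO Debugger values found.' }
```

The script is read-only; once a hit is confirmed, remediation is removing the Debugger value (or the whole subkey if nothing else is in it) and quarantining the referenced file.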

The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Internet Settings\%random%]
A string with variable content is used instead of %random%.

The trojan receives data and commands from a remote computer or the Internet.

It can be controlled remotely. The HTTP protocol is used.

The trojan connects to the following addresses:
  • nuomosus.cn/m5/login.php
  • witosate.cn/m5/login.php
  • cyboheig.cn/mp/login.php
The trojan can download and execute a file from the Internet.