TSPY_BEBLOH.YYU

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

It does not have any backdoor routine.

It modifies the Internet Explorer Zone Settings.

It attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

It connects to certain websites to send and receive information. It gathers information and reports it to its servers.

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware adds the following mutexes to ensure that only one of its copies runs at any one time:

• Global\Uz{hex values}

It injects codes into the following process(es):

• explorer.exe

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\{random key}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{GUID}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\{random key}
(Default) = "{hex values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{GUID}
Flags = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{GUID}
Version = "*"

HKEY_CURRENT_USER\Software\{random key}
{random} = "{hex values}"

Propagation

This spyware does not have any propagation routine.

Backdoor Routine

This spyware does not have any backdoor routine.

Web Browser Home Page and Search Page Modification

This spyware modifies the Internet Explorer Zone Settings.

Information Theft

This spyware attempts to steal sensitive online banking information, such as user names and passwords. This routine risks the exposure of the user's account information, which may then lead to the unauthorized use of the stolen data.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

• {BLOCKED}oute.com/set/?tver={value}&vcmd={value}&cc={value}&hh={Hex Value}&ipcnf={Ip address}+&sckport={value}&pros={value}&via={value}&keret={value};&email={email address}

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

• www.google.com

It connects to the following website to send and receive information:

• http://{BLOCKED}oute.com
• https://{BLOCKED}oute.com

It does the following:

• Update itself
• It does not proceed to its malicious routine if it detects that it is running in a Virtual environment
• It deletes the cache files of Google Chrome and Mozilla Firefox
• It monitors the following files to steal sensitive information, such as user names and passwords:
  • iexplore.exe
  • explorer.exe
  • myie.exe
  • firefox.exe
  • ftpte.exe
  • coreftp.exe
  • filezilla.exe
  • TOTALCMD.EXE
  • cftp.exe
  • FTPVoyager.exe
  • SmartFTP.exe
  • WinSCP.exe
  • chrome.exe
  • opera.exe
  • chrome.dll
  • thebat.exe
  • msimn.exe
  • nsp4.dll
  • nss3.dll
  • Outlook.exe
  

It gathers the following information and reports it to its servers:

• Email addresses from Windows Address Book (WAB)
• User Credentials (FTP, Browser, Email)
• Machine Name
• OS Information (Version, Product ID, Name, Install Date)
• Explorer File Information
• Volume Serial Number
• Network Configuration (IP address, Socket, Ports)
• Keyboar Layout

NOTES:

It does not have rootkit capabilities.

It does not exploit any vulnerability.