TROJ_BAYROB.SM1
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %System Root%\{random folder name}\{random file name 1}.exe
- %System Root%\{random folder name}\{random file name 2}.exe
- %System Root%\{random folder name}\{random file name 3}.exe
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions.)
It creates the following folders:
- %System Root%\{random folder name}
- %Windows%\{random folder name}
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Autostart Technique
This Trojan adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
{value name} = "%System Root%\{random folder name}\{random file name 1}.exe"
Dropping Routine
This Trojan drops the following files:
- %System Root%\{random folder name}\{random file name 4}
- %System Root%\{random folder name}\{random file name 5}
- %System Root%\{random folder name}\{random file name 6}
- %Windows%\{random folder name}\{random file name 2}
(Note: %System Root% is the Windows root folder, where it usually is C:\ on all Windows operating system versions. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
Other Details
This Trojan connects to the following possibly malicious URLs:
NOTES:
The variable {value name} may be any of the following:
- Cache Level Desktop Encrypting SPP
- Debugger Connectivity Multimedia RPC Coordinator
- Desktop AutoConnect Installer Link
- Drive Auto Visual TPM Process
- Networking Time Provider
- Port Color Workstation Keying
- Problem Health UserMode Key Redirector
- Provider Mapper Management Application
- Receiver Base Cryptographic ActiveX Task
- Reporting Modules Driver Protocol
- SNMP Control Device Intelligent DHCP
- Solutions Firewall PC Adapter Scheduler
- Tablet Server Logs Link Procedure
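A Run-key triage check built from the Autostart Technique section and the value-name list above, added here as an example (not Trend Micro's code): it flags Run values whose name is on this page's list or whose data points at an executable one folder below the drive root, the shape the page gives for the dropped copies. The live registry reader uses the standard winreg module on Windows; the SAMPLE_RUN entries are constructed and the folder and file names in them are invented.

```python
import re
import sys
BAYROB_VALUE_NAMES = {  # Run-key value names listed on this page
    "Cache Level Desktop Encrypting SPP",
    "Debugger Connectivity Multimedia RPC Coordinator",
    "Desktop AutoConnect Installer Link",
    "Drive Auto Visual TPM Process",
    "Networking Time Provider",
    "Port Color Workstation Keying",
    "Problem Health UserMode Key Redirector",
    "Provider Mapper Management Application",
    "Receiver Base Cryptographic ActiveX Task",
    "Reporting Modules Driver Protocol",
    "SNMP Control Device Intelligent DHCP",
    "Solutions Firewall PC Adapter Scheduler",
    "Tablet Server Logs Link Procedure",
}

# Page's path shape: %System Root%\{random folder}\{random file}.exe, i.e. an .exe one folder below the drive root (a weak hint on its own)
ROOT_SUBFOLDER_EXE = re.compile(r'^"?[A-Za-z]:\\[^\\"]+\\[^\\"]+\.exe"?$', re.IGNORECASE)

def triage_run_entries(entries):
    """Return [(value_name, data, reasons)] for Run-key values that deserve a closer look."""
    hits = []
    for name, data in entries.items():
        reasons = []
        if name in BAYROB_VALUE_NAMES:
            reasons.append("value name is on the TROJ_BAYROB.SM1 list")
        if ROOT_SUBFOLDER_EXE.match(data.strip()):
            reasons.append("executable sits in a folder directly under the drive root")
        if reasons:
            hits.append((name, data, reasons))
    return hits

def read_hklm_run():
    """Windows only (winreg); returns {} elsewhere so triage can run on exported data."""
    if sys.platform != "win32":
        return {}
    import winreg
    key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        vals = (winreg.EnumValue(k, i) for i in range(winreg.QueryInfoKey(k)[1]))
        return {name: str(data) for name, data, _ in vals}

SAMPLE_RUN = {  # constructed sample Run-key contents, not taken from a real host
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Networking Time Provider": r"C:\qzkxwe\fsdhpk.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
```

Run `triage_run_entries(read_hklm_run() or SAMPLE_RUN)` on a host to list the entries worth inspecting; an entry that matches both checks is a much stronger signal than the path hint alone.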