TROJ_BEBLOH
Bebloh, Bublik
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
BEBLOH variants monitor URLs related to the financial institutions listed in their configuration file and steal FTP credentials from the infected system.
If the configuration file is downloaded successfully, the Trojan may steal login credentials and money from bank accounts and manipulate the displayed account page so that the balance appears unchanged.
It also gathers system information, such as the IP address, OS version, hardware ID and email addresses stored in the Windows Address Book (WAB).
TECHNICAL DETAILS
Installation
This Trojan drops the following copies of itself into the affected system:
- %System%\{random file name}.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Autostart Technique
This Trojan adds the following registry entry to enable its automatic execution at every user logon. A Debugger value under Image File Execution Options makes Windows launch the named program in place of userinit.exe whenever Winlogon starts it. (Note: during cleanup, delete this Debugger value before removing the dropped file; if the value points at a file that no longer exists, userinit.exe cannot be started and interactive logon fails.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
userinit.exe
Debugger = "%System%\{random file name}.exe"
Other System Modifications
This Trojan adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\203E7401
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
userinit.exe
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\203E7401
Default = "{XOR encrypted configuration file URLs}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
5.0\203E7401
BC59 = "0"
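The Default value of the 203E7401 key above holds the XOR-encrypted configuration URLs, but the page gives neither the key nor the key length. The following is an added example (not code from this write-up, and not the malware's own routine) that assumes a single-byte repeating key, the first hypothesis an analyst tests after pulling such a value out of a hive, and ranks the 256 candidate keys by how URL-like the decoded bytes are. The sample blob, the key 0x5A, the NUL separator and the example.invalid hostnames are constructed for the demonstration.

```python
"""
Brute-force a single-byte XOR key for an opaque registry value.

Added example, not code from the Trend Micro write-up. The page only says the
203E7401 Default value holds "XOR encrypted configuration file URLs"; it does
not give the key or key length. This script ASSUMES a single-byte repeating
key and scores each candidate plaintext by how much of it looks like URL text.
"""
import string

PRINTABLE = set(bytes(string.printable, "ascii"))


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one key byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Higher is more URL-like: reward printable bytes and URL markers."""
    score = sum(1 for b in candidate if b in PRINTABLE)
    for marker in (b"http://", b"https://", b".php", b"/", b"."):
        score += 8 * candidate.count(marker)
    return score


def brute_force_single_byte_xor(blob: bytes) -> tuple[int, bytes]:
    """Return (key, plaintext) for the best-scoring of the 256 possible keys."""
    best_key, best_plain, best_score = 0, blob, -1
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score_plaintext(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain


def extract_urls(plain: bytes) -> list[str]:
    """Split a decoded blob into URL strings; assumes NUL or newline separators."""
    text = plain.decode("ascii", errors="replace")
    parts = [p.strip() for p in text.replace("\x00", "\n").split("\n")]
    return [p for p in parts if p.startswith("http")]


# Constructed sample: placeholder config URLs (not the real ones) encoded with key 0x5A.
SAMPLE_URLS = ["http://config.example.invalid/f/t.php",
               "http://backup.example.invalid/f/t.php"]
SAMPLE_BLOB = xor_bytes("\x00".join(SAMPLE_URLS).encode("ascii"), 0x5A)

if __name__ == "__main__":
    key, plain = brute_force_single_byte_xor(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for url in extract_urls(plain):
        print(url)
```

If none of the 256 keys yields URL text, the single-byte assumption is wrong (a longer key or an extra encoding layer), and the next step is to analyse the value against a multi-byte key, which this snippet does not attempt.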
It modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Internet Settings\
Zones\3
1609 = "0"
(Note: The default value data of the said registry entry is 1. Value 1609 controls "Display mixed content" for the Internet zone: 0 allows mixed content silently, 1 prompts the user.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths
Directory = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path1
CachePath = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path2
CachePath = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache2.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path3
CachePath = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache3.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
Cache\Paths\path4
CachePath = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
(Note: The default value data of the said registry entry is %Temporary Internet Files%\Content.IE5\Cache4.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\0001\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Hardware Profiles\Current\Software\
Microsoft\windows\CurrentVersion\
Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_CURRENT_CONFIG\Software\Microsoft\
windows\CurrentVersion\Internet Settings
ProxyEnable = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders
Cookies = "%System%\config\systemprofile\Cookies"
(Note: The default value data of the said registry entry is %System Root%\Documents and Settings\NetworkService\Cookies.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders
Cache = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
(Note: The default value data of the said registry entry is %System Root%\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files.)
HKEY_USERS\.DEFAULT\Software\
Microsoft\Windows\CurrentVersion\
Explorer\Shell Folders
History = "%System%\config\systemprofile\Local Settings\History"
(Note: The default value data of the said registry entry is %System Root%\Documents and Settings\NetworkService\Local Settings\History.)
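Taken together, the registry changes above form a usable detection set. The following is an added example (not code from the Trend Micro write-up) that evaluates a registry snapshot against those indicators. The key paths and value names are taken from the page; the snapshot format, the function names, the made-up file name qxvbnm.exe and the sample data are assumptions for illustration. On a Windows host, read_live_registry() fills the snapshot with winreg; elsewhere it returns an empty dict so the evaluation logic can still be exercised on captured data.

```python
"""
Evaluate the BEBLOH registry indicators listed on this page.

Added example, not code from the Trend Micro write-up. Key paths and value
names come from the page; the snapshot format, function names and sample data
are assumptions. evaluate_indicators() works on a plain dict so it runs
offline; read_live_registry() fills that dict on Windows and returns {} elsewhere.
"""
import sys

IFEO_USERINIT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\Image File Execution Options\userinit.exe")
BEBLOH_CONFIG_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                     r"\Internet Settings\5.0\203E7401")
ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
CACHE_PATHS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths"
DEFAULT_SHELL_FOLDERS = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
# The page shows IE cache, cookies and history redirected under %System%\config\systemprofile.
SYSTEMPROFILE_MARK = "\\config\\systemprofile\\"

KEYS_TO_READ = [IFEO_USERINIT, BEBLOH_CONFIG_KEY, ZONE3, DEFAULT_SHELL_FOLDERS,
                CACHE_PATHS] + [CACHE_PATHS + f"\\path{i}" for i in range(1, 5)]


def evaluate_indicators(snapshot: dict) -> list[str]:
    """snapshot maps (key_path, value_name) -> data; absent keys are simply not present.

    ProxyEnable = 0 is also listed on the page, but it is common on clean hosts,
    so it is deliberately not treated as an indicator here.
    """
    findings = []
    debugger = snapshot.get((IFEO_USERINIT, "Debugger"))
    if debugger:
        # Any Debugger value on userinit.exe is abnormal: Winlogon would launch it
        # in place of userinit.exe at every logon.
        findings.append(f"IFEO Debugger on userinit.exe -> {debugger}")
    if any(key == BEBLOH_CONFIG_KEY for key, _ in snapshot):
        findings.append("Internet Settings\\5.0\\203E7401 key present")
    if snapshot.get((ZONE3, "1609")) == 0:
        findings.append("Internet zone value 1609 (mixed content) is 0; page lists default 1")
    for (key, name), data in snapshot.items():
        redirected_key = key.startswith(CACHE_PATHS) or key == DEFAULT_SHELL_FOLDERS
        if redirected_key and isinstance(data, str) and SYSTEMPROFILE_MARK.lower() in data.lower():
            findings.append(f"Path redirected into systemprofile: {key}\\{name} = {data}")
    return findings


def read_live_registry() -> dict:
    """Windows only: read every value under KEYS_TO_READ from the 64-bit registry view."""
    if sys.platform != "win32":
        return {}
    import winreg
    roots = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_USERS": winreg.HKEY_USERS}
    snapshot = {}
    for key_path in KEYS_TO_READ:
        root_name, _, sub = key_path.partition("\\")
        try:
            key = winreg.OpenKey(roots[root_name], sub, 0,
                                 winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
        except OSError:
            continue  # key absent: nothing to record
        with key:
            snapshot.setdefault((key_path, ""), None)  # record that the key exists
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                snapshot[(key_path, name)] = data
                index += 1
    return snapshot


# Constructed sample snapshots (random file name and paths are made up).
SAMPLE_SNAPSHOT = {
    (IFEO_USERINIT, "Debugger"): r"C:\Windows\System32\qxvbnm.exe",
    (BEBLOH_CONFIG_KEY, "BC59"): "0",
    (ZONE3, "1609"): 0,
    (CACHE_PATHS + r"\path1", "CachePath"):
        r"C:\Windows\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1",
}
CLEAN_SNAPSHOT = {
    (ZONE3, "1609"): 1,
    (CACHE_PATHS + r"\path1", "CachePath"):
        r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Cache1",
}

if __name__ == "__main__":
    live = read_live_registry()
    for line in evaluate_indicators(live if live else SAMPLE_SNAPSHOT):
        print(line)
```

Run it with a 64-bit Python on the host (or point it at an offline hive parsed into the same dict shape); the KEY_WOW64_64KEY flag avoids the WOW6432Node redirection that would otherwise hide the HKLM\SOFTWARE keys from a 32-bit interpreter.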
Information Theft
This Trojan gathers the following data:
- IP address
- OS version
- Socks port
- UAC configuration
- Hardware ID
- Email addresses stored in the Windows Address Book (WAB)
Other Details
This Trojan connects to the following URL(s) to check for an Internet connection:
- www.google.com
It connects to the following possibly malicious URLs:
- http://{BLOCKED}.{BLOCKED}.125.134/smp/inx.php
- http://{BLOCKED}.{BLOCKED}.127.227
- http://{BLOCKED}i.net
- http://{BLOCKED}bet.{BLOCKED}c.com/f/t.php
- http://{BLOCKED}nvrein.{BLOCKED}s.net/f/t.php
- http://{BLOCKED}c.com
- http://{BLOCKED}x.com
- http://{BLOCKED}eun.{BLOCKED}ame.com
- http://{BLOCKED}m.net
- http://{BLOCKED}.net
- http://{BLOCKED}uhegy.{BLOCKED}3.com/f/t.php
- http://{BLOCKED}rew.net
- http://{BLOCKED}.net
- http://{BLOCKED}ubihegs.{BLOCKED}ame.com
- http://{BLOCKED}t.com
- http://{BLOCKED}r.net