TrojanDropper:Win32/Hesperbot.B
First posted on 28 January 2014.
Source: Microsoft
Aliases:
There are no other names known for TrojanDropper:Win32/Hesperbot.B.
Explanation:
Threat behavior
Installation
TrojanDropper:Win32/Hesperbot.B usually arrives as a .PDF attachment to a spam email.
It installs the following files:
- \ \ .bkp
- \ \ .dat
- \sun\ .dat
- \sun\ .bkp
The installed files contain the following encrypted information about your PC:
- System install date
- Machine GUID
- Digital product ID
- Computer name
- Processor information
TrojanDropper:Win32/Hesperbot.B also creates the following mutexes. These could be infection markers that prevent more than one copy of the threat from running on your PC:
- Global\ .mutex
- Global\lock_
- Global\inst_
It modifies the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value:
With data: %windir%\\ .exe
The malware has a core component that is injected first into a newly created attrib.exe process and then into explorer.exe. This component is responsible for the malware payload.
Payload
Logs your keystrokes
TrojanDropper:Win32/Hesperbot.B can log your keystrokes. It writes all logged keystrokes to the file keylog.txt.
It then compresses this file into keylog.7z so that it can be uploaded to a remote attacker.
Connects to a command and control server
TrojanDropper:Win32/Hesperbot.B connects to the following legitimate websites to check for a valid internet connection:
- yahoo.com
- facebook.com
- google.com
- wikipedia.org
- microsoft.com
If an internet connection is found, it then connects to the following server:
- dnshosting1.ws
It can also connect to pseudo-random domains produced by a domain generation algorithm (DGA).
Analysis by Patrick Estavillo
Symptoms
The following could indicate that you have this threat on your PC:
- You have these files:
  - \ \ .bkp
  - \ \ .dat
  - \sun\ .dat
  - \sun\ .bkp
- You see this entry in your registry:
  In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Sets value:
  With data: %windir%\\ .exe
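As an added detection check, not part of the Microsoft write-up: the script below scans constructed, simplified endpoint telemetry lines (a key=value format made up for this example, not Sysmon output) for the indicators listed above, namely the Run-key persistence shape, the mutex name prefixes, the keylog.txt/keylog.7z artifacts, and DNS lookups of dnshosting1.ws after the connectivity probes. The persistence value name, dropped file names and mutex suffix are not given on this page, so the code matches only their shape, and the "placeholder" names in the sample events are constructed.

```python
import re
from collections import defaultdict

# Indicators taken from the write-up. The value name and file name under the Run
# key are not published, so only the key and the "%windir%\\<name>.exe" shape
# (note the doubled backslash) are matched.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_DATA = re.compile(r"^%windir%\\\\[^\\]+\.exe$", re.IGNORECASE)
MUTEX_PREFIXES = (r"global\lock_", r"global\inst_")
CONNECTIVITY_CHECK = {"yahoo.com", "facebook.com", "google.com",
                      "wikipedia.org", "microsoft.com"}
C2_DOMAIN = "dnshosting1.ws"

# Constructed sample telemetry; "placeholder" stands in for names the page elides.
SAMPLE_EVENTS = [
    r"pid=4120 type=regset key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value=placeholder data=%windir%\\placeholder.exe",
    r"pid=4120 type=mutex name=Global\inst_placeholder",
    r"pid=4120 type=dns query=yahoo.com",
    r"pid=4120 type=dns query=google.com",
    r"pid=4120 type=dns query=microsoft.com",
    r"pid=4120 type=dns query=dnshosting1.ws",
    r"pid=4120 type=file path=C:\Users\user\AppData\Roaming\keylog.7z",
    r"pid=812 type=dns query=google.com",
    r"pid=812 type=regset key=HKCU\Software\Example value=x data=1",
]

def parse(line):
    """Parse one 'key=value key=value' event line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def scan(lines):
    """Return {pid: [findings]} for events matching the Hesperbot.B indicators."""
    findings = defaultdict(list)
    probes = defaultdict(set)  # pid -> connectivity-check domains already queried
    for ev in map(parse, lines):
        pid, kind = ev.get("pid", "?"), ev.get("type")
        if kind == "regset" and ev.get("key", "").lower() == RUN_KEY \
                and RUN_DATA.match(ev.get("data", "")):
            findings[pid].append("run-key persistence: " + ev["data"])
        elif kind == "mutex":
            name = ev.get("name", "").lower()
            if name.startswith(MUTEX_PREFIXES) or (name.startswith("global\\") and name.endswith(".mutex")):
                findings[pid].append("infection-marker mutex: " + ev["name"])
        elif kind == "dns":
            q = ev.get("query", "").lower()
            if q in CONNECTIVITY_CHECK:
                probes[pid].add(q)
            elif q == C2_DOMAIN:
                findings[pid].append("C2 lookup: " + q)
            elif len(probes[pid]) >= 3:  # weak signal (possible DGA domain); triage, don't alert
                findings[pid].append("lookup after connectivity probe: " + q)
        elif kind == "file" and ev.get("path", "").lower().endswith(("keylog.txt", "keylog.7z")):
            findings[pid].append("keylogger artifact: " + ev["path"])
    return dict(findings)

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, *hits, sep="\n  ")
```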
Last update 28 January 2014