
Trojan:Win32/BeeVry


First posted on 15 May 2013.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/BeeVry.

Explanation:



Installation

Trojan:Win32/BeeVry may be dropped by other malware, or it may arrive as an email attachment with an alluring file name, such as either of the following:

  • Music.exe, or
  • Photos.exe


It creates a copy of itself as "smss.exe" under the <system folder>, then runs this file.

The trojan makes the following change to the registry to ensure that it runs each time you start Windows:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "smss"
With data: "c:\window\system32\smss.exe"



Payload

Modifies Hosts file

Trojan:Win32/BeeVry modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a host name to a particular IP address before any DNS query is made. Malicious software may modify the Hosts file in order to redirect specified host names to different IP addresses. Malware often modifies your Hosts file in order to stop you from accessing websites associated with particular security-related applications (such as antivirus software).

At the time of writing, we observed the following sites being redirected to IP "127.0.0.1":

  • 188.240.47.45
  • 89.202.157.135
  • 89.202.157.136
  • 89.202.157.137
  • 89.202.157.138
  • 89.202.157.139
  • 89.202.157.226
  • 93.184.71.27
  • akamai.grisoft.cz
  • antivir.com
  • arcabit.com
  • arcabit.pl
  • avast.com
  • avast.gen.tr
  • avg.com
  • avgate.net
  • avira.com
  • avp.com
  • backup.grisoft.cz
  • bitdefender.com
  • bitdefender.es
  • ca.com
  • cert.org
  • clamav.net
  • customer.symantec.com
  • dispatch.mcafee.com
  • dl1.antivir.net
  • dl1.pro.antivir.de
  • dl2.antivir-pe.com
  • dl2.antivir.net
  • dl2.pro.antivir.de
  • dl3.antivir.net
  • dl3.pro.antivir.de
  • dlpro.avira.com
  • download.mcafee.com
  • drweb-online.com
  • drweb.com
  • es.mcafee.com
  • es.trendmicro.com
  • eset.co.uk
  • eset.com
  • eset.es
  • eset.eu
  • f-prot.com
  • f-secure.com
  • forum.avast.com
  • free-av.com
  • free.avg.com
  • free.grisoft.com
  • freeav.net
  • freedrweb.com
  • ftp.symantec.com
  • grisoft.com
  • guru.avg.com
  • home.mcafee.com
  • housecall.trendmicro.com
  • jotti.org
  • kaspersky-labs.com
  • kaspersky.com
  • kaspersky.com.mx
  • la.mcafee.com
  • la.trendmicro.com
  • latam.kaspersky.com
  • liveupdate.symantec.com
  • liveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • microsoft.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • nod32-a.com
  • nod32-es.com
  • nod32.com
  • nod32.com.tr
  • nod32.gen.tr
  • novirusthanks.org
  • pandasecurity.com
  • pandasoftware.com
  • pctools.com
  • rads.mcafee.com
  • sarc.com
  • scanner.novirusthanks.org
  • scanner.virustotal.com
  • scanwith.com
  • secure.nai.com
  • security.symantec.com
  • securityresponse.symantec.com
  • service1.symantec.com
  • shop.symantecstore.com
  • sophos.com
  • store.ca.com
  • support.kaspersky.com
  • symantec.com
  • threatsense.net
  • trendmicro.com
  • trendsecure.com
  • update.avg.com
  • update.grisoft.cz
  • update.microsoft.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • usa.kaspersky.com
  • vil.nai.com
  • virscan.org
  • viruslist.com
  • virusscan.jotti.org
  • virustotal-uploader.en.softonic.com
  • virustotal.com
  • vscan.novirusthanks.org
  • w32.clamav.net
  • windowsupdate.microsoft.com
  • zma.com.ar
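The Hosts-file tampering described above can be audited offline from a copy of the file. The following Python is an added example, not Microsoft's or malwarePDF's code: it parses Hosts-file text, generalises the write-up's 127.0.0.1 case to any loopback or unspecified (0.0.0.0 / ::) address, and flags entries whose host name is, or is a subdomain of, a domain on a protected list. The protected set and the sample Hosts content are constructed for illustration and cover only a handful of the domains listed above.

```python
"""Audit Windows Hosts-file text for entries that sinkhole security-vendor
domains to loopback, the behaviour described for Trojan:Win32/BeeVry.
Added example (not Microsoft's or malwarePDF's code); the vendor subset and
the sample Hosts content below are constructed for illustration."""

import ipaddress

# Constructed subset of the domains in the write-up. A real audit would load
# the full list (or a vendor-maintained one) from a file.
PROTECTED_DOMAINS = {
    "avast.com", "avg.com", "kaspersky.com", "microsoft.com",
    "windowsupdate.microsoft.com", "virustotal.com", "symantec.com",
}

# Constructed Hosts content: the stock Microsoft header, benign mappings,
# and several entries in the style BeeVry writes (one using 0.0.0.0).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example   # local lab box
127.0.0.1       avast.com
127.0.0.1  www.kaspersky.com    support.kaspersky.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         virustotal.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines.
    A Hosts line is: IP whitespace host [host ...] [# comment]."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; Windows would not resolve it either
        for host in parts[1:]:
            yield str(ip), host.lower()


def is_sinkhole(ip):
    """True for addresses that swallow the connection: loopback (what the
    write-up reports) and the unspecified address many blockers use."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def matches_protected(host, protected=PROTECTED_DOMAINS):
    """Match the exact domain or any subdomain of a protected domain, so
    www.kaspersky.com is caught by the kaspersky.com entry."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in protected for i in range(len(labels)))


def find_suspicious_entries(text, protected=PROTECTED_DOMAINS):
    """Return sorted (ip, host) tuples that sinkhole a protected domain.
    'localhost' mapped to loopback is normal and is never flagged because
    it is not in the protected set."""
    hits = set()
    for ip, host in parse_hosts(text):
        if is_sinkhole(ip) and matches_protected(host, protected):
            hits.add((ip, host))
    return sorted(hits)


if __name__ == "__main__":
    for ip, host in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {host} -> {ip}")
```

On a live system the text would be read from %SystemRoot%\System32\drivers\etc\hosts; any hit for a vendor or update domain is a strong indicator, since there is no legitimate reason for those names to resolve to loopback.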


Modifies system settings

Trojan:Win32/BeeVry disables the LUA (Least Privileged User Account), also known as the "administrator in Admin Approval Mode" user type, and the associated notifications by making the following registry modification:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "UACDisableNotify"
With data: "0"
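The registry indicators in the Installation and Modifies system settings sections can be checked against an exported snapshot. The following Python is an added example, not Microsoft's or malwarePDF's code: it audits a dictionary standing in for registry output (reading the live registry with winreg or reg.exe is left out so the example runs anywhere), flags any Run entry whose image name is one of the boot-time system processes that Windows never starts from a Run key (general Windows knowledge, not from the write-up), reports EnableLUA = 0, and reports the Security Center value exactly as the write-up lists it. The snapshot contents are constructed.

```python
"""Audit a registry snapshot for the persistence and UAC changes described
for Trojan:Win32/BeeVry. Added example, not Microsoft's or malwarePDF's
code; the snapshot is a constructed dict standing in for winreg/reg.exe
output."""

import ntpath

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SECURITY_CENTER_KEY = r"HKLM\SOFTWARE\Microsoft\Security Center"

# Images Windows starts itself during boot/logon; none belongs in a per-user
# Run key, so a Run entry naming one is a masquerade whatever path it uses.
# (General Windows knowledge, not taken from the write-up.)
BOOT_PROCESS_IMAGES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "lsass.exe"}

# Constructed snapshot: {key path: {value name: data}}. The "smss" entry and
# the two UAC values mirror what the write-up reports; the others are benign.
SAMPLE_SNAPSHOT = {
    RUN_KEY: {
        "OneDrive": r'"C:\Users\lab\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "smss": r"c:\window\system32\smss.exe",
    },
    POLICY_KEY: {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 5},
    SECURITY_CENTER_KEY: {"UACDisableNotify": 0},
}


def image_from_command(command):
    """Extract the executable path from Run-key data, honouring a quoted
    first argument. An unquoted path containing spaces is ambiguous for
    CreateProcess as well, so the first whitespace-delimited token is used."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def audit_registry(snapshot):
    """Return a list of (indicator, detail) findings in a stable order."""
    findings = []
    for name, data in sorted(snapshot.get(RUN_KEY, {}).items()):
        image = ntpath.basename(image_from_command(str(data))).lower()
        if image in BOOT_PROCESS_IMAGES:
            findings.append(("run_key_masquerade", f"{name} = {data}"))
    if snapshot.get(POLICY_KEY, {}).get("EnableLUA") == 0:
        findings.append(("uac_disabled", f"{POLICY_KEY}\\EnableLUA = 0"))
    if snapshot.get(SECURITY_CENTER_KEY, {}).get("UACDisableNotify") == 0:
        findings.append(("uac_notify_value_set",
                         f"{SECURITY_CENTER_KEY}\\UACDisableNotify = 0"))
    return findings


if __name__ == "__main__":
    for indicator, detail in audit_registry(SAMPLE_SNAPSHOT):
        print(f"[{indicator}] {detail}")
```

Because the masquerade check keys on the image name rather than the path, it still fires when the dropped copy lives under a different directory than the one the write-up reports.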

Modifies security settings

The trojan deletes a number of registry keys to prevent you from starting your computer in safe mode. It may do this in an effort to hide its presence, and make cleaning your computer more difficult.



Analysis by Swapnil Bhalode

Last update 15 May 2013
