TrojanDownloader:Win32/Beebone.GW
First posted on 14 February 2013.
Source: Microsoft
Aliases:
There are no other names known for TrojanDownloader:Win32/Beebone.GW.
Explanation:
Installation
When launched, TrojanDownloader:Win32/Beebone.GW "runs in place": the trojan executes from whichever folder it was downloaded into when it arrived on your computer, rather than installing itself to a fixed location.
Payload
Downloads and runs other malware
TrojanDownloader:Win32/Beebone.GW attempts to contact and download arbitrary files from a remote server. In the wild, we have observed it attempting to connect to the following servers:
- domai.noip1.info:8080/0/?a
- domai.noip1.info:8080/0/?f
The downloaded files may be detected as variants of the following malware families:
- Trojan:Win32/Acbot (such as Trojan:Win32/Acbot.A) - a family of trojans that spread through social media
- Win32/Vobfus - a family of worms that spread via network and removable drives and that download other malware
- Win32/Sirefef - a complex, multi-component family of malware
Commonly, malware may contact a remote host for the following purposes:
- To confirm Internet connectivity
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
Modifies computer settings
TrojanDownloader:Win32/Beebone.GW modifies the following registry entry so that certain sites are treated with a lower security level than they otherwise would be:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
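The registry change above is one of the few host-side artefacts of this trojan that an administrator can audit directly. The following script is an added example (not Microsoft's tooling): the evaluation logic is a pure function over a dict of value names to data, so it can be exercised offline on constructed snapshots, and `read_zonemap_windows()` is a thin `winreg` wrapper that only works on a Windows host. The entry quotes the data as the string "1"; on a live system the value is normally a REG_DWORD, so both forms are accepted.

```python
"""Audit HKCU ZoneMap for the ProxyBypass=1 change this entry describes.

Added example, not Microsoft's own code. Pure-logic functions take a
{value_name: data} dict; the winreg reader is Windows-only.
"""
import sys

ZONEMAP_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
VALUE_NAME = "ProxyBypass"


def proxybypass_is_set(values):
    """Return True when ProxyBypass is present and equals 1 (int, "1" or "0x1")."""
    data = values.get(VALUE_NAME)
    if data is None:
        return False
    if isinstance(data, bytes):
        data = data.decode("ascii", "replace")
    text = str(data).strip().lower()
    try:
        number = int(text, 16) if text.startswith("0x") else int(text)
    except ValueError:
        return False
    return number == 1


def audit_zonemap(values):
    """Return a list of findings for one HKCU ZoneMap snapshot (empty = clean)."""
    findings = []
    if proxybypass_is_set(values):
        findings.append(
            f"HKCU\\{ZONEMAP_SUBKEY}\\{VALUE_NAME} = 1: sites bypassing the proxy are "
            "treated with lowered security; matches TrojanDownloader:Win32/Beebone.GW behaviour"
        )
    return findings


def read_zonemap_windows():
    """Read the live HKCU ZoneMap values into a dict (Windows only)."""
    import winreg  # standard library, only importable on Windows

    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONEMAP_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _reg_type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot = read_zonemap_windows()
    else:
        # Constructed snapshot representing an infected profile, for demo off Windows.
        snapshot = {"ProxyBypass": 1, "UNCAsIntranet": 0}
    findings = audit_zonemap(snapshot)
    for line in findings:
        print(line)
    if not findings:
        print("ProxyBypass not set: no Beebone.GW ZoneMap modification found")
```

Resetting the value is a remediation step only after the downloader and whatever it fetched have been removed; the change is a symptom, not the infection.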
Additional information
TrojanDownloader:Win32/Beebone.GW checks for the presence of the following modules:
- dbghelp.dll
- sbiedll.dll
The trojan checks for the following strings in the registry entry "HKLM\System\ControlSet001\Services\Disk\Enum\0":
- VIRTUAL
- VMWARE
- VBOX
- QEMU
The presence of these modules or strings may indicate that your computer is running in a sandbox environment, in which case the trojan will not run.
It also checks for the module "snxhk.dll", possibly to determine if AVAST antivirus is installed on your computer.
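The servers listed under Payload and the module and registry strings listed in this section are all static artefacts that can be searched for in a suspect file before it is ever executed. The script below is an added example (not Microsoft's code) that transcribes those indicators into a small triage scanner: it searches a file image for each string as both ASCII and UTF-16LE (Windows binaries commonly store module names and registry paths as wide strings), groups the hits by category, and gives a verdict that weights the C2 strings far above the sandbox-evasion strings, since checks for sbiedll.dll or VMware disk names are shared by many unrelated families. The sample blob at the bottom is constructed for the demonstration.

```python
"""Static indicator scan for the artefacts listed in the Beebone.GW entry.

Added example, not Microsoft's code. INDICATORS is transcribed from the
entry; SAMPLE is a constructed byte string standing in for a file image.
"""
import re
from collections import defaultdict

INDICATORS = {
    "c2_server": ["domai.noip1.info:8080/0/?a", "domai.noip1.info:8080/0/?f"],
    "anti_analysis_module": ["dbghelp.dll", "sbiedll.dll"],
    "vm_disk_string": ["VIRTUAL", "VMWARE", "VBOX", "QEMU"],
    "vm_disk_regkey": [r"System\ControlSet001\Services\Disk\Enum"],
    "av_module": ["snxhk.dll"],
    "zonemap_regkey": [r"Internet Settings\ZoneMap", "ProxyBypass"],
}


def _patterns(text):
    """Yield case-insensitive byte regexes for the ASCII and UTF-16LE forms."""
    yield re.compile(re.escape(text.encode("ascii")), re.IGNORECASE)
    yield re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE)


def scan_indicators(data):
    """Return {category: sorted indicator strings found in data}."""
    hits = defaultdict(set)
    for category, strings in INDICATORS.items():
        for text in strings:
            if any(p.search(data) for p in _patterns(text)):
                hits[category].add(text)
    return {category: sorted(found) for category, found in hits.items()}


def triage_verdict(hits):
    """C2 strings alone are a strong match; evasion artefacts alone are only weak."""
    if "c2_server" in hits:
        return "strong match (Beebone.GW C2 strings present)"
    if "anti_analysis_module" in hits and "vm_disk_string" in hits:
        return "weak match (sandbox-evasion artefacts only; shared by many families)"
    return "no match"


# Constructed stand-in for a file image: a fake MZ header, one ASCII and one
# wide module name, three VM disk strings and one of the two C2 URLs.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"sbiedll.dll\x00" + "dbghelp.dll".encode("utf-16-le") + b"\x00\x00"
    + b"VMWARE\x00VBOX\x00QEMU\x00"
    + b"http://domai.noip1.info:8080/0/?a\x00"
    + b"junk" * 8
)

if __name__ == "__main__":
    found = scan_indicators(SAMPLE)
    for category, strings in found.items():
        print(f"{category}: {', '.join(strings)}")
    print(triage_verdict(found))
```

Run it against a real file with `scan_indicators(open(path, "rb").read())`; packed or obfuscated samples will not expose these strings until unpacked, which is why the dynamic registry and network behaviour above remains the more reliable signal.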
Related encyclopedia entries
Trojan:Win32/Acbot.A
Win32/Vobfus
Win32/Sirefef
Analysis by Rex Plantado
Last update 14 February 2013