
TrojanDownloader:Win32/Beebone.GW


First posted on 14 February 2013.
Source: Microsoft

Aliases:

There are no other names known for TrojanDownloader:Win32/Beebone.GW.

Explanation:



Installation

When launched, TrojanDownloader:Win32/Beebone.GW "runs in place", meaning that the trojan runs from whichever folder it was downloaded into when it arrived on your computer.

Payload

Downloads and runs other malware

TrojanDownloader:Win32/Beebone.GW attempts to contact and download arbitrary files from a remote server. In the wild, we have observed it attempting to connect to the following servers:

  • domai.noip1.info:8080/0/?a
  • domai.noip1.info:8080/0/?f


The downloaded files may be detected as variants of the following malware families:

  • Trojan:Win32/Acbot (such as Trojan:Win32/Acbot.A) - a family of trojans that spread through social media
  • Win32/Vobfus - a family of worms that spread via network and removable drives and that download other malware
  • Win32/Sirefef - a complex, multi-component family of malware


Commonly, malware may contact a remote host for the following purposes:

  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer


Modifies computer settings

TrojanDownloader:Win32/Beebone.GW modifies the following registry entry to allow certain sites to be treated with a decreased level of security:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Sets value: "ProxyBypass"
With data: "1"
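An added triage helper, not part of the Microsoft entry, that checks two of the indicators above offline: the ProxyBypass value in a text export of the ZoneMap key (as produced by `reg export`) and proxy-log lines that reference the download server observed in the wild. The .reg text and the proxy-log lines are constructed samples; the log format is assumed.

```python
"""Offline triage of the Beebone.GW indicators (added example, constructed samples)."""
import re
from typing import Iterable, List, Optional

# Key path as it appears in a `reg export` text file (HKCU expands to HKEY_CURRENT_USER).
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
# Download server named in the encyclopedia entry.
C2_HOSTS = {"domai.noip1.info"}
C2_PATTERN = re.compile(r"\b(" + "|".join(re.escape(h) for h in C2_HOSTS) + r")(:\d+)?", re.I)


def zonemap_proxybypass(reg_export: str) -> Optional[int]:
    """Return the ProxyBypass DWORD under the ZoneMap key, or None if it is not present."""
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):      # "[HKEY_...\ZoneMap]" section header
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == ZONEMAP_KEY.lower():
            m = re.match(r'"ProxyBypass"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                return int(m.group(1), 16)             # hex DWORD as written by reg export
    return None


def find_c2_contacts(log_lines: Iterable[str]) -> List[str]:
    """Return the log lines that reference the download server (host, optionally with port)."""
    return [line for line in log_lines if C2_PATTERN.search(line)]


def triage(reg_export: str, log_lines: Iterable[str]) -> dict:
    """Summarise both checks for an analyst: ProxyBypass set to 1, and any C2 contacts seen."""
    return {
        "proxybypass_set": zonemap_proxybypass(reg_export) == 1,
        "c2_contacts": find_c2_contacts(log_lines),
    }


# Constructed sample: what `reg export "HKCU\...\ZoneMap" zonemap.reg` looks like after infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"=dword:00000001
"""

# Constructed proxy-log lines (assumed format: epoch, client, method, URL, status).
SAMPLE_PROXY_LOG = [
    "1360800000.123 WORKSTATION7 GET http://domai.noip1.info:8080/0/?a 200",
    "1360800001.456 WORKSTATION7 GET http://www.example.com/ 200",
    "1360800002.789 WORKSTATION7 GET http://domai.noip1.info:8080/0/?f 200",
]
```

ProxyBypass=1 also corresponds to the Local Intranet zone option "Include all sites that bypass the proxy server", which is commonly enabled by default, so treat a hit on that value as corroborating evidence rather than proof on its own. The proxy-log match is the stronger indicator.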

Additional information

TrojanDownloader:Win32/Beebone.GW checks for the presence of the following modules:

  • dbghelp.dll
  • sbiedll.dll


The trojan checks for the following strings in the registry entry "HKLM\System\ControlSet001\Services\Disk\Enum\0":

  • VIRTUAL
  • VMWARE
  • VBOX
  • QEMU


The presence of these modules or strings may indicate that your computer is running in a sandbox environment, in which case the trojan will not run.

It also checks for the module "snxhk.dll", possibly to determine if AVAST antivirus is installed on your computer.

Related encyclopedia entries

Trojan:Win32/Acbot.A

Win32/Vobfus

Win32/Sirefef

Analysis by Rex Plantado

Last update 14 February 2013
