Worm:Win32/Babonock.A
First posted on 17 October 2014.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/Babonock.A.
Explanation:
Threat behavior
Installation
TrojanSpy:Win32/Babonock.A drops itself as the following file:
%AppData%\Microsoft\Office\rundll32.exe
It creates the following registry entry so that it runs every time Windows starts:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows"
With data: "%AppData%\Microsoft\Office\rundll32.exe"
It also creates the following registry entry to record which version of itself is installed on your computer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Msversion"
With data: ""
Payload
Hides files and folders
TrojanSpy:Win32/Babonock.A makes the following registry change so that Windows Explorer does not display protected operating system files (files carrying both the hidden and system attributes), regardless of whether you have chosen to show hidden files and folders:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
It also hides known file extensions when files are viewed in Windows Explorer by setting the following registry entry:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
Connects to a remote server
TrojanSpy:Win32/Babonock.A connects to an FTP server such as:
- bytehost10.com
- bytehost6.com
- drivehq.com
It may do this for the following purposes:
- Download and update itself
- Download other files
- Upload files, including logged keystrokes and a count of open windows
- Create folders
Analysis by Elda Dimakiling
Symptoms
System changes
The following system changes may indicate the presence of this malware:
- The presence of the following file:
%AppData%\Microsoft\Office\rundll32.exe
- The presence of the following registry modifications:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows"
With data: "%AppData%\Microsoft\Office\rundll32.exe"
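The indicators listed in the Installation, Payload and Symptoms sections can be checked on a suspect host with the following PowerShell triage script. It is an added example, not part of Microsoft's write-up or the malware author's code: the -Remediate switch, the quarantine folder, the quarantined file name and the DNS client cache check for the FTP hosts are my assumptions. Two caveats a responder needs: the dropped file is named rundll32.exe, so running processes must be matched by full path, never by image name, or the legitimate %SystemRoot%\System32\rundll32.exe will be stopped; and ShowSuperHidden=0 and HideFileExt=1 are also the Windows defaults, so on their own they prove nothing and are reported only as corroboration. The Msversion value is matched on presence alone, since its data is blank on this page.

```powershell
<#
  Added example (not from the Microsoft write-up): triage a host for the
  Babonock.A indicators listed on this page and optionally remove persistence.
  Run it in the context of the affected user, since every indicator lives under HKCU.
  Assumptions (mine, not the page's): the -Remediate switch, the quarantine
  folder/file name, and the DNS-cache check for the FTP hosts.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$Quarantine = (Join-Path $env:ProgramData 'Quarantine')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped file. The name mimics rundll32.exe, so check the full path, never the name.
$dropPath = [Environment]::ExpandEnvironmentVariables('%AppData%\Microsoft\Office\rundll32.exe')
if (Test-Path -LiteralPath $dropPath -PathType Leaf) {
    $sha256 = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings.Add("dropped file present: $dropPath (SHA256 $sha256)")
}

# 2. Run-key persistence: value "Microsoft Windows" pointing at the dropped file.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -Name 'Microsoft Windows' -ErrorAction SilentlyContinue
if ($run) {
    $findings.Add("Run value 'Microsoft Windows' = $($run.'Microsoft Windows')")
}

# 3. Version marker under Explorer\Advanced. Msversion is not a Windows value,
#    so its mere presence is an indicator (the page shows its data as blank).
$advKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and ($adv.PSObject.Properties.Name -contains 'Msversion')) {
    $findings.Add("version marker Msversion = '$($adv.Msversion)'")
}

# 4. Explorer tampering. ShowSuperHidden=0 and HideFileExt=1 are also the Windows
#    defaults, so they are reported as corroboration only, never as evidence alone.
$corroborating = @()
if ($adv -and $adv.ShowSuperHidden -eq 0) { $corroborating += 'ShowSuperHidden=0' }
if ($adv -and $adv.HideFileExt -eq 1)     { $corroborating += 'HideFileExt=1' }

# 5. FTP hosts from the write-up, looked up in the DNS client cache
#    (Get-DnsClientCache needs Windows 8 / Server 2012 or later).
$ftpHosts = 'bytehost10.com', 'bytehost6.com', 'drivehq.com'
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    foreach ($h in $ftpHosts) {
        if ($entry.Entry -like "*$h") { $findings.Add("DNS cache entry for $($entry.Entry)") }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Babonock.A indicators found.'
    return
}
$findings | ForEach-Object { Write-Warning $_ }
if ($corroborating) {
    Write-Output ('Explorer settings consistent with infection: ' + ($corroborating -join ', '))
}

if (-not $Remediate) { return }

# Remediation order: stop the running copy (matched by full path), remove persistence
# and the version marker, then move the binary to quarantine for analysis instead of deleting it.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $dropPath) } |
    Stop-Process -Force
Remove-ItemProperty -Path $runKey -Name 'Microsoft Windows' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $advKey -Name 'Msversion' -ErrorAction SilentlyContinue
if (Test-Path -LiteralPath $dropPath) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    Move-Item -LiteralPath $dropPath -Destination (Join-Path $Quarantine 'babonock_rundll32.exe.bin') -Force
}
# Make hidden/system files and extensions visible again while the host is reviewed.
Set-ItemProperty -Path $advKey -Name 'ShowSuperHidden' -Value 1 -Type DWord
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
Write-Output 'Remediation applied; follow up with a full antimalware scan.'
```

Run the script once without switches to report, then with -Remediate to clean up. Because the sample uploads logged keystrokes to the FTP hosts, treat any credential typed on the host while the Run value was present as exposed and rotate it; removing the file and the Run value does not undo that.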
Last update 17 October 2014