Home / malware TrojanSpy:Win32/Babonock.A
First posted on 19 February 2013.
Source: MicrosoftAliases :
TrojanSpy:Win32/Babonock.A is also known as Worm/Win32.AutoIt (AhnLab), Trojan-Spy.Win32.AutoIt.p (Kaspersky), Worm/Autoit.ANVE (AVG), TR/Spy.Babonock.A (Avira), Win32/Autoit.HG worm (ESET), Trojan-Spy.Win32.Babonock (Ikarus), Mal/Babonock-A (Sophos), W32.Harakit (Symantec), TROJ_SPNR.07JT11 (Trend Micro).
Explanation :
Installation
TrojanSpy:Win32/Babonock.A drops itself as the following file:
%AppData%\Microsoft\Office\rundll32.exe
It creates the following registry entry so that it runs every time Windows starts:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows"
With data: "%AppData%\Microsoft\Office\rundll32.exe"
It also creates the following registry entry to keep track of what version of itself is installed in your computer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Msversion"
With data: "<malware version number>"
Payload
Hides files and folders
TrojanSpy:Win32/Babonock.A makes the following registry changes to prevent you from choosing to display hidden files and folders using Windows Explorer:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"
It also hides known file extensions when files are viewed in Windows Explorer by setting the following registry entry:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
Connects to a remote server
TrojanSpy:Win32/Babonock.A connects to an FTP server such as:
- bytehost10<dot>com
- bytehost6<dot>com
- drivehq<dot>com
It may do this for the following purposes:
- Download and update itself
- Download other files
- Upload files including logged keystrokes and open window count
- Create folders
Analysis by Elda Dimakiling
Last update 19 February 2013