
MSIL/Bepush


First posted on 07 February 2014.
Source: Microsoft

Aliases:

There are no other names known for MSIL/Bepush.

Explanation:

Threat behavior

Installation

The trojan accesses your personal pages for the following sites:

  • Google+
  • Facebook
  • Twitter
  • VK (VKontakte)
  • YouTube


When it has access, it posts links on your pages that encourage your friends or followers to go to a video. Usually, the messages are posted in your own language.

When the person goes to the video, they are told they need to download an update for Flash Player. The download is really a copy of the trojan, and so their PC and personal pages are then infected. We detect the downloaded file as TrojanDropper:MSIL/Bepush.A.

Payload

Redirects your browser

The plugin changes your browser settings so that when you open a new tab in Chrome or Firefox, you will be redirected to the site www.fileshareservices.net/start.html.

Downloads malware

We have seen variants of the MSIL/Bepush family try to download the fake Flash Player update from the following locations, among others:

  • http://www.fileshareservices.org/extFiles/buflash.xpi
  • http://www.fileshareservices.org/extFiles/bune10.zip
  • http://www.fileshareservices.org/extFiles/list.txt
  • http://www.fileshareservices.org/extFiles/NewFile000305.exe
  • http://www.fileshareservices.org/extFiles/yok.txt
  • http://www.fileshareservices.org/extFiles/control305.txt


The domains that host the files are changed frequently. Most likely, this is an attempt to get around domain-blocking protections.

We've seen it download the file to the %ProgramData% folder with the following file names:

  • FLVUpdate.exe
  • SExtension\Flash_Plugin.exe
  • SExtension\Ionic.Zip.dll
  • SExtension\log_635271254169910234.txt
  • SExtension\SExtension\buflash.xpi
  • SExtension\SExtension\bune10.zip
  • SExtension\System.Data.SQLite.dll
  • SExtension\Updater.exe
  • YokExe.exe

Analysis by Jody Koo

Symptoms

The following could indicate that you have this threat on your PC:

  • There are messages and links on your social media pages that you don't recall posting
  • You have these files in the %ProgramData% folder:
    • FLVUpdate.exe
    • SExtension\Flash_Plugin.exe
    • SExtension\Ionic.Zip.dll
    • SExtension\log_635271254169910234.txt
    • SExtension\SExtension\buflash.xpi
    • SExtension\SExtension\bune10.zip
    • SExtension\System.Data.SQLite.dll
    • SExtension\Updater.exe
    • YokExe.exe

  • You see www.fileshareservices.net/start.html when you open a new tab in Chrome or Firefox
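As an added check that is not part of the Microsoft write-up, the following PowerShell script looks under %ProgramData% for the file indicators listed above and reports any process running from them. It assumes the numeric suffix of the log file name varies between infections (it looks like a .NET tick count), so that name is matched with a wildcard.

```powershell
# Added example (not from the Microsoft write-up): report MSIL/Bepush file
# indicators under %ProgramData% and any process running from them.
$base = $env:ProgramData

# Relative paths taken from the write-up. The log file's numeric suffix is
# assumed to be a per-infection .NET tick count, hence the wildcard.
$indicators = @(
    'FLVUpdate.exe',
    'YokExe.exe',
    'SExtension\Flash_Plugin.exe',
    'SExtension\Ionic.Zip.dll',
    'SExtension\System.Data.SQLite.dll',
    'SExtension\Updater.exe',
    'SExtension\SExtension\buflash.xpi',
    'SExtension\SExtension\bune10.zip',
    'SExtension\log_*.txt'
)

$findings = foreach ($rel in $indicators) {
    $pattern = Join-Path $base $rel
    # -Force so hidden files are not skipped; wildcards are expanded here
    foreach ($f in Get-ChildItem -Path $pattern -File -Force -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            Path    = $f.FullName
            Size    = $f.Length
            Created = $f.CreationTimeUtc
            SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        }
    }
}

if (-not $findings) {
    Write-Output "No MSIL/Bepush file indicators found under $base"
    return
}

$findings | Format-Table -AutoSize

# Processes whose image lives in the dropped SExtension folder or is one of the
# files found above (Path is empty for some system processes, so guard on it).
$dropDir = Join-Path $base 'SExtension'
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like "$dropDir\*" -or $_.Path -in $findings.Path) } |
    Select-Object Id, ProcessName, Path
```

Run it from an elevated prompt so hidden files and other users' processes are visible; a hit on any of these paths, together with the new-tab redirect above, is a strong sign of infection.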

Last update 07 February 2014
