
Worm:Win32/Babonock.A


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Worm:Win32/Babonock.A is also known as Worm/Win32.AutoIt, Trojan-Spy.Win32.AutoIt.p, Worm/Autoit.ANVE, TR/Spy.Babonock.A, Win32/Autoit.HG worm, Trojan-Spy.Win32.Babonock, Mal/Babonock-A, W32.Harakit, TROJ_SPNR.07JT11.

Explanation :

Installation

TrojanSpy:Win32/Babonock.A drops itself as the following file:

%AppData%\Microsoft\Office\rundll32.exe

It creates the following registry entry so that it runs every time Windows starts:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Windows"
With data: "%AppData%\Microsoft\Office\rundll32.exe"

It also creates the following registry entry to keep track of what version of itself is installed in your computer:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Msversion"
With data: ""

Payload

Hides files and folders

TrojanSpy:Win32/Babonock.A makes the following registry change so that Windows Explorer no longer offers the option to display hidden (protected operating system) files and folders:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "ShowSuperHidden"
With data: "0"

It also hides known file extensions when files are viewed in Windows Explorer by setting the following registry entry:

In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "HideFileExt"
With data: "1"
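A read-only triage check for the installation and Explorer-hiding artifacts listed above, added here as an example and not part of the Microsoft write-up. It assumes the paths with their backslashes restored and that it runs in the context of the affected user (the entries are under HKCU); note that ShowSuperHidden=0 and HideFileExt=1 are also Windows defaults, so on their own they only corroborate the Run value and the dropped file.

```powershell
# Added example: audit HKCU for the Babonock.A artifacts described above.
# Reads only; it does not remediate anything.
$runKey      = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$advancedKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$dropPath    = Join-Path $env:APPDATA 'Microsoft\Office\rundll32.exe'

$findings = @()

# 1. Run-key value "Microsoft Windows" used for persistence at logon.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft Windows']) {
    $findings += "Run value 'Microsoft Windows' = $($run.'Microsoft Windows')"
}

# 2. The dropped copy. The legitimate rundll32.exe lives in %SystemRoot%\System32,
#    so a file of that name under %AppData%\Microsoft\Office is suspect by location.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropPath (SHA256 $hash)"
}

# 3. Explorer\Advanced: the worm's own version marker plus the two hiding settings.
#    ShowSuperHidden=0 and HideFileExt=1 are Windows defaults, so treat them as
#    corroborating evidence only, never as a finding by themselves.
$adv = Get-ItemProperty -Path $advancedKey -ErrorAction SilentlyContinue
if ($adv) {
    if ($adv.PSObject.Properties['Msversion']) {
        $findings += "Msversion marker present: '$($adv.Msversion)'"
    }
    if ($adv.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden = 0 (protected OS files hidden; also the default)' }
    if ($adv.HideFileExt -eq 1)     { $findings += 'HideFileExt = 1 (known extensions hidden; also the default)' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Babonock.A artifacts found in HKCU for the current user.'
} else {
    Write-Output 'Possible Babonock.A artifacts:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```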

Connects to a remote server

TrojanSpy:Win32/Babonock.A connects to an FTP server such as:

bytehost10.com
bytehost6.com
drivehq.com

It may do this for the following purposes:

Download and update itself
Download other files
Upload files, including logged keystrokes and the count of open windows
Create folders

Analysis by Elda Dimakiling

Last update 15 February 2019
