TrojanDownloader:Win32/Bedobot.B
First posted on 09 January 2012.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Bedobot.B is also known as Trojan-Downloader.Win32.Banload.bqyy (Kaspersky), Trojan.DownLoader5.14058 (Dr.Web), PWS-Banker.dldr!i (McAfee).
Explanation:
TrojanDownloader:Win32/Bedobot.B is a trojan that downloads and executes malware from a remote server.
Installation
TrojanDownloader:Win32/Bedobot.B may be installed by other malware, or downloaded from the Internet. When run, it activates its trojan download payload.
Payload
Downloads arbitrary files
TrojanDownloader:Win32/Bedobot.B attempts to download additional files from a remote server.
In the wild, we have observed the trojan attempting to connect to the below addresses to download and execute files:
- 173.192.96.70/?I=D
- 173.192.96.94/?I=D
- 65.182.108.115/?I=D
At the time of writing, these URLs were not available.
Sends captured data to remote hosts
The trojan is also capable of gathering email addresses by traversing the <documents and settings> directory and parsing files with the following file extensions:
- .dbx
- .wab
- .mbx
- .mai
- .eml
- .tbb
- .mbox
In the wild, the trojan attempts to send the gathered information by connecting to the below HTTP addresses:
- 173.192.96.70/?I=1
- 173.192.96.94/?I=1
- 65.182.108.115/?I=1
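As an added example that is not part of Microsoft's write-up, the following Python checker flags proxy-log requests to the addresses listed above and labels each by the I= query value the trojan uses (D for the download stage, 1 for sending harvested data). The log layout and the sample lines are constructed for this example; the indicator values come from the write-up.

```python
import re

# Indicators taken from the write-up above (download and data-sending URLs).
BEDOBOT_HOSTS = {"173.192.96.70", "173.192.96.94", "65.182.108.115"}

# The I= query parameter selects the trojan's function on the server.
BEDOBOT_STAGES = {"D": "download-stage", "1": "send-harvested-data"}

# Constructed proxy log lines, "time src method url status" (not real traffic).
SAMPLE_LOG = """\
2012-01-09T10:01:02 10.0.0.5 GET http://173.192.96.70/?I=D 404
2012-01-09T10:01:09 10.0.0.5 GET http://65.182.108.115/?I=1 200
2012-01-09T10:02:00 10.0.0.7 GET http://example.org/index.html 200
2012-01-09T10:02:30 10.0.0.8 GET http://173.192.96.94/?I=D 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/?#]+)(?:/[^?#]*)?(?:\?([^#]*))?")


def classify_url(url):
    """Return the Bedobot stage name for a URL, or None if it is unrelated."""
    m = URL_RE.match(url)
    if not m:
        return None
    host = m.group(1).split(":", 1)[0]  # drop an explicit port, if any
    if host not in BEDOBOT_HOSTS:
        return None
    query = m.group(2) or ""
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    # A listed host with an unexpected query is still worth a look.
    return BEDOBOT_STAGES.get(params.get("I"), "unknown-bedobot-request")


def find_bedobot_hits(log_text):
    """Scan proxy log text and return one record per request to a listed host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, src, _method, url, status = m.groups()
        stage = classify_url(url)
        if stage:
            hits.append({"time": ts, "src": src, "stage": stage,
                         "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in find_bedobot_hits(SAMPLE_LOG):
        print(hit)
```

A send-harvested-data request that returned 200 (unlike the 404s the write-up's unavailable URLs would produce) is the one to escalate, since gathered email addresses may already have left the host.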
Analysis by Jonathan San Jose
Last update 09 January 2012