by alexander.adamov on October 3rd, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 16896 bytes
Language: Visual Basic
MD5: ebe60fa9bf0dfcf7c00ddbaaf14da510
SHA1: 8ea7e3b9e7c8b7c6ad6d4b5afc94e71185a6e8b7


Trojan-Downloader.Win32.Beebone is a Trojan which downloads files via the Internet without user’s knowledge or consent. The Trojan can be spread using the following name:

Technical Details


Being executed, the Trojan decrypts separate parts of its malicious code and passes them control. The Trojan modifies the Internet Explorer Zone settings as follows:

  • All URLs are mapped to the Intranet Zone;
  • All web-nodes connected bypassing proxy server are mapped to the Intranet Zone;
  • All local web-nodes, which do not have points and do not refer to any Zone, are mapped to the Intranet Zone.

The Trojan adds the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

The malware deletes the following registry key parameters:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

The Trojan then checks the network connection to the web-resource located at:

Being successfully connected, the Trojan tries to download the file from:

The file can be saved with one of the following names:


Being saved, the file is launched by the Trojan for execution.

The Trojan reads the location of the IE cookie files from the registry to steal them.

Removal Recommendations

  1. Restore the Internet Explorer Zone settings.
  2. Delete the original malware file.
  3. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  4. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
No votes yet


Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now