Trojan-Downloader.Win32.Beebone.br

by alexander.adamov on October 3rd, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 16896 bytes
Language: Visual Basic
MD5: ebe60fa9bf0dfcf7c00ddbaaf14da510
SHA1: 8ea7e3b9e7c8b7c6ad6d4b5afc94e71185a6e8b7

Summary

Trojan-Downloader.Win32.Beebone is a Trojan that downloads files from the Internet without the user's knowledge or consent. The Trojan can be spread using the following name:

Technical Details

Payload

When executed, the Trojan decrypts separate parts of its malicious code and passes control to them. The Trojan modifies the Internet Explorer Zone settings as follows:

  • All URLs are mapped to the Intranet Zone;
  • All sites reached without going through the proxy server are mapped to the Intranet Zone;
  • All local sites whose names contain no dots and are not assigned to any other Zone are mapped to the Intranet Zone.

The Trojan adds the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

The malware deletes the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The Trojan then checks the network connection to the web resource located at:

http://updatemyddns.ddns01.com:60777

If the connection succeeds, the Trojan tries to download a file from:

http://updatemyddns.ddns01.com:60777/b/

The file can be saved with one of the following names:

start1.exe
0.exe
vhe.exe

Once saved, the file is executed by the Trojan.

The Trojan reads the location of the Internet Explorer cookie files from the registry in order to steal them.

Removal Recommendations

  1. Restore the Internet Explorer Zone settings.
  2. Delete the original malware file.
  3. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  4. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).
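The registry changes listed under Payload and removal step 1 can be checked with the following PowerShell snippet. It is an added example, not part of the original description; it only reads HKCU and reports whether the current user's Internet Settings match the full combination the Trojan leaves behind. The helper name Get-RegValue is defined here for illustration.

```powershell
# Added example (not from the original description): check the current user's
# Internet Settings for the combination of values this Trojan writes and deletes.
# Read-only; it changes nothing. Restore the settings via Internet Options afterwards.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone = "$inet\ZoneMap"

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value's data, or $null when the value is absent.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Values the Trojan sets (as listed on the page) and values it deletes.
$setByTrojan = @(
    @{ Path = $zone; Name = 'UNCAsIntranet'; Value = 1 },
    @{ Path = $zone; Name = 'ProxyBypass';   Value = 1 },
    @{ Path = $zone; Name = 'IntranetName';  Value = 1 },
    @{ Path = $inet; Name = 'ProxyEnable';   Value = 0 },
    @{ Path = $inet; Name = 'MigrateProxy';  Value = 1 }
)
$deletedByTrojan = @('AutoConfigURL', 'ProxyServer', 'ProxyOverride')

$hits = @()
foreach ($v in $setByTrojan) {
    $cur = Get-RegValue $v.Path $v.Name
    if ($cur -eq $v.Value) { $hits += "$($v.Name)=$cur" }
}
$missing = @($deletedByTrojan | Where-Object { $null -eq (Get-RegValue $inet $_) })

# Each value on its own is a legitimate Internet Options setting (and an absent
# ProxyServer is normal on a machine with no proxy); only the complete combination
# of all five values set and all three proxy values removed mirrors the Trojan.
[pscustomobject]@{
    MatchingValues       = $hits
    MissingProxyValues   = $missing
    MatchesTrojanProfile = ($hits.Count -eq $setByTrojan.Count -and
                            $missing.Count -eq $deletedByTrojan.Count)
}
```

On a machine that has been cleaned, MatchesTrojanProfile should be False; a True result is a cue to apply removal steps 1 to 4 above.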