
System Infected: Trojan.Bayrob Request

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Trojan.Bayrob communicating and requesting information from its controlling server.

Additional Information

Trojan.Bayrob is a Trojan horse that establishes a proxy server and steals sensitive information from the compromised computer.

When the Trojan horse is executed it creates the following files:

* %System%\windowsupdate.exe
* %System%\4033ccf\cfg
* %System%\8089sys\tst
* %System%\8089sys\ban
* %UserProfile%\Administrator\Local Settings\Temp\KVET[RANDOM CHARACTERS]A.exe
* %UserProfile%\Administrator\Local Settings\Temp\KVET[RANDOM CHARACTERS]STRP.exe
* %System%\bmscyxon.exe
* %System%\cgqyrsyh.exe

It then creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "C:\WINDOWS\system32\WindowsUpdate.exe"

The Trojan registers the file %System%\windowsupdate.exe as a service with the following characteristics:
Service Name: Windows Update
Display Name: Windows Update
Startup Type: Automatic
Message: Maintains your Windows up to date. If this service is stopped, your computer may become vulnerable to various security threats such as viruses.

It then creates entries under the following registry subkey for the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update

The Trojan modifies the following registry entries to lower internet security settings:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = "01000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "01000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = "01000000"

The Trojan also modifies entries in the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

The Trojan adds the following line to the %UserProfile%\Application Data\Mozilla\Firefox\Profiles\[CURRENT PROFILE]\user.js file:
user_pref("network.proxy.type", 0);

It opens a back door on TCP port 80 and acts as a proxy server. It redirects the internet connection through this proxy server.

The Trojan waits for a user to log on to eBay and then silently alters the data that is shown from the following sites:

* my.ebay.com
* cgi.ebay.com
* offer.ebay.com
* feedback.ebay.com
* motors.search.ebay.com
* search.ebay.com
* us.ebayobjects.com
* pages.ebay.com
* pages.motors.ebay.com
* www.carfax.com
* wwwapps.ups.com
* motors.listings.ebay.com
* cgi1.ebay.com
* escrow.com
* my.escrow.com
* ecart.escrow.com
* www.escrow.com

It also connects to the following domains:

* detailsnum.com
* wai-k-mart.com
* onemoreshoot.com
* wal-stop-mart.com
* jdo24nrojseklehfn.com
* superdigitalprices.com
* wmwbc.com
* vam-ars.com
* cameradealsusa.com
* michelleorea.com

Affected

  • Windows 98
  • Windows 95
  • Windows XP
  • Windows Me
  • Windows NT
  • Windows 2000

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan.
4. Delete any values added to the registry.
5. Find and stop the service.
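The following script is an added example and is not Symantec's tooling or part of this signature. It turns the host indicators listed above (dropped files, the "Windows Update" Run value and service key, the ZoneMap values, and the Firefox user.js line) into an offline triage check that an analyst can run over artifacts collected from a suspect machine: a list of file paths, a .reg export, and the contents of user.js. It assumes %System% is C:\WINDOWS\system32 and that the temp droppers' random middle part is alphanumeric; the sample inputs at the bottom are constructed for illustration.

```python
"""Offline triage of collected host artifacts against the Trojan.Bayrob
indicators in the advisory above (added example, not Symantec code)."""
import re

# --- indicators transcribed from the advisory text ---------------------------
BAYROB_FILES = {
    r"%System%\windowsupdate.exe",
    r"%System%\4033ccf\cfg",
    r"%System%\8089sys\tst",
    r"%System%\8089sys\ban",
    r"%System%\bmscyxon.exe",
    r"%System%\cgqyrsyh.exe",
}
# Temp droppers: KVET[RANDOM CHARACTERS]A.exe / KVET[RANDOM CHARACTERS]STRP.exe.
# Assumption: the random part is alphanumeric.
TEMP_DROPPER_RE = re.compile(r"\\KVET[A-Z0-9]+(?:A|STRP)\.exe$", re.IGNORECASE)

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = ("Windows Update", r"C:\WINDOWS\system32\WindowsUpdate.exe")
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update"
ZONEMAP_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap")
ZONEMAP_VALUES = {"IntranetName", "UNCAsIntranet", "ProxyBypass"}
USERJS_PREF = 'user_pref("network.proxy.type", 0);'


def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: raw_data}}.
    Only [key] headers and "name"=data lines are handled; that is all the
    checks below need. Escaped backslashes in data are unescaped."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            reg[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return reg


def normalize_path(path, system_dir=r"C:\WINDOWS\system32"):
    """Map a concrete path back onto the advisory's %System% placeholder
    (assumed system directory: C:\\WINDOWS\\system32)."""
    if path.lower().startswith(system_dir.lower()):
        return "%System%" + path[len(system_dir):]
    return path


def check_files(paths):
    """Flag paths that match a listed file or the temp dropper pattern."""
    known = {p.lower() for p in BAYROB_FILES}
    hits = []
    for p in paths:
        if normalize_path(p).lower() in known:
            hits.append(f"file: {p}")
        elif TEMP_DROPPER_RE.search(p):
            hits.append(f"temp dropper pattern: {p}")
    return hits


def check_registry(reg):
    """Flag the Run value, the service key and the ZoneMap values."""
    hits = []
    name, path = RUN_VALUE
    if reg.get(RUN_KEY, {}).get(name, "").lower() == path.lower():
        hits.append(f"Run value {name!r} -> {path}")
    if SERVICE_KEY in reg:
        hits.append("service key present: Windows Update")
    zonemap = reg.get(ZONEMAP_KEY, {})
    for v in sorted(ZONEMAP_VALUES & set(zonemap)):
        hits.append(f"ZoneMap {v} = {zonemap[v]}")
    return hits


def check_firefox_userjs(text):
    """Flag the exact user.js line the advisory says the Trojan appends."""
    return [f"user.js: {line.strip()}" for line in text.splitlines()
            if line.strip() == USERJS_PREF]


def triage(paths, reg_export, userjs):
    """Run every check and return the combined list of indicator hits."""
    return (check_files(paths)
            + check_registry(parse_reg_export(reg_export))
            + check_firefox_userjs(userjs))


# --- constructed sample artifacts (not real collections) ---------------------
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\windowsupdate.exe",
    r"C:\WINDOWS\system32\8089sys\tst",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\KVET7F3Q2A.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Update"="C:\\WINDOWS\\system32\\WindowsUpdate.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update]
"DisplayName"="Windows Update"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet"=dword:00000001
"ProxyBypass"=dword:00000001
'''
SAMPLE_USERJS = ('user_pref("browser.startup.page", 1);\n'
                 'user_pref("network.proxy.type", 0);\n')

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_USERJS):
        print(hit)
```

The ProxyEnable = 0 modification is deliberately not treated as a hit on its own, because that is the default on most machines and would only add noise; the service key, the Run value and the dropped files are the indicators worth acting on in steps 4 and 5 above.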