
System Infected: Trojan.BetaBot Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Trojan.BetaBot activity that opens a backdoor on the compromised system.

Additional Information

When the Trojan is executed, it copies itself to the following location:
%ProgramFiles%\Common Files\[TROJAN FOLDER NAME].{2227A280-3AEA-1069-A2DE-08002B30309D}\[NINE RANDOM LOWER CASE CHARACTERS].exe

The CLSID appended to the folder name is the class ID of the Printers shell folder, so Windows Explorer renders the directory as a Printers view instead of listing the dropped executable. The real contents are still visible from a command prompt (dir /a) or from any tool that reads the file system directly.

Where [TROJAN FOLDER NAME] is one of the following:

Flash Update Client
Windows Licence Check


Next the Trojan creates the following registry entries so that it runs at every logon, including under the .DEFAULT profile that is loaded before any user signs in. The Policies\Explorer\Run entries are a second, less commonly inspected autostart location, so check both:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[TROJAN FOLDER NAME]" = "[PATH TO TROJAN EXECUTABLE]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[TROJAN FOLDER NAME]" = "[PATH TO TROJAN EXECUTABLE]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"[TROJAN FOLDER NAME]" = "[PATH TO TROJAN EXECUTABLE]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"[TROJAN FOLDER NAME]" = "[PATH TO TROJAN EXECUTABLE]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"[TROJAN FOLDER NAME]" = "[PATH TO TROJAN EXECUTABLE]"


It may also create some of the following registry entries. The two Image File Execution Options values are attached to the Trojan's own file name: DisableExceptionChainValidation switches off SEHOP (structured exception handler overwrite protection) for that image, and "Time" is not a value that Windows defines. The Win7zip and TaskManager keys are created neither by Windows nor by 7-Zip, so the random hexadecimal values stored under them are useful host indicators of infection:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[TROJAN FILE NAME]\"Time" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[TROJAN FILE NAME]\"DisableExceptionChainValidation" = ""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\TaskManager\"Task Service ID" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\TaskManager\"Task Service ID" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TaskManager\"Task Service ID" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_CURRENT_USER\Software\Win7zip\"Uuid" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_USERS\.DEFAULT\Software\Win7zip\"Uuid" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_LOCAL_MACHINE\SOFTWARE\Win7zip\"Uuid" = "[RANDOM HEXADECIMAL CHARACTERS]"
HKEY_USERS\.DEFAULT\Software\Classes\CLSID\[RANDOM GUID]\[EIGHT HEXADECIMAL CHARACTERS]\CW1\"[THREE OR FOUR DIGITS]" = "[HEXADECIMAL CHARACTERS]"


The Trojan then lowers Internet Explorer's security settings by writing the value 2500 (Protected Mode) as 3 (disabled) for zones 1 to 4 (Local intranet, Trusted sites, Internet and Restricted sites), so that content from every zone runs outside Protected Mode:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = "3"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2500" = "3"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\"2500" = "3"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\"2500" = "3"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"2500" = "3"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\"2500" = "3"


It also modifies the following registry entries, which keep files flagged hidden and system out of Explorer listings (ShowSuperHidden = 0), set the SSDP Discovery service used for UPnP device discovery to start automatically (Start = 2), and switch off Java's automatic updates (EnableJavaUpdate = 0) so that the installed runtime stays unpatched:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\SSDPSRV\"Start" = "2"
HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy\"EnableJavaUpdate" = "0"


Next, the Trojan creates a hidden instance of the iexplore.exe process and injects code into it.

It then connects to one of the following locations and opens a back door allowing a remote attacker to gain access to the compromised computer:

[http://]webhostingprotection.info/icool/orde[REMOVED]
[http://]assler.hfgfr56745fg.com/cakes/sale[REMOVED]


The Trojan then ends all programs with open windows, including explorer.exe.
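The following PowerShell script is an added hunting check and is not part of Symantec's signature or of this write-up. It sweeps a single host for the file, registry and process artifacts described above: the dropped executable under the Printers-CLSID folder, the autorun entries, the Win7zip and TaskManager markers, the Image File Execution Options values, the Protected Mode setting in zones 1 to 4, and a windowless iexplore.exe. The folder names, key paths and value names are taken from the write-up; the script structure, the $findings list and the output format are assumptions of this example.

```powershell
# Added hunting script, not part of the Symantec write-up. Run from an
# elevated PowerShell prompt on the suspect host. Artifact names come from
# the write-up; structure and output format are this example's own choices.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped executable: <Common Files>\<name>.{Printers CLSID}\<9 lower-case letters>.exe
$clsid = '{2227A280-3AEA-1069-A2DE-08002B30309D}'
$roots = @("$env:ProgramFiles\Common Files")
if (${env:ProgramFiles(x86)}) { $roots += "${env:ProgramFiles(x86)}\Common Files" }
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith(".$clsid", [StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -cmatch '^[a-z]{9}\.exe$' } |
                ForEach-Object { $findings.Add("Dropped file: $($_.FullName)") }
        }
}

# 2. Autorun entries under the two display names the Trojan uses.
#    HKEY_USERS\.DEFAULT is the profile loaded before any user signs in.
$trojanNames = @('Flash Update Client', 'Windows Licence Check')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    foreach ($name in $trojanNames) {
        $v = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
        if ($v) { $findings.Add("Autorun: $key\$name = $($v.$name)") }
    }
}

# 3. Infection markers under keys that neither Windows nor 7-Zip creates.
$markers = @(
    @{ Key = 'HKLM:\SOFTWARE\Win7zip'; Name = 'Uuid' },
    @{ Key = 'HKCU:\Software\Win7zip'; Name = 'Uuid' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Win7zip'; Name = 'Uuid' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TaskManager'; Name = 'Task Service ID' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\TaskManager'; Name = 'Task Service ID' },
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\TaskManager'; Name = 'Task Service ID' }
)
foreach ($m in $markers) {
    $v = Get-ItemProperty -LiteralPath $m.Key -Name $m.Name -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("Marker: $($m.Key)\$($m.Name) = $($v.($m.Name))") }
}

# 4. Image File Execution Options subkeys carrying either value the Trojan writes.
#    DisableExceptionChainValidation is occasionally set for application
#    compatibility, so a hit here is a lead to triage, not proof on its own.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($p -and ($p.PSObject.Properties['Time'] -or $p.PSObject.Properties['DisableExceptionChainValidation'])) {
        $findings.Add("IFEO: $($_.PSChildName)")
    }
}

# 5. Internet Explorer Protected Mode switched off (value 2500 = 3) in zones 1-4.
foreach ($hive in @('HKCU:\Software', 'Registry::HKEY_USERS\.DEFAULT\Software')) {
    foreach ($zone in 1..4) {
        $zk = "$hive\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $v = Get-ItemProperty -LiteralPath $zk -Name '2500' -ErrorAction SilentlyContinue
        if ($v -and $v.'2500' -eq 3) { $findings.Add("Protected Mode off: $zk\2500 = 3") }
    }
}

# 6. iexplore.exe running without a window: the injection target described above.
#    Background Internet Explorer instances can be legitimate, so correlate
#    with the other findings before acting.
Get-Process -Name iexplore -ErrorAction SilentlyContinue |
    Where-Object { $_.MainWindowHandle -eq 0 } |
    ForEach-Object { $findings.Add("Windowless iexplore.exe: PID $($_.Id)") }

if ($findings.Count -eq 0) { 'No BetaBot artifacts found.' } else { $findings }
```

Any hit on checks 1 to 3 or 5 is strong evidence of this family on the host; checks 4 and 6 can fire on benign configurations and are included only to point the analyst at the process and the IFEO key to examine next. Because the Trojan terminates explorer.exe, run the script from a console started before the infection is disturbed, or remotely via PowerShell remoting.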

Affected

  • All Windows platforms