03/01/2007

Trojan.Bayrob

Type:  Trojan
Discovered:  01.03.2007
Updated:  01.03.2007
Affected systems:  Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
AV Vendor:  Symantec

Description:

When the Trojan horse is executed it creates the following files:

• %System%\windowsupdate.exe
• %System%\4033ccf\cfg
• %System%\8089sys\tst
• %System%\8089sys\ban
  
• %UserProfile%\Administrator\Local Settings\Temp\KVET[RANDOM CHARACTERS]A.exe
• %UserProfile%\Administrator\Local Settings\Temp\KVET[RANDOM CHARACTERS]STRP.exe
• %System%\bmscyxon.exe
• %System\cgqyrsyh.exe
  

It then creates the following registry entry, so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"Windows Update" = "C:\WINDOWS\system32\WindowsUpdate.exe"

The Trojan registers the file %System%\windowsupdate.exe as a service with the following characteristics:
Service Name: Windows Update
Display Name: Windows Update
Startup Type: Automatic
Message: Maintains your Windows up to date. If this service is stopped, your computer may become vulnerable to various security threats such as viruses.

It then creates entries under the following registry subkey for the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Update

The Trojan modifies the following registry entries to lower internet security settings:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"IntranetName" = "01000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "01000000"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"ProxyBypass" = "01000000"

The Trojan also modifies entries in the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections

The Trojan adds the following line to the %UserProfile%\Application Data\Mozilla\Firefox\Profiles\[CURRENT PROFILE]\user.js file:
user_pref("network.proxy.type", 0);

It opens a back door on TCP port 80 and acts as a proxy server. It redirects the internet connection through this proxy server.

The Trojan waits for a user to log onto Ebay and then silently alters the data that is shown from the following sites:

• my.ebay.com
• cgi.ebay.com
• offer.ebay.com
• feedback.ebay.com
• motors.search.ebay.com
• search.ebay.com
• us.ebayobjects.com
• pages.ebay.com
• pages.motors.ebay.com
• www.carfax.com
• wwwapps.ups.com
• motors.listings.ebay.com
• cgi1.ebay.com
• escrow.com
• my.escrow.com
• ecart.escrow.com
• www.escrow.com

It also connects to the following URLs:

• detailsnum.com
• wai-k-mart.com
• onemoreshoot.com
• wal-stop-mart.com
• jdo24nrojseklehfn.com
• superdigitalprices.com
• wmwbc.com
• vam-ars.com
• cameradealsusa.com
• michelleorea.com