TrojanSpy:Win32/Bebloh.A is a trojan that monitors and captures logon credentials for certain online banking and financial institution websites. The trojan also changes Windows settings, forces the use of Internet Explorer as the Web browser, and may be used by an attacker to withdraw funds from online banking accounts.
Installation
TrojanSpy:Win32/Bebloh.A may be installed by other malware or when visiting malicious websites. When run, the trojan drops a copy of itself as a randomly named file into the Windows system folder. The registry is then modified, using the Image File Execution Options "Debugger" setting shown below, so that the dropped copy is run whenever the Windows application "userinit.exe" is started, which happens at Windows startup.
Adds value: "Debugger"
With data: "<file name of Win32/Bebloh.A>"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
To hide its process in memory, the trojan injects code into the running process "CSRSS.exe". The trojan also stores 256 bytes of binary data in a registry subkey that it creates:
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\<random characters>
Payload
Disables use of a proxy
The trojan modifies the registry to disable use of an Internet proxy.
Modifies value: "ProxyEnable"
With data: "0"
In subkey: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Forces use of Internet Explorer
TrojanSpy:Win32/Bebloh.A modifies the registry so that Internet Explorer is launched in place of any of the following browsers when they are started:
- Google Chrome
- Netscape Navigator
- Opera
- Safari
The trojan creates the following subkeys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navigator.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
Under each of these subkeys, the trojan then creates the following value and data:
Adds value: "Debugger"
With data: "%ProgramFiles%\Internet Explorer\iexplore.exe"
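The registry changes described in the Installation and Payload sections above can be checked offline from a registry export. The following Python scanner is an added example and is not part of this write-up or of any Microsoft tooling: it parses the text produced by `reg export` (the `Windows Registry Editor Version 5.00` format) and flags an Image File Execution Options "Debugger" value on userinit.exe, browsers redirected to iexplore.exe, a 256-byte binary value in a direct subkey of the HKLM Internet Settings key, and ProxyEnable set to 0 in the .DEFAULT hive. The sample export embedded below is constructed; the dropped file name `xkqzp.exe`, the random subkey name `qxzmvbnr`, the value name `Data`, the benign debugger entry and the `Zones\3` key are made up for illustration, while the key paths and the "Debugger" and "ProxyEnable" value names come from the text.

```python
import re
from typing import Dict, List, Optional, Tuple, Union

# Registry locations named in the write-up, in the long-form hive names that
# `reg export` writes (HKLM -> HKEY_LOCAL_MACHINE, HKU -> HKEY_USERS).
IFEO_BASE = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
INET_SETTINGS_HKLM = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_KEY = r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REDIRECTED_BROWSERS = {"chrome.exe", "navigator.exe", "opera.exe", "safari.exe"}

RegValue = Union[str, int, bytes, None]
Finding = Tuple[str, str, str]  # (severity, key path, description)


def _hex_value(data: bytes, per_line: int = 20) -> str:
    """Render bytes the way a .reg export does: hex:aa,bb,... wrapped with '\\' continuations."""
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + per_line]) for i in range(0, len(parts), per_line)]
    return "hex:" + ",\\\n  ".join(rows)


# Constructed sample export (assumed, not taken from a real infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="C:\\Windows\\System32\\xkqzp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"Debugger"="C:\\Program Files\\Internet Explorer\\iexplore.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\mydebugger.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00011000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\qxzmvbnr]
"Data"=""" + _hex_value(bytes(range(256))) + r"""

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"""


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path: {value name: raw value text}}.
    A line ending in a backslash continues on the next line (hex data is wrapped that way)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line.partition('"=')
            keys[current][name[1:]] = value
    return keys


def decode_value(raw: Optional[str]) -> RegValue:
    """Decode the three encodings this scan needs: quoted string, dword and hex."""
    if raw is None:
        return None
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        return bytes.fromhex(m.group(1).replace(",", ""))
    return None


def scan_for_bebloh_indicators(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        k = key.lower()
        if k.startswith(IFEO_BASE.lower() + "\\"):
            image = key.rsplit("\\", 1)[1].lower()
            debugger = decode_value(values.get("Debugger"))
            if not isinstance(debugger, str):
                continue  # IFEO subkey without a Debugger value is not what this trojan sets
            if image == "userinit.exe":
                findings.append(("critical", key, f"userinit.exe hijacked via IFEO Debugger -> {debugger}"))
            elif image in REDIRECTED_BROWSERS and debugger.lower().endswith("\\iexplore.exe"):
                findings.append(("high", key, f"{image} redirected to Internet Explorer via IFEO Debugger"))
            else:
                findings.append(("info", key, f"IFEO Debugger set for {image} -> {debugger}; review"))
        elif k.startswith(INET_SETTINGS_HKLM.lower() + "\\"):
            subpath = key[len(INET_SETTINGS_HKLM) + 1:]
            if "\\" in subpath:
                continue  # the trojan writes a direct child of Internet Settings, not a nested key
            for name, raw in values.items():
                data = decode_value(raw)
                if isinstance(data, bytes) and len(data) == 256:
                    findings.append(("high", key, f"256-byte binary value '{name}' in subkey '{subpath}'"))
        elif k == PROXY_KEY.lower() and decode_value(values.get("ProxyEnable")) == 0:
            findings.append(("low", key, "ProxyEnable=0 in the .DEFAULT hive (weak signal on its own)"))
    return findings


if __name__ == "__main__":
    for severity, key, what in scan_for_bebloh_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"[{severity:8}] {what}\n           {key}")
```

To run it against a real host, export the three locations with `reg export` and feed the file to `parse_reg_export`; note that `reg export` writes UTF-16 by default, so open the file with `encoding="utf-16"`. ProxyEnable=0 is the normal state on machines without a proxy, which is why the scanner only reports it as corroboration; the IFEO "Debugger" value on userinit.exe is the decisive indicator, and any debugger entry on a browser that points at iexplore.exe reproduces the redirection described above.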
Communicates with remote Web servers
TrojanSpy:Win32/Bebloh.A connects to one of the following remote websites to receive further instructions from an attacker:
keule557.cn
bayer872.cn
atze878.cn
The trojan may download additional malware from the above websites, including updates to Win32/Bebloh itself. The commands it receives from an attacker over HTTP can include instructions to transfer funds from online banking sites to attacker-specified accounts.
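Because the trojan fetches instructions and updates over HTTP from the domains listed above, DNS query logs and Web proxy logs are the natural place to look for infected hosts. The following Python snippet is an added example, not part of this write-up: it matches the three indicator domains against constructed DNS and proxy log lines, aligning the match on domain labels so that a host such as `notkeule557.cn` or `bayer872.cn.example.net` does not trigger a false positive. The log line formats and all timestamps, client addresses and URLs are assumptions made up for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicator domains from the write-up above.
C2_DOMAINS = ("keule557.cn", "bayer872.cn", "atze878.cn")

# Constructed sample logs (assumed formats: "<ts> <client> query <type> <name>" and
# "<ts> <client> <method> <url> <status>").
SAMPLE_DNS_LOG = """\
2023-03-02T10:15:01Z 10.1.2.33 query A www.example.com
2023-03-02T10:15:07Z 10.1.2.33 query A keule557.cn
2023-03-02T10:15:09Z 10.1.2.41 query A notkeule557.cn
2023-03-02T10:16:22Z 10.1.2.33 query A update.bayer872.cn
"""
SAMPLE_PROXY_LOG = """\
1677752101.123 10.1.2.33 GET http://www.example.com/ 200
1677752102.456 10.1.2.33 GET http://atze878.cn/cfg.php?id=1 200
1677752103.789 10.1.2.50 GET http://bayer872.cn.example.net/x 404
"""

Hit = Tuple[str, str, str]  # (timestamp, client, matched host)


def host_matches(host: str, domains=C2_DOMAINS) -> bool:
    """True if host equals an indicator or is a subdomain of it (label-aligned, not substring)."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


_DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")


def scan_dns_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        m = _DNS_LINE.match(line)
        if m and host_matches(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


def scan_proxy_log(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlsplit(parts[3]).hostname or ""  # strip scheme, port, path and query
        if host_matches(host):
            hits.append((parts[0], parts[1], host))
    return hits


if __name__ == "__main__":
    for ts, client, host in scan_dns_log(SAMPLE_DNS_LOG) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}")
```

Indicator domains from a write-up like this age quickly, so treat a hit as a lead to confirm against the registry artifacts rather than as proof of infection on its own.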
Monitors access of certain online banking sites
TrojanSpy:Win32/Bebloh.A injects its code into the running process "SVCHOST.exe" and monitors the Web browser window for the following keywords:
- banking.postbank.de
- meine.deutsche-bank.de
- banking
- internetbanking.gad.de
- portal
- my.hypovereinsbank.de
The trojan may capture entered logon credentials for distribution to an attacker.
Analysis by Jaime Wong