Installation
Trojan:Win32/BeeVry may be dropped by other malware, or it may arrive as an email attachment with an alluring file name, such as either of the following:
It creates a copy of itself as "smss.exe" under the <system folder>, then runs this file. The name is borrowed from the genuine Windows Session Manager (smss.exe), which the kernel starts at boot; a copy that is started from a user's Run key is not the real one.
The trojan makes the following change to the registry to ensure that it runs each time you start Windows:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "smss"
With data: "c:\window\system32\smss.exe"
Payload
Modifies Hosts file
Trojan:Win32/BeeVry modifies the Windows Hosts file. The local Hosts file maps host names to IP addresses and is consulted before DNS, so an entry in it overrides the normal resolution of that name. Malicious software may add entries to the Hosts file in order to redirect specified host names to different IP addresses. Malware often uses this to stop you from reaching websites associated with particular security-related applications (such as antivirus update and download sites): mapping the name to the loopback address 127.0.0.1 makes the site unreachable from the infected computer.
At the time of writing, we observed the following sites being redirected to IP “127.0.0.1”:
Modifies system settings
Trojan:Win32/BeeVry disables User Account Control (UAC) by turning off LUA (Least-privileged User Account), the mechanism that runs administrators in "Admin Approval Mode" with a filtered token and prompts for elevation. With EnableLUA set to 0, administrators run with their full token and no elevation prompts are shown; the change takes effect at the next restart. It also writes the Security Center value that governs notifications about UAC being disabled. The registry modifications are:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "EnableLUA"
With data: “0”
In subkey: HKLM\SOFTWARE\Microsoft\Security Center
Sets value: "UACDisableNotify"
With data: “0”
Modifies security settings
The trojan deletes a number of registry keys to prevent you from starting your computer in safe mode. Windows safe mode depends on the subkeys under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (Minimal and Network); if those are removed, a safe-mode boot fails. The trojan may do this in an effort to hide its presence and make cleaning your computer more difficult, since safe mode is the usual way to remove malware that is running.
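The following PowerShell triage script is an added example and is not part of the Microsoft encyclopedia entry. It checks a Windows computer for the indicators described in the Installation and Payload sections above (the "smss" Run value, Hosts-file entries that redirect names to 127.0.0.1, the EnableLUA and UACDisableNotify values, and the SafeBoot keys). It only reports; it does not remediate. The safe-mode check assumes the keys the trojan removes are the standard SafeBoot\Minimal and SafeBoot\Network subkeys, which the entry does not name explicitly. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script for Trojan:Win32/BeeVry indicators (example, not from the
# encyclopedia entry). Read-only: reports findings, changes nothing.
$findings = @()

# 1. Persistence. The genuine Session Manager smss.exe is started by the kernel
#    at boot and never from a Run key, so any Run value named "smss" is suspect.
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'smss')) {
    $findings += "Run value 'smss' present, data: $($run.smss)"
}

# 2. Hosts file. A clean Windows hosts file contains only comments (and at most
#    localhost entries). Flag every name mapped to 127.0.0.1 other than localhost,
#    and report any other active entry for review.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()            # strip comments and whitespace
    if (-not $line) { return }
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }           # malformed line, nothing to map
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        if ($name -in @('localhost', 'localhost.localdomain')) { continue }
        if ($ip -eq '127.0.0.1') {
            $findings += "hosts file redirects $name to 127.0.0.1"
        } else {
            $findings += "hosts file maps $name to $ip (review)"
        }
    }
}

# 3. UAC settings. EnableLUA = 0 turns UAC off after the next restart.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings += 'EnableLUA is 0: UAC is disabled' }

$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$notify = (Get-ItemProperty -Path $scKey -Name UACDisableNotify -ErrorAction SilentlyContinue).UACDisableNotify
if ($null -ne $notify) { $findings += "UACDisableNotify is set to $notify (review)" }

# 4. Safe mode. Assumption: the trojan removes the standard SafeBoot subkeys.
foreach ($profile in 'Minimal', 'Network') {
    $safeBoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$profile"
    if (-not (Test-Path -Path $safeBoot)) {
        $findings += "SafeBoot\$profile key is missing: safe mode will not start"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No Trojan:Win32/BeeVry indicators found.'
}
```

A hit on any single check is worth investigating, but the combination of a "smss" Run value, security-vendor names pinned to 127.0.0.1, EnableLUA at 0 and missing SafeBoot keys matches this family closely. Rebuilding the SafeBoot keys and restoring the hosts file are part of cleanup, not of this script.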
Analysis by Swapnil Bhalode