Troj/Bayrob-B

Category: Viruses and Spyware
Type: Trojan
Protection available since: 16 Jan 2008 22:35:38 (GMT)
Last Updated: 15 Jun 2013 02:09:35 (GMT)
Prevalence: Small Number of Reports


Troj/Bayrob-B is an information-stealing Trojan for the Windows platform.

Troj/Bayrob-B includes functionality to act as a proxy and to change the user's proxy settings.

When first run, Troj/Bayrob-B copies itself to <System>\fdihkchp.exe.

Troj/Bayrob-B attempts to drop a clean data file called "tst" to a number of folders, including <System>\44682352, and drops files to the Temp folder called CNQJ<random characters>.EXE. These are all detected as Troj/Bayrob-A.

Troj/Bayrob-B adds itself to run on startup in three different ways:

- creates the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tikbnqen
<System>\fdihkchp.exe

- adds itself as a service:

HKLM\SYSTEM\CurrentControlSet\Services\Bbonxhdz

- adds itself to the current user's Start Menu:

<Start Menu>\Programs\Startup\fdihkchp.exe

Troj/Bayrob-B may modify the contents of the following files:

<System32>\drivers\etc\hosts
<AppData>\Mozilla\Firefox\Profiles\<username>\user.js

Troj/Bayrob-B attempts to redirect requests for sites including ebay.com in order to steal information from the user.
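The following PowerShell script is an added triage example, not Sophos's code and not part of this description. It checks a Windows host for the artifacts listed above: the dropped copy and Temp files, the three persistence entries, and the hosts and user.js modifications. The file, value, key and path names are the ones given on this page; the function name Test-BayrobArtifacts, the extra HKCU Run-key check, the assumption that a hosts-file redirect will name ebay.com, and the network.proxy.* pref pattern searched for in user.js are assumptions of this example.

```powershell
# Added triage script (not Sophos code): looks for the Troj/Bayrob-B artifacts
# described on this page. Anything not named on the page is an assumption.
function Test-BayrobArtifacts {
    [CmdletBinding()]
    param(
        # Paths are parameters so the file checks can be pointed at a mounted image.
        [string]$SystemDir   = "$env:SystemRoot\System32",
        [string]$StartupDir  = [Environment]::GetFolderPath('Startup'),
        [string]$TempDir     = $env:TEMP,
        [string]$HostsPath   = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]$ProfilesDir = "$env:APPDATA\Mozilla\Firefox\Profiles"
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Dropped copy in <System> and the CNQJ<random>.EXE droppers in Temp
    $exe = Join-Path $SystemDir 'fdihkchp.exe'
    if (Test-Path -LiteralPath $exe) { $findings.Add("copy present: $exe") }
    Get-ChildItem -Path $TempDir -Filter 'CNQJ*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("dropper in Temp: $($_.FullName)") }

    # 2. Run-key value "Tikbnqen" (the page lists HKLM; HKCU is checked as an extra)
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $val = Get-ItemProperty -Path $key -Name 'Tikbnqen' -ErrorAction SilentlyContinue
        if ($val) { $findings.Add("Run value ${hive}\...\Run\Tikbnqen = $($val.Tikbnqen)") }
    }

    # 3. Service key "Bbonxhdz"
    if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Bbonxhdz') {
        $findings.Add('service key Bbonxhdz present')
    }

    # 4. Copy in the current user's Startup folder
    $startupExe = Join-Path $StartupDir 'fdihkchp.exe'
    if (Test-Path -LiteralPath $startupExe) { $findings.Add("startup copy: $startupExe") }

    # 5. hosts entries that repoint eBay (assumed: any active line naming ebay.com)
    if (Test-Path -LiteralPath $HostsPath) {
        Get-Content -LiteralPath $HostsPath | ForEach-Object {
            $line = $_.Trim()
            if ($line -and -not $line.StartsWith('#') -and $line -match 'ebay\.com') {
                $findings.Add("hosts redirect: $line")
            }
        }
    }

    # 6. Firefox user.js proxy prefs (assumed pref-name pattern network.proxy.*)
    if (Test-Path -LiteralPath $ProfilesDir) {
        Get-ChildItem -LiteralPath $ProfilesDir -Directory | ForEach-Object {
            $userJs = Join-Path $_.FullName 'user.js'
            if (Test-Path -LiteralPath $userJs) {
                Select-String -LiteralPath $userJs -Pattern 'network\.proxy\.' | ForEach-Object {
                    $findings.Add("user.js proxy pref in $($_.Path): $($_.Line.Trim())")
                }
            }
        }
    }

    return $findings
}

$hits = Test-BayrobArtifacts
if ($hits.Count -eq 0) { 'No Troj/Bayrob-B artifacts found.' } else { $hits }
```

Run it from an elevated prompt so the HKLM service key and the hosts file are readable; a non-empty result is a lead for further analysis, not proof of infection on its own, since the proxy prefs and hosts entries can also be set legitimately.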

Troj/Bayrob-B attempts to disguise itself by dropping a copy of "Kodak Viewer Express" and loading an image, for example one of a motorcycle.

Sophos's anti-virus products include Behavioral Genotype® Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against components of Troj/Bayrob-B (detected as Sus/UnkPacker and Sus/Dropper-A) since version 4.19.
