Troj/BeastDo-V

Category: Viruses and Spyware
Type: Trojan
Prevalence: Small Number of Reports


Troj/BeastDo-V is a backdoor Trojan for the Windows platform.

When first run, Troj/BeastDo-V copies itself to the following locations:

<Windows folder>\msagent\msqyux.com
<Windows system folder>\msbfqp.com
<Windows system folder>\mshost.exe

In order to run when a user logs on, Troj/BeastDo-V creates the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
COM Service
"<Windows folder>\msagent\msqyux.com"

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
COM Service
"<Windows folder>\msagent\msqyux.com"

HKLM\Software\Microsoft\Active Setup\Installed Components\
{42CE4021-DE03-E3CC-EA32-40BB12E6015D}\
StubPath
"<Windows system folder>\msbfqp.com"

The Trojan also deletes several registry entries under the following key:

HKLM\Software\Microsoft\EventSystem\
{26c409cc-ae86-11d1-b616-00805fc79216}\Subscriptions\

The following registry entries are modified:

HKLM\System\CurrentControlSet\Services\SharedAccess\
Start
"dword:00000004"

HKCU\Software\Microsoft\RAS Autodial\Control\
LoginSessionDisable
"dword:00000001"

Troj/BeastDo-V opens a backdoor on the infected computer and sends an email containing the connection details to a remote user. The Trojan can perform the following functions:

log keypresses
capture screen/webcam images
send email (with or without attachments)
disable System Restore
gather system information (process and file listings, etc.)
terminate system services
download/execute arbitrary files
execute arbitrary commands (remote shell)
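
The file and registry indicators listed earlier on this page can be checked with a read-only script. The PowerShell below is an added example, not Sophos code: it assumes <Windows folder> is %windir% and <Windows system folder> is the system directory, and Get-RegValue is a helper name made up for this illustration.

```powershell
# Added example: read-only check for the Troj/BeastDo-V indicators on this page.
# Assumption: <Windows folder> = %windir%, <Windows system folder> = system directory.
$win = $env:windir
$sys = [Environment]::SystemDirectory
$findings = @()

# Hypothetical helper: returns the value data, or $null if the key or value is absent.
function Get-RegValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

# 1. Dropped copies of the Trojan.
$files = @(
    (Join-Path $win 'msagent\msqyux.com'),
    (Join-Path $sys 'msbfqp.com'),
    (Join-Path $sys 'mshost.exe')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $findings += "[strong] file present: $f" }
}

# 2. Registry values. The persistence entries are strong indicators; the two modified
#    settings can also come from legitimate configuration, so they are marked weak.
#    HKCU checks only cover the user running the script.
$run = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$stub = 'HKLM:\Software\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D}'
$checks = @(
    @{ Key = "HKCU:\$run"; Name = 'COM Service'; Like = '*\msagent\msqyux.com*'; Level = 'strong' },
    @{ Key = "HKLM:\$run"; Name = 'COM Service'; Like = '*\msagent\msqyux.com*'; Level = 'strong' },
    @{ Key = $stub; Name = 'StubPath'; Like = '*\msbfqp.com*'; Level = 'strong' },
    @{ Key = 'HKLM:\System\CurrentControlSet\Services\SharedAccess'; Name = 'Start'; Like = '4'; Level = 'weak' },
    @{ Key = 'HKCU:\Software\Microsoft\RAS Autodial\Control'; Name = 'LoginSessionDisable'; Like = '1'; Level = 'weak' }
)
foreach ($c in $checks) {
    $v = Get-RegValue -Key $c.Key -Name $c.Name
    if ($null -ne $v -and "$v" -like $c.Like) {
        $findings += "[$($c.Level)] registry: $($c.Key)\$($c.Name) = $v"
    }
}

if ($findings.Count -eq 0) { 'No Troj/BeastDo-V indicators from this page found.' }
else { $findings }
```

A weak finding on its own is not evidence of infection; treat it as significant only alongside a strong one.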
