Troj/Bayrob-B is an information-stealing Trojan for the Windows platform.
Troj/Bayrob-B includes functionality to act as a proxy as well as change the user's proxy settings.
When first run, Troj/Bayrob-A copies itself to <System>\fdihkchp.exe.
Troj/Bayrob-B attempts to drop a clean data file called "tst" to a number of folders, including <System>\44682352, and drops files to the Temp folder called CNQJ<random characters>.EXE. These are all detected as Troj/Bayrob-A.
Troj/Bayrob-B adds itself to run on startup in three different ways:
- creates one of the following registry entries:
- adds itself as a service:
- adds itself to the current user's Start Menu:
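As an added host-triage example (not Sophos code), the script below checks a constructed snapshot of file paths and autorun entries for the artifacts described above. It assumes <System> is C:\Windows\System32 and Temp is the user's Temp folder; since the registry value, service and Start Menu entry names are not given here, any autorun whose image is fdihkchp.exe is flagged.

```python
import fnmatch
import ntpath

# Assumed resolution of the <System> and Temp placeholders in the description.
SYSTEM_DIR = r"C:\Windows\System32"
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"
DROPPED_COPY = "fdihkchp.exe"

# Constructed host snapshot (not from a real infection): file paths plus
# autorun entries as (source, command) pairs, the way a triage tool collects them.
SAMPLE_FILES = [
    r"C:\Windows\System32\fdihkchp.exe",
    r"C:\Windows\System32\44682352\tst",
    r"C:\Users\alice\AppData\Local\Temp\CNQJ1A2B.EXE",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
]
SAMPLE_AUTORUNS = [
    ("run_key", r'"C:\Windows\System32\fdihkchp.exe"'),
    ("service", r"C:\Windows\System32\fdihkchp.exe"),
    ("start_menu", r"C:\Windows\System32\fdihkchp.exe"),
    ("run_key", r"C:\Program Files\Vendor\Updater.exe /background"),
]


def classify_path(path):
    """Return the Bayrob-B file artifact a path matches, or None."""
    directory, name = ntpath.split(path)
    name, directory = name.lower(), directory.lower()
    if directory == SYSTEM_DIR.lower() and name == DROPPED_COPY:
        return "copy of the Trojan in <System>"
    if ntpath.basename(directory) == "44682352" and name == "tst":
        return "data file 'tst' in folder 44682352"
    if directory == TEMP_DIR.lower() and fnmatch.fnmatch(name, "cnqj*.exe"):
        return "CNQJ<random>.EXE dropped in Temp"
    return None


def command_image(command):
    """Executable path at the start of an autorun command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0] if command else ""


def triage(files, autoruns):
    """Collect file artifacts and autorun entries that point at the dropped copy."""
    file_hits = [(p, classify_path(p)) for p in files if classify_path(p)]
    autorun_hits = [(src, cmd) for src, cmd in autoruns
                    if ntpath.basename(command_image(cmd)).lower() == DROPPED_COPY]
    return {"files": file_hits, "autoruns": autorun_hits}
```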
Troj/Bayrob-B may modify the contents of the following files:
Troj/Bayrob-B attempts to redirect from sites including ebay.com in order to steal information from the user.
Troj/Bayrob-B attempts to disguise itself by dropping a copy of "Kodak Viewer Express" and loading an image, for example one of a motorcycle.
Sophos's anti-virus products include Behavioral Genotype® Protection, which can proactively guard against new threats without requiring an update. Sophos customers have been protected against components of Troj/Bayrob-B (detected as Sus/UnkPacker and Sus/Dropper-A) since version 4.19.