Trojan.Bebloh
Trojan.Bebloh is a computer infection that modifies Internet Explorer settings and reduces its security features. Trojan.Bebloh also modifies registry entries on the infected computer to disable the proxies used by the Internet browser. It may also monitor and steal users' credentials for certain online banking and financial web sites.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
When Trojan.Bebloh is executed, it will drop the following file on the computer.
%Windir%/System32/[RANDOM NAME].exe
The Trojan conceals its presence once inside the computer. It injects malicious code into the legitimate process "CSRSS.exe", which grows that process by an additional 256 bytes of data.
Then the Trojan makes changes to the system registry that relocate the data for the Internet browser's cache file, cookies and history. It also targets the proxy settings. Trojan.Bebloh alters the proxy server setting by modifying the following registry entry:
HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
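For triage of an offline registry export, the following added script (not part of the original advisory) parses a .reg file and flags the ProxyEnable = 0 indicator under the .DEFAULT hive's Internet Settings key described above; the SAMPLE_REG text is a constructed sample, not a real capture.

```python
import re

# Indicator from the advisory: ProxyEnable set to 0 under the .DEFAULT hive's Internet Settings key.
TARGET_KEY = (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows"
              r"\CurrentVersion\Internet Settings")
TARGET_VALUE = "ProxyEnable"

# Constructed sample .reg export (not a real capture) used as input.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"""

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def decode_dword(raw):
    """Turn dword:00000000 into an int; None for non-DWORD data."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return None

def find_proxy_disable(text):
    """Return (key, value) pairs matching the advisory indicator."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower() != TARGET_KEY.lower():
            continue
        for name, raw in values.items():
            if name.lower() == TARGET_VALUE.lower() and decode_dword(raw) == 0:
                hits.append((key, name))
    return hits
if __name__ == "__main__":
    for key, name in find_proxy_disable(SAMPLE_REG):
        print(f"indicator: {key}\\{name} = 0")
```

Real exports from regedit are UTF-16 with a BOM, so open them with encoding="utf-16" before passing the text in. ProxyEnable = 0 is also the normal value on a machine with no proxy configured, so treat a hit as corroborating evidence alongside the dropped file and the CSRSS.exe injection, not as proof of infection on its own.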
Other changes to the registry may force the use of Internet Explorer. The Trojan opens the Internet Explorer web browser when users try to execute any of these applications:
- Google Chrome
- Netscape Navigator
- Opera
- Safari
Finally, the Trojan connects to a remote web site to receive additional commands from an attacker and download additional malware in order to perform tasks such as the following:
- Download and execute more harmful files from a specified location.
- Block Internet access and redirect search results to unknown web sites.
- Redirect predefined URLs to other web sites.
- Embed snippets into online banking web sites to steal sensitive information.
- Download configuration files and update itself.
- Receive commands from a remote attacker using HTTP requests.
Distribution
Trojan.Bebloh may arrive on the computer as a file attached to spam email messages. Other malware found related to this Trojan also drops and installs the harmful code by exploiting vulnerabilities in the system. Additionally, malicious web sites that employ the drive-by-download method are used to spread Trojan.Bebloh.
Added Registry Entries:
HKEY_USERS\.default\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
Associated Files and Folders:
%Windir%/System32/[RANDOM NAME].exe.dll
How to Remove Trojan.Bebloh
1. Temporarily disable System Restore (Windows Me/XP).
2. Open your antivirus program and update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).
5. Delete/modify any values added to the registry if there are any. Please refer to 'Added Registry Entries'.
Scan with Norton Power Eraser:
Norton Power Eraser, a free tool from Symantec, provides deep scanning technology to detect and remove threats like Trojan.Bebloh. NPE targets and eliminates threats that a regular virus scan fails to identify. Download NPE here.
Important! Because of Norton Power Eraser's aggressive method, it can flag even legitimate files as suspicious. Please use this tool very carefully.