Home / malwarePDF  

TrojanDownloader:Win32/Belot


First posted on 28 November 2014.
Source: Microsoft

Aliases :

There are no other names known for TrojanDownloader:Win32/Belot.

Explanation :

Threat behavior This threat can create files on your PC, including:

  • %APPDATA%\chromenet.exe
  • %LOCALAPPDATA%\google\chrome\user data\abc\extensions\caipkhppmjbppefcdohjhbniihldppbf\ext.dll
  • %ProgramFiles%\internet explorer\iexplore1.exe
  • %USERPROFILE%\desktop\google chrome.exe
  • c:\users\administrator\appdata\local\google\chrome\user data\abc\extensions\caipkhppmjbppefcdohjhbniihldppbf\ext.dll


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run

Sets value: "chromenet"
With data: ""%APPDATA%\chromenet.exe" +e"



Payload
Modifies system settings
This threat can make changes to the way your PC behaves, including:
  • Stopping alerts when programs try to make changes to your PC.


Connects to a remote host

We have seen this threat connect to a remote host, including:
  • www.fbku.com using port 80
  • www.mjux.com using port 80
Malware can connect to a remote host to:
  • Check for an Internet connection.
  • Download and run files (including updates or other malware).
  • Report a new infection to its author.
  • Receive configuration or other data.
  • Receive instructions from a malicious hacker.
  • Search for your PC location.
  • Upload information taken from your PC.
  • Validate a digital certificate.


We have seen this threat access online content, including:

  • exelink.txt
  • background.js
This malware description was published using automated analysis of file SHA1 8ffc2a802ecd158b1b9dde229f4b1a7deebd68f1. Symptoms

The following can indicate that you have this threat on your PC:

  • You see these files:
    • %APPDATA%\chromenet.exe
    • %LOCALAPPDATA%\google\chrome\user data\abc\extensions\caipkhppmjbppefcdohjhbniihldppbf\ext.dll
    • %ProgramFiles%\internet explorer\iexplore1.exe
    • %USERPROFILE%\desktop\google chrome.exe
    • c:\users\administrator\appdata\local\google\chrome\user data\abc\extensions\caipkhppmjbppefcdohjhbniihldppbf\ext.dll
  • You see registry modifications such as:
    • In subkey: HKCU\software\microsoft\windows\currentversion\run
      Sets value: "chromenet"
      With data: ""%APPDATA%\chromenet.exe" +e"

    • In subkey: HKLM\software\microsoft\windows\currentversion\policies\system
      Sets value: "EnableLUA"
      With data: "0"

Last update 28 November 2014

 

TOP

Malware :