W32.Babonock
First posted on 08 September 2014.
Source: Symantec
Aliases:
There are no other names known for W32.Babonock.
Explanation:
When the worm is executed, it creates the following file:
%UserProfile%\Application Data\Microsoft\Office\rundll32.exe
The worm then creates the following registry entry so that it runs every time Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Microsoft Windows" = "%UserProfile%\Application Data\Microsoft\Office\rundll32.exe"
It also creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Msversion" = "3fa"
The worm then logs keystrokes on the compromised computer.
Next, the worm may download updates and upload stolen information to one of the following remote locations:
ftp.byethost6.com
ftp.byethost10.com
The worm then copies itself to removable drives.
Last update 08 September 2014
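The indicators above translate directly into a host check. The PowerShell script below is an added example, not part of Symantec's writeup: it looks in the current user's hive for the "Microsoft Windows" Run value, the Explorer\Advanced changes and the Msversion marker, checks for the dropped file, and reverts them only when run with -Remove. It assumes a current Windows release, where %UserProfile%\Application Data is the legacy junction to $env:APPDATA; the -Remove switch name and the output format are the example's own.

```powershell
# Added example (not from the Symantec writeup): check the current user's hive and
# profile for the W32.Babonock indicators listed above. Read-only unless -Remove is given.
param([switch]$Remove)

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$advKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# Assumption: %UserProfile%\Application Data resolves to the roaming AppData folder.
$dropPath = Join-Path $env:APPDATA 'Microsoft\Office\rundll32.exe'

$findings = @()

# 1. Persistence: a Run value named "Microsoft Windows" (the worm's own choice of name)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft Windows']) {
    $findings += "Run value 'Microsoft Windows' = $($run.'Microsoft Windows')"
}

# 2. Explorer settings the worm writes to hide its file (HideFileExt=1, ShowSuperHidden=0)
#    and the 'Msversion' value, which has no legitimate use under this key
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv) {
    if ($adv.HideFileExt -eq 1)     { $findings += 'HideFileExt = 1 (extensions hidden; also the Windows default)' }
    if ($adv.ShowSuperHidden -eq 0) { $findings += 'ShowSuperHidden = 0 (protected OS files hidden)' }
    if ($adv.PSObject.Properties['Msversion']) { $findings += "Msversion = $($adv.Msversion)" }
}

# 3. The dropped binary. The real rundll32.exe lives in %SystemRoot%\System32, never under Office.
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "Dropped file present: $dropPath (SHA256 $hash)"
}

if ($findings.Count -eq 0) { 'No W32.Babonock indicators found for this user.'; return }
'Indicators found:'
$findings | ForEach-Object { "  $_" }

if ($Remove) {
    # Stop the running copy first so the file can be deleted, then undo the registry changes
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -ieq $dropPath } |
        Stop-Process -Force
    Remove-ItemProperty -Path $runKey -Name 'Microsoft Windows' -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $advKey -Name 'Msversion' -ErrorAction SilentlyContinue
    Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
    Set-ItemProperty -Path $advKey -Name 'ShowSuperHidden' -Value 1 -Type DWord
    Remove-Item -LiteralPath $dropPath -Force -ErrorAction SilentlyContinue
    'Cleanup attempted. Reboot, re-run this script to confirm, and check every removable drive that touched this host.'
}
```

Weigh the findings rather than counting them: HideFileExt=1 is the Windows default and ShowSuperHidden=0 is common on clean machines, so on their own they prove nothing, whereas a Run value named "Microsoft Windows" that points at a rundll32.exe outside %SystemRoot%\System32, and the Msversion value, are specific to this worm. Because the worm logs keystrokes and uploads what it collects, treat any password typed on the host as exposed and rotate it, and alert on or block outbound FTP to ftp.byethost6.com and ftp.byethost10.com at the perimeter. Run the script in each affected user's context, since the entries live under HKEY_CURRENT_USER and the file under that user's profile.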