CA Global Security Advisor

Virus Detail

Win32/Beovens Family

Date Published:
20 Dec 2005

Last Updated:
31 Jan 2006

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  High
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Win32/Beovens, Win32/Beovens!generic, Win32.Beovens.A, Win32.Beovens.B, Win32.Beovens.C, Win32/Beovens.C!Dropper, Win32.Beovens.D, Win32.Beovens.E, Win32/Beovens.E!Trojan, Win32.Beovens.F, Win32/Beovens.F!Trojan, Win32.Beovens.G, Win32/Beovens.G!Trojan, Win32.Beovens.H, Win32.Beovens.I, Win32/Beovens.I!Trojan, Win32.Beovens.J, Win32/Beovens.J!Trojan, Win32.Beovens.K, Win32/Beovens.K!Trojan, Win32.Beovens.L, Win32/Beovens.L!Trojan, Win32.Beovens.M, Win32/Beovens.M1!Trojan, Win32.Beovens.N, W32/Downloader.AIN (F-Secure), W32/Downloader.AQB (F-Secure), W32/Downloader.CTJ (F-Secure), W32/Downloader.CTY (F-Secure), Win32/SillyDL.Zxs!Trojan, Trojan-Downloader.Win32.Agent.lx (Kaspersky), Trojan-Dropper.Win32.Small.wy (Kaspersky), Trojan-Dropper.Win32.Small.yu (Kaspersky), Trojan-Downloader.Win32.Zlob.g (Kaspersky), Trojan-Downloader.Win32.Zlob.i (Kaspersky), Trojan-Downloader.Win32.Zlob.j (Kaspersky), Trojan-Downloader.Win32.Zlob.k (Kaspersky), Trojan-Downloader.Win32.Zlob.p (Kaspersky), Trojan-Downloader.Win32.Zlob.s (Kaspersky), Downloader-XC (McAfee), Trojan.Zhopa (Symantec), Win32/Zhopa.8993!Trojan, TROJ_ZHOPA.A (Trend), Trojan.Zlob (Symantec), Win32/Zlob!Trojan, TROJ_ZLOB.A (Trend), Trojan.Zlob.B (Symantec), TROJ_ZLOB.C (Trend), W32/Zlob.G (Norman), TROJ_ZLOB.Z (Trend), Troj/Zlob-C (Sophos), Troj/Zlob-F (Sophos), Troj/Zlob-G (Sophos), Troj/Zlob-H (Sophos), Troj/Zlob-I (Sophos)

Description

Win32/Beovens is a family of downloading trojans. Beovens is installed by several methods: by exploiting a vulnerability in Internet Explorer (MS05-054, Mismatched Document Object Model Objects Memory Corruption Vulnerability), or by being downloaded unwittingly by users because it masquerades as a video codec installer.


Method of Infection

Beovens variants may set the following value to ensure they are run at each Windows start:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\wininet.dll = "mscornet.exe"


On execution, variants drop a file named "mscornet.exe" into the %System% directory and execute it. This executable in turn drops a DLL into %System% under a random filename prefixed with "ld" and ending in ".tmp" (for example, ldB605.tmp). The DLL is then injected into "winlogon.exe".


Earlier variants of Beovens dropped the file "msmsgs.exe" into the %System% directory, injected code into "explorer.exe" and set the following registry values:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSN messenger = "%System%\msmsgs.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run\notepad.exe = "msmsgs.exe"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, msmsgs.exe"


Some variants of the trojan may also register themselves as a service process so that they execute even when the affected user logs off.


Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.


Warning: CA has received reports from the wild that this family of trojans is being distributed via message boards. The trojan's writers place a link on a message board to sites offering various samples of pornography. When an unsuspecting user clicks on the link to one of these samples, they are confronted by a message (reproduced as a screenshot on the original page) telling them that a 'new version of codec' is required. The 'new version of codec' is in fact a new version of Win32/Beovens.



Payload

Downloads and Executes Arbitrary Files

Beovens contacts specific domains (listed under Additional Information below) and sends information about the affected system's network connection, operating system and locale. Based on this information it is instructed to download and execute numerous files, which may include additional malware. Files downloaded by the trojan are placed in the folder "%System%\1024" under random filenames prefixed with "ld" and ending in ".tmp". Beovens can periodically check for component updates and retry failed downloads.


Beovens also stores configuration information in %System%\ncompat.tlb. The information stored in this file can be used by Beovens itself, as well as the other trojans which Beovens downloads.


Earlier variants of Beovens used the directory names "LogFiles" and "__download__" for storing downloaded files.
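The registry values under Method of Infection and the file locations above are the host indicators an incident responder would check first. The following script is an added example written for this page, not CA's code: it parses a `reg export` text dump for the three autostart techniques the advisory describes (a Run entry pointing at msmsgs.exe, any entry under policies\explorer\run, and a Winlogon Shell list with anything besides Explorer.exe) and walks a %System% tree for mscornet.exe, msmsgs.exe, ncompat.tlb and ld*.tmp files in the 1024, LogFiles or __download__ directories. The .reg text and the directory tree are constructed so it runs stand-alone; the benign entries in them (SoundTray, kernel32.dll, drivers\ld9.tmp) are there only to show what is not flagged.

```python
"""Offline triage for the Beovens host artifacts listed in this advisory: the
autostart registry values and the %System% file layout.  Added example, not CA's
code.  The .reg text and directory tree below are constructed so the script runs
stand-alone; in practice feed it `reg export` output and the real %System% path."""
import os
import re
import tempfile

# Autostart locations the advisory says Beovens writes (compared case-insensitively).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower()
POLICY_RUN_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                  r"\policies\explorer\run").lower()
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()
# Files the advisory ties to the family, all dropped directly under %System%.
BEOVENS_FILES = {"mscornet.exe", "msmsgs.exe", "ncompat.tlb"}
# Dropped payloads: "ld" prefix, random middle, ".tmp" suffix (the advisory's example is ldB605.tmp).
LD_TMP = re.compile(r"^ld[0-9a-z]*\.tmp$", re.IGNORECASE)
# Download directories under %System%: current "1024", earlier "LogFiles" and "__download__".
DROP_DIRS = {"1024", "logfiles", "__download__"}

def parse_reg_export(text):
    """Parse a .reg export into {key_path_lower: {value_name: data}}, REG_SZ values only.
    The .reg format writes a backslash inside quoted data as two backslashes."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = data[1:-1].replace("\\\\", "\\")
    return keys

def find_persistence(keys):
    """Return (location, value_name, data) for the three autostart techniques described."""
    hits = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if os.path.basename(data.replace("\\", "/")).lower() in BEOVENS_FILES:
            hits.append(("Run", name, data))
    # policies\explorer\run is normally empty outside Group Policy-managed hosts: review every entry.
    for name, data in keys.get(POLICY_RUN_KEY, {}).items():
        hits.append(("policies\\explorer\\run", name, data))
    # Winlogon\Shell is a comma-separated list; anything besides Explorer.exe is suspect.
    for part in keys.get(WINLOGON_KEY, {}).get("Shell", "").split(","):
        part = part.strip()
        if part and part.lower() != "explorer.exe":
            hits.append(("Winlogon\\Shell", "Shell", part))
    return hits

def find_file_artifacts(system_dir):
    """Walk %System% and return forward-slash relative paths matching the file indicators.
    ld*.tmp is only flagged directly under %System% or inside a known download directory."""
    hits = []
    for root, _dirs, files in os.walk(system_dir):
        rel_dir = os.path.relpath(root, system_dir)
        at_root = rel_dir == "."
        for f in files:
            rel = f if at_root else os.path.join(rel_dir, f).replace(os.sep, "/")
            if at_root and f.lower() in BEOVENS_FILES:
                hits.append(rel)
            elif LD_TMP.match(f) and (at_root or rel_dir.lower() in DROP_DIRS):
                hits.append(rel)
    return sorted(hits)

# Constructed .reg export: one benign Run entry beside the values quoted in the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\WINDOWS\\system32\\soundtray.exe"
"MSN messenger"="C:\\WINDOWS\\System32\\msmsgs.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run]
"wininet.dll"="mscornet.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, msmsgs.exe"
"""

def build_sample_system_dir():
    """Create a constructed %System% tree: Beovens artifacts mixed with benign files."""
    base = tempfile.mkdtemp(prefix="system32_")
    for rel in ("kernel32.dll", "mscornet.exe", "ldB605.tmp", "ncompat.tlb",
                "1024/ld1F3A.tmp", "1024/readme.txt", "drivers/ld9.tmp"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return base

if __name__ == "__main__":
    for hit in find_persistence(parse_reg_export(SAMPLE_REG)):
        print("registry:", hit)
    for hit in find_file_artifacts(build_sample_system_dir()):
        print("file:", hit)
```

Two points of judgement are built in. Every value under policies\explorer\run is reported rather than matched against a filename, because that key is empty on most hosts and the advisory shows the family using two different value names there (wininet.dll, notepad.exe); on a domain-joined machine, check the entries against Group Policy before treating them as malicious. Likewise, ld*.tmp names are flagged only directly under %System% or in the named download directories, since short temporary filenames elsewhere are too common to act on.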


Beovens has been seen to download the following malware onto an affected machine:


Win32/Spax
Win32/Moiling
Win32/Puper
Win32/DlStwoyle
Win32/Bloon
Win32/Alemod
Win32/Angourd
Win32/Moisho
Win32/Moipro


The original page includes a screenshot of a machine concurrently running several of the trojans that Beovens is known to download. The obvious effects of such a compromise visible there are:


  • The user's Start page has been changed by Win32/Puper.
  • The System warning message and System Alert balloon are displayed by Win32/Moiling.
  • The blue and green shield icons are added to the user's desktop by Win32/Moisho.
  • The SpyAxe shortcut and the red icon in the system tray are displayed by Win32/Spax.


Additional Information

Beovens has been seen to download files from the following domains:


downloadboost.com
hdnsservice.com
gigafreehost.com
kitehosting.com
ware2006.com
filesstore.com
gigs7.com
webmanaged.net
freeprohosting.net
filesget.com
infsecurity.com
pentahosting.net
fhgstr.com
zxserv0.com
vnp7s.net
conboost.com
wloads.com
getyourfile.cc
qkdwnld.com
update05.com
dumpserv.com
readagreement.net
dbdecicated.com
hostthesky.com
bt2n.com
connectpt.net
boostservice.com
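The domain list is the network side of the indicators, and the practical question is how to run it against resolver or proxy logs without false positives from look-alike names. The script below is an added example for this page, not CA's code. It loads the 27 domains above as indicators and matches query names on label boundaries, so that a subdomain such as cdn.filesstore.com hits but notfilesstore.com and filesstore.com.example do not. The log lines are constructed, and the "timestamp client qname" layout is an assumption to adapt to whatever your resolver actually writes.

```python
"""Match resolver query logs against the Beovens download domains listed in this
advisory.  Added example, not CA's code.  The log lines are constructed and the
"timestamp client qname" layout is an assumption; adapt the split to your resolver."""

# The 27 domains from the advisory, used as indicators.
BEOVENS_DOMAINS = frozenset("""
downloadboost.com hdnsservice.com gigafreehost.com kitehosting.com ware2006.com
filesstore.com gigs7.com webmanaged.net freeprohosting.net filesget.com
infsecurity.com pentahosting.net fhgstr.com zxserv0.com vnp7s.net conboost.com
wloads.com getyourfile.cc qkdwnld.com update05.com dumpserv.com readagreement.net
dbdecicated.com hostthesky.com bt2n.com connectpt.net boostservice.com
""".split())


def normalize(qname):
    """Lower-case a query name and drop the trailing dot of an absolute FQDN."""
    return qname.strip().lower().rstrip(".")


def matching_ioc(qname, iocs=BEOVENS_DOMAINS):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Only label-aligned suffixes are tried, so notfilesstore.com does not hit
    filesstore.com, and neither does filesstore.com.example (a prefix, not a suffix)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines):
    """Return (timestamp, client, qname, ioc) for every query that hits an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        ts, client, qname = parts[:3]
        ioc = matching_ioc(qname)
        if ioc:
            hits.append((ts, client, normalize(qname), ioc))
    return hits


def affected_hosts(hits):
    """Distinct client addresses that queried any indicator, sorted for the triage list."""
    return sorted({client for _ts, client, _qname, _ioc in hits})


# Constructed query log: a benign lookup, three true hits (absolute FQDN, mixed case,
# subdomain) and two look-alikes that must not match.
SAMPLE_LOG = """\
2006-01-15T10:02:11Z 10.0.0.23 www.example.com
2006-01-15T10:02:14Z 10.0.0.23 gigafreehost.com.
2006-01-15T10:02:15Z 10.0.0.23 Update05.COM
2006-01-15T10:02:17Z 10.0.0.41 notfilesstore.com
2006-01-15T10:02:19Z 10.0.0.41 cdn.filesstore.com
2006-01-15T10:02:20Z 10.0.0.41 filesstore.com.example
"""

if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print("hosts to triage:", affected_hosts(hits))
```

Treat a match as a lead rather than proof: these domains were published in a 2005/2006 advisory, and domains that lapse are routinely re-registered for unrelated purposes, so confirm a hit against the host artifacts (the registry values and %System% files described above) before declaring the client compromised.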


Analysis by Amir Fouda and Raymond Roberts


