*
Microsoft*
Results by Bing
Security 

Malicious Software Encyclopedia: Win32/Berbew

Published: April 26, 2005

The Berbew family of Trojans retrieves passwords stored on an infected system and sends them to a remote Web server. It also acts as a Web proxy, which allows attackers to use the infected system as a relay for remote access to other systems. Users can become infected with Trojans like Berbew in a number of ways: opening unknown e-mail attachments, running downloaded programs, using peer-to-peer file sharing programs.

**

Related Links

Removal Tools - Microsoft

Glossary Terms

Click the term to get the definition from our Security Glossary.

Trojan horse

virus

worm

**
On This Page
Threat OverviewThreat Overview
Aliases (Also Known As)Aliases (Also Known As)
Related Security BulletinsRelated Security Bulletins
Technical AnalysisTechnical Analysis
How to Prevent InfectionHow to Prevent Infection
How to Tell If Your Computer Is InfectedHow to Tell If Your Computer Is Infected
How to Recover from InfectionHow to Recover from Infection
Transmission MethodsTransmission Methods

Threat Overview

Class/typeTrojan - Backdoor
Trojan - Data Theft
DiscoveredApril 6, 2004
CirculatingYes
Affected operating systemsWindows 95
Windows 2000
Windows XP
Windows Server 2003
Affected softwareInternet Explorer 5
Internet Explorer 5.5
Internet Explorer 6
Infection ratingMedium
Recovery difficultyDifficult
Damage ratingMedium
Transmission ratingLow

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • McAfee: Backdoor-AXJ
  • Sophos: Troj/Webber
  • Sophos: Troj/Padodor
  • Symantec: Backdoor.Berbew

    • Learn more about the Microsoft Virus Information Alliance.

    Related Security Bulletins

    The following Microsoft Security bulletins are related to this issue:

  • MS04-025 - Cumulative Security Update for Internet Explorer (867801)

    • Technical Analysis

    When this Trojan is run, it creates two files in the system folder: an .exe file and a .dll file. These files have random file names. The .dll file is installed as a shell extension and loaded by Explorer.exe when the system starts. The .dll then loads and runs the .exe file. The Trojan also creates several files that contain user-specific information.
     
    The Trojan acts as a Web proxy, allowing attackers to use the infected system as a relay to access other Web servers.
     
    Later versions of this Trojan also log user's login details for online banking and other financial services. These details are sent to a remote Web server for retrieval by the attackers.
     
    Later versions of this Trojan can also download and install updates from a list of Web sites built into the Trojan.

    How to Prevent Infection

    Take the following steps to help prevent infection on your system:
    • Enable a firewall on your computer
    • Get the latest computer updates
    • Use up-to-date antivirus software
    • Use caution with unknown attachments
    • Do not respond to requests for personal information via e-mail or IM

    Enable a firewall on your computer

    Use a third-party firewall product or turn on the Microsoft® Windows® XP Internet Connection Firewall.
    To turn on the Internet Connection Firewall in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Highlight a connection that you want to help protect, and click Change settings of this connection.
    4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
    5. Click OK.

    Get the latest computer updates

    Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows® XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates
    1. Click Start, and click Control Panel
    2. Click Performance and Maintenance. If you do not see Performance and Maintenance , click Switch to Category View.
    3. Click System.
    4. Click Automatic Updates, and select Keep my computer up to date.
    5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
    6. If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

    Use up-to-date antivirus software

    Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection.

    Use caution with unknown attachments

    Use caution before opening unknown e-mail or IM attachments, even if you know the sender. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately, and run up-to-date antivirus software to check your computer for viruses.

    Do not respond to requests for personal information via e-mail or IM

    Microsoft and most legitimate businesses will never ask for passwords, credit card numbers, or other personal information in an e-mail or instant message. If you do receive a message requesting this kind of information, don't respond. If you think the message is legitimate, contact the company by phone or through their Web site to confirm.

    How to Tell If Your Computer Is Infected

    Some customers whose computers have been infected will not notice the presence of this Trojan at all. Other customers may notice crashes or slowdowns during normal operation.

    How to Recover from Infection

    Automatic Recovery
    To attempt to automatically remove this threat, run one of the following removal tools:

    Transmission Methods

    MethodDescription
    Social EngineeringThis Trojan is often downloaded by other downloader Trojans that are sent in e-mail.
    One variant is installed by visiting Web servers that are infected with the Download.Ject Trojan, which exploits Internet Explorer vulnerabilities to download and run the Berbew Trojan.

    © 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement