Win32/Beebone


Microsoft security software detects and removes this threat.

The threat is a family of Visual Basic-compiled trojan downloaders that download and run other malware, such as: 




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Some variants of this threat can get onto your PC through drive-by downloads that rely on social engineering tactics. It might also have been downloaded and run by other malware, such as a variant of the Worm:Win32/Vobfus family.

Other variants might be installed if you click any of the following:

  • A malicious link posted on social networking sites
  • A malicious link sent through an instant messaging program
  • A link with an enticing file name that might have been shared on a public file sharing network

We have seen variants use the following names, which indicate they are trying to appear as software key generators or cracks:

  • 360Amigo System Speedup 1.2.1.5800 Pro Portable.exe
  • 4 Elements II - Collector's Edition - Full PreCracked.exe
  • 4U Download YouTube Video 4.2.8.exe
  • 7 Wonders IV Magical Mystery Tour (Final).exe
  • A Selection of Courses for SolidWorks SolidProfessor Completed DVD 2011-CWZ.exe
  • Abvent Artlantis Studio v3.0.6-BEAN.exe
  • Ace Combat Assault Horizon KEYGEN CRACK for PC - MAC - PS.exe
  • Acrobat X Pro 10 (Portable).exe
  • Adobe Acrobat Pro X 10.0.1.434.exe

Payload

Downloads other malware

This threat contacts remote hosts to download other malware. We have seen this threat download the following:

For more information about how it downloads this malware, see the Additional information section below.

After it downloads other malware, it stops running and deletes the copy of itself by running the following command:

cmd.exe /c tasklist&&del {Malware Path}

Contacts remote hosts

In the wild, we have seen that Win32/Beebone tries to connect to the following hosts:


Some of the hosts appear to be using domain names similar to dynamic DNS service providers.

These threats use the following ports to access the remote servers:

  • 443
  • 8080
  • 23345
  • 27000
  • 30980
  • 34511
  • 40009
  • 41001
  • 43401
  • 46361
  • 58897
  • 60077
  • 60088
  • 60099
  • 60777

The malware family might access those domains and remote servers to:

  • Download and run files (including updates or other malware).
  • Report a new infection to its author.
  • Receive configuration or other data.
  • Receive instructions from a malicious hacker.
  • Upload information taken from your PC.

While some of these servers are located in eastern Europe, we have seen the threat generally targeting users in the US, South America and Asia. Peru, Mexico, and the US have the largest infection numbers, while infections in Europe are not high.

For more information about how it contacts these remote hosts, see the Additional information section below.

This malware family might also have the following executable icon:

Additional information

Older variants of this malware family show the following behavior when they run:

Malware behavior: Makes an HTTP request, usually in the following format:

{random}.{domain}:{port}/{letter}/

Examples:

  • 001updates.zma.me:23345/b/
  • updates9845.fe100.net:60077/i/
  • updateminute.dnsd.me:8080/b/
  • windows-update.zigg.me:41001/a/
  • winupdateserver1.s3h.net:30980/a/

Malware behavior: The server replies to the HTTP request with a comma-separated list of the locations where Beebone can download malicious files to your computer.

Example: It can send an HTTP request to the following URI:

  • windows-update.zigg.me:41001/a/

The server then replies with a comma-separated list that looks like this:

76876332/1,76876332/2,76876332/bb1,76876332/z

The download file locations are:

  • windows-update.zigg.me:41001/a/76876332/1
  • windows-update.zigg.me:41001/a/76876332/2
  • windows-update.zigg.me:41001/a/76876332/bb1
  • windows-update.zigg.me:41001/a/76876332/z

Recent variants of this threat family show the following behavior when they run:

Malware behavior: Makes an HTTP request in the following format:

{random}.{domain}:{port}/{number}/?{affiliate_id}|{hdserial}{username}

Examples:

  • 37462.ddnsx.eu:443/1/?b|-2020396961winxp
  • 37480.noip1.at:443/2/?f|-1396129654Guest
  • 46546.dtdns.net:443/9/?a|-1312965453MyPC
  • 62951.noipx.net:8080/0/?f|-2713912961Developer
  • 86788.noip1.com:8080/0/?b|-5711296542Windows7
  • 88793.ddns1.eu:443/1/?a|-1296545361Administrator
  • 99088.noip2.net:8080/0/?f|-1813912965Admin

Malware behavior: Other variants make an HTTP request using IP addresses, in the following format:

http://{ip address}:{port}/{random numbers}/?{first letter of malware's filename}|{hd_serial}{username}

Examples:

  • hxxp://146.255.195.124:60002/8567645/?m|-1234567890Administrator
  • hxxp://91.237.247.11:37766/771232/?j|-2345678901GuestUser01

Malware behavior: Uses a specific HTTP User-Agent when contacting the malware server.

Example: It uses the following User-Agent string:

"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"
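As an added example that is not part of the Microsoft analysis, the following Python scans constructed proxy-log lines (URL, a tab, then the User-Agent) for both request formats described above, the older {letter}/ form and the recent ?{id}|{hdserial}{username} form, and records whether the port is one the advisory lists and whether the User-Agent matches. The log line layout, the Hit field names and the sample lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Ports the advisory lists for Beebone command-and-control traffic.
BEEBONE_PORTS = {443, 8080, 23345, 27000, 30980, 34511, 40009, 41001,
                 43401, 46361, 58897, 60077, 60088, 60099, 60777}
# User-Agent string the advisory reports for recent variants.
BEEBONE_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)"

# Older variants: {random}.{domain}:{port}/{letter}/
OLD_RE = re.compile(r"^(?P<host>[^/:\s]+):(?P<port>\d+)/(?P<letter>[a-z])/$")
# Recent variants: {random}.{domain}:{port}/{number}/?{id}|{hdserial}{username}; the
# IP-address form has the same shape with a numeric host and a scheme prefix. The username
# is taken as everything after the signed serial (a username starting with a digit would mis-split).
NEW_RE = re.compile(r"^(?:hxxp://|http://)?(?P<host>[^/:\s]+):(?P<port>\d+)/\d+/\?"
                    r"(?P<id>[a-z])\|(?P<hdserial>-?\d+)(?P<user>\S*)$")

@dataclass
class Hit:
    variant: str                 # "old" or "recent"
    host: str
    port: int
    hdserial: Optional[str]      # only present in the recent format
    username: Optional[str]
    ua_match: bool               # request carried the Beebone User-Agent
    known_port: bool             # port is one the advisory lists

def scan_line(line: str) -> Optional[Hit]:
    """Match one constructed proxy-log line (URL, tab, User-Agent) against the beacon formats."""
    url, _, ua = line.rstrip("\n").partition("\t")
    m = NEW_RE.match(url)
    if m:
        return Hit("recent", m["host"], int(m["port"]), m["hdserial"], m["user"],
                   ua == BEEBONE_UA, int(m["port"]) in BEEBONE_PORTS)
    m = OLD_RE.match(url)
    if m:
        return Hit("old", m["host"], int(m["port"]), None, None,
                   ua == BEEBONE_UA, int(m["port"]) in BEEBONE_PORTS)
    return None

def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in map(scan_line, lines) if h is not None]

# Constructed sample lines; the first three reuse URLs quoted in the advisory.
SAMPLE_LOG = [
    "37462.ddnsx.eu:443/1/?b|-2020396961winxp\t" + BEEBONE_UA,
    "hxxp://146.255.195.124:60002/8567645/?m|-1234567890Administrator\t" + BEEBONE_UA,
    "windows-update.zigg.me:41001/a/\t" + BEEBONE_UA,
    "www.example.com:443/index.html\tMozilla/5.0",
]
```

A hit on a non-listed port or without the User-Agent is weaker evidence; combine the two flags with the dynamic-DNS-style host names noted earlier before treating a line as confirmed.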

Malware behavior: The malware server replies to the HTTP request with encrypted data. The encrypted data are decrypted, revealing a comma-separated list of URLs for the files to be downloaded to your computer.

Example: The decrypted data might look like the following:

899056.noip2.nl:443/v/?75,hxxp://799056.noip2.nl:443/1/?n1,hxxp://799056.noip2.nl:443/1/?s1

Malware behavior: The downloaded files are also encrypted, but are later decrypted and then saved to your computer.

Example: File names of the downloaded files can have one of the following formats:

  • {number}{random}.exe
  • z{random}.exe
  • start1.exe
  • runme.exe

Malware behavior: Runs the saved files, most often from the %USERPROFILE% folder.

Malware behavior: Checks for the following modules. If any of these modules are present in memory, Beebone will not run its malicious routine. These modules are checked to determine whether:

  • The malware is being debugged (dbghelp.dll)
  • The malware is in a sandbox (sbiedll.dll)
  • AVAST antivirus (snxhk.dll) is running on the system

Examples:

  • dbghelp.dll
  • sbiedll.dll
  • snxhk.dll

Malware behavior: Checks whether your computer is running in a virtual machine environment by looking for the following strings in the registry key "HKLM\System\ControlSet001\Services\Disk\Enum\0". If it finds any of these strings, the trojan will not run.

Examples:

  • VBOX
  • VIRTUAL
  • VMWARE
  • QEMU

Malware behavior: Uses anti-debugging techniques.

Examples: If one of the above DLLs is running on your computer, Beebone will not run its malicious routine. It checks for the snxhk.dll module to determine whether AVAST antivirus is installed on your computer.

 

In the wild, we have seen these threats use the following file names:

  • 0wxm.exe
  • 1hhy.exe
  • 2gy.exe
  • 4meu.exe
  • 5rry.exe
  • zyyp.exe

The names of the downloaded files now use the format {random numbers}.exe.

Example:

  • 1165.exe
  • 1098.exe

These files might be detected as variants of the following families:

Analysis by Allan Sepillo


Symptoms

System changes

The following can indicate that you have this threat on your PC:

  • You have these files:
    • 0wxm.exe
    • 1hhy.exe
    • 2gy.exe
    • 4meu.exe
    • 5rry.exe
    • zyyp.exe
  • You see this malware family use the following executable icons:


Prevention


Alert level: Severe
This entry was first published on: Mar 13, 2013
This entry was updated on: Jan 07, 2015

This threat is also detected as:
No known aliases