Trojan:WinNT/Bibei.A is a driver component installed by TrojanDropper:Win32/Bibei.A on an affected computer. It is used to connect to a remote server and download other malware.
Installation
Trojan:WinNT/Bibei.A is a rootkit driver installed by TrojanDropper:Win32/Bibei.A to decrypt and install other components. It is dropped in the Windows system drivers folder with a random file name, for example:
- <system folder>\drivers\oqdnhwfb.sys
- <system folder>\drivers\xrxzrhxj.sys
- <system folder>\drivers\Nlyvtlry.sys
- <system folder>\drivers\duapremn.sys
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default location of the System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
It registers itself as a service by creating the following registry keys:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\<random name>
Sets value: "Type"
With data: "dword:00000001"
Sets value: "Start"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "<system folder>\drivers\<random name>"
The dropper TrojanDropper:Win32/Bibei.A may also drop the following files along with Trojan:WinNT/Bibei.A:
- %windir%\msvstat.dat
- %windir%\KB1b3i89.dat
- %windir%\mphe8qwn.dat
When executed, Trojan:WinNT/Bibei.A decrypts part of its malicious code and injects it into the process "explorer.exe".
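The service registration described above (a kernel driver set to system start, with an eight-letter random file name under the drivers folder) can be triaged from a registry export. The following is an added example written for this page, not part of the original analysis: it parses a `reg export` of the Services hive and flags entries with that shape. The sample export is constructed, and the parser assumes ImagePath is exported as a plain quoted string rather than hex(2) data.

```python
import re

# Constructed sample: a fragment of a `reg export` of the Services hive, with one
# entry shaped like the Bibei.A driver service next to a benign-looking one.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\oqdnhwfb]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="C:\\Windows\\System32\\drivers\\oqdnhwfb.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
'''

SERVICE_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
DWORD_VALUE = re.compile(r'^"(\w+)"=dword:([0-9a-f]{8})$', re.I)
STRING_VALUE = re.compile(r'^"(\w+)"="(.*)"$')
# Bibei.A registers its driver as drivers\<random name>.sys; the observed names are eight letters.
RANDOM_DRIVER = re.compile(r"\\drivers\\[a-z]{8}\.sys$", re.I)

def parse_services(reg_text):
    """Return {service_name: {value_name: value}} for each Services subkey in a .reg export."""
    services, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if m := SERVICE_KEY.match(line):
            current = services.setdefault(m.group(1), {})
        elif current is None:
            continue
        elif m := DWORD_VALUE.match(line):
            current[m.group(1)] = int(m.group(2), 16)
        elif m := STRING_VALUE.match(line):
            # .reg files double every backslash inside quoted string data
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return services

def find_bibei_like_services(reg_text):
    """Flag services with Type 1 (SERVICE_KERNEL_DRIVER), Start 1 (SERVICE_SYSTEM_START)
    and an ImagePath matching the random eight-letter driver name Bibei.A uses."""
    hits = []
    for name, values in parse_services(reg_text).items():
        image = values.get("ImagePath", "")
        if values.get("Type") == 1 and values.get("Start") == 1 and RANDOM_DRIVER.search(image):
            hits.append((name, image))
    return hits

if __name__ == "__main__":
    for name, image in find_bibei_like_services(SAMPLE_REG_EXPORT):
        print(f"suspicious kernel driver service {name!r} -> {image}")
```

Legitimate boot and system-start drivers share Type 1 and Start 1, so a hit is a lead to confirm (driver signature, vendor, presence of the .dat companions listed above), not a verdict on its own.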
Payload
Downloads other malware
Trojan:WinNT/Bibei.A connects to the following servers to download certain encrypted files:
- uul<removed>.info
- w<removed>rank.net
The files it attempts to download are the following:
- <server>/cdlogo.jpg
- <server>/vd.jpg
- <server>/vvlogo.jpg
When decrypted, the resulting executable files are detected as either TrojanDownloader:Win32/Bibei.A or TrojanDownloader:Win32/Bibei.B.
Analysis by Mihai Calota