Win32/Beenut is a family of trojan downloaders that download files from various URLs to the host computer and then run the downloaded files. A Win32/Beenut trojan may also copy itself to the host computer, modifying the registry so the copy of itself runs each time Windows starts.
Use the following free Microsoft software to detect and remove this threat:
Win32/Beenut is a family of trojans that download files from various URLs to the host computer and then run the downloaded files. The Win32/Beenut downloader trojans use HTTP over TCP port 80 for the file transfer.
Some variants of the Win32/Beenut family copy themselves to the host computer. For example, the trojan may create a copy of itself in the system folder with a name such as "7552504d.exe", and may create a copy with the same name in the folder C:\Documents and Settings\<user name>\Local Settings\Application Data. A variant that creates local copies of itself in this manner typically modifies the registry so that the copy runs automatically each time Windows starts. For example, using the file names above, the following registry modifications may be made:
Adds value: 7552504d.exe with data: C:\Documents and Settings\<user name>\Local Settings\Application Data\7552504d.exe in subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: 7552504d.exe with data: <system folder>\7552504d.exe in subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
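The persistence pattern described above can be checked for in exported Run-key listings. The following is an added example, not part of the original description: it parses text in the layout printed by `reg query <key>` and flags Run values whose name equals the file name of the executable they launch, located in the system folder or in Local Settings\Application Data. The eight-hex-digit name pattern (generalised from the single example name), the system folder paths, the function name and the sample data are assumptions made for illustration.

```python
import ntpath
import re

# Run keys named in the description above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Assumption: generalises the one example name "7552504d.exe" to eight hex digits.
NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
# Assumption: typical values of <system folder>; adjust for the hosts under review.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
APPDATA_TAIL = r"\local settings\application data"
VALUE_RE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def find_suspect_run_entries(reg_query_text):
    """Return (key, value_name, path) for Run values matching the described pattern."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # header line: start of a new key
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue
        name, _type, data = m.groups()
        path = data.strip().strip('"')
        folder = ntpath.dirname(path).lower()
        same_name = ntpath.basename(path).lower() == name.lower()
        known_dir = folder in SYSTEM_DIRS or folder.endswith(APPDATA_TAIL)
        # All three conditions together; same_name + known_dir alone also matches
        # legitimate entries such as ctfmon.exe in the sample below.
        if same_name and known_dir and NAME_RE.match(name):
            hits.append((key, name, path))
    return hits

# Constructed sample in `reg query` layout; "alice" and all entries are illustrative.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    7552504d.exe    REG_SZ    C:\Documents and Settings\alice\Local Settings\Application Data\7552504d.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    7552504d.exe    REG_SZ    C:\WINDOWS\system32\7552504d.exe
    deadbeef.exe    REG_SZ    C:\Program Files\Vendor\deadbeef.exe
"""

if __name__ == "__main__":
    print(find_suspect_run_entries(SAMPLE))
```

A match is a candidate for review rather than a confirmed detection, since the file name varies between variants and the name pattern is only an assumption.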
The size of the trojan file varies, and strings in the file may be encrypted in an attempt to thwart scanner detection.