
Bayrob Trojan Latest Version Clones Itself, Launches Multiple Processes

A rather strong wave of old malware is resurfacing on the Web. In this article we will analyze the Bayrob Trojan (Win32/Bayrob, Trojan.Bayrob!gen8, Trojan.Bayrob), which hasn’t been active for at least 9 years. The threat has been updated and set loose again. Bayrob’s malicious code is now more precise and is up-to-date with recent malware.

Threat Summary

Name: Bayrob Trojan
Type: Trojan, Infostealer, Backdoor
Short Description: The Trojan hasn’t been active for over 9 years, but security researchers have just caught it active again.
Symptoms: An error message is displayed: “This application is not compatible with the recent version of Windows you’re running…”.
Distribution Method: Spam email attachments.
Detection Tool: See If Your System Has Been Affected by Bayrob Trojan

A Look into Bayrob’s Latest Infections

Bayrob December 2015

Bayrob hasn’t been active since 2007, at least not in aggressive and widely-spread campaigns. However, the threat re-emerged last winter, in December, when it was spotted again by security researchers. Bayrob was spreading via malicious attachments in emails trying to impersonate Amazon.

Bayrob classifies as an infostealer and a backdoor type of Trojan. During December’s attacks, the Trojan was set to steal and send to a command and control server the following details from a victim’s machine:

  • OS version
  • Computer Name
  • PC’s IP Address
  • Information about the OS and system settings
  • MAC address
  • List of running services

Bayrob was spotted active again about 2 weeks ago. Apparently, the Trojan has new versions and its code has been modified to evade reverse engineering and detection.

Bayrob Version 2016

What hasn’t been changed in Bayrob’s code? In both its past and current attacks, the Trojan is designed to set up a proxy server to steal sensitive information from victim machines. What’s new in Bayrob is its improved capability to avoid detection and clone itself to launch multiple processes. Each of the processes (services) has its own malicious task to handle.

Fortinet researchers have discovered that Bayrob’s original sample:

drops one copy of itself, runs the first copy, and exits. The name of the first copy is a fixed prefix (“ulms” in the sample we analyzed), appended with a randomly generated string. The original process also displays a fake error message to hide its actual malicious behavior. Below [see picture] shows how it achieves this and the actual message. The first copy then drops another copy of itself. It also creates and starts a service, as shown below. The service runs major tasks such as C&C communication.

[Image: the fake error message displayed by Bayrob, via Fortinet]

Bayrob is also capable of differentiating its running stage in the multiple processes/services by file names. The Trojan also drops identifiers to recognize its lifecycle stage.
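As an added illustration that is not part of the original article or of Fortinet’s analysis, the Python below turns the reported process chain (dropper spawns a prefix-plus-random-string clone, which spawns a second clone and registers a service) into a simple detection over process-creation and service-install records. The “ulms” prefix comes from the sample Fortinet analyzed; the record fields and the sample records are constructed assumptions for demonstration.

```python
import re
from typing import Dict, List

# Prefix reported by Fortinet for the analyzed sample; other builds may differ.
PREFIX = "ulms"
CLONE_NAME = re.compile(rf"^{PREFIX}[a-z0-9]{{4,}}\.exe$", re.IGNORECASE)

# Constructed sample telemetry (not real logs): Sysmon-style process creations.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Users\bob\Downloads\Invoice_Amazon.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\bob\AppData\Roaming\ulmsk3jd9q.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Users\bob\AppData\Roaming\ulmsb7ht2m.exe"},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 200, "ppid": 1,   "image": r"C:\Program Files\Editor\editor.exe"},
]
# Constructed sample service installs (image path of each registered service).
SERVICES = [
    {"name": "Spooler",    "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"name": "ulmsb7ht2m", "image_path": r"C:\Users\bob\AppData\Roaming\ulmsb7ht2m.exe"},
]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def is_clone_name(path: str) -> bool:
    """True when the file name is the fixed prefix followed by a random-looking tail."""
    return CLONE_NAME.match(basename(path)) is not None

def find_clone_chains(events: List[Dict]) -> List[List[int]]:
    """Return pid chains [dropper, clone1, clone2] where a clone spawned a differently named clone."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not (is_clone_name(e["image"]) and is_clone_name(parent["image"])):
            continue
        if basename(e["image"]).lower() == basename(parent["image"]).lower():
            continue  # a plain restart of the same binary is not the clone pattern
        chain = [e["pid"], parent["pid"]]
        grand = by_pid.get(parent["ppid"])
        if grand is not None:
            chain.append(grand["pid"])  # the original dropper that started the chain
        chains.append(list(reversed(chain)))
    return chains

def find_clone_services(services: List[Dict]) -> List[str]:
    """Service names whose binary carries the clone naming pattern."""
    return [s["name"] for s in services if is_clone_name(s["image_path"])]
```

Tuning the prefix and the minimum random-tail length to what your own sandbox reports keeps the rule tight; the chain check, not the prefix alone, is what separates the clone behaviour from an ordinary restart.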

Its latest versions also use code obfuscation, dead code and encryption. Bayrob now encrypts the data it harvests from the victim’s computer before exfiltrating it. The encryption usually hinders security researchers’ analysis and anti-malware software’s detection.


Bayrob’s communications with its command & control server are also encrypted and use a custom protocol over TCP/IP.

Finally, here is a list of Bayrob’s detection names, via VirusTotal:

  • Trojan.Bayrob.1 [Dr.Web]
  • a variant of Win32/Bayrob.AA [ESET-NOD32]
  • W32/Bayrob.T!tr [Fortinet]
  • Trojan.Win32.Bayrob [Ikarus]
  • TrojanSpy:Win32/Nivdort.AF [Microsoft]
  • Mal/Bayrob-B [Sophos]
  • TROJ_BAYROB.SM0 [TrendMicro-HouseCall]
  • Gen:Variant.Diley.1 [Bitdefender]
  • Win32/Cryptor [AVG]

Remove Bayrob Trojan and Protect Your System

As with other Trojans, the most secure way to prevent an infection is to keep active anti-malware protection on the system. If you have been affected, refer to the removal steps below to try to remove the Trojan completely, automatically or manually.


Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
