Bayrob Trojan Latest Version Clones Itself, Launches Multiple Processes

A rather strong wave of old malware is resurfacing on the Web. In this article we analyze the Bayrob Trojan (Win32/Bayrob, Trojan.Bayrob!gen8, Trojan.Bayrob), which hadn’t been active for at least 9 years. The threat has been updated and set loose again. Bayrob’s malicious code is now more precise and in line with current malware.

Threat Summary

Name: Bayrob Trojan
Type: Trojan, Infostealer, Backdoor
Short Description: The Trojan hasn’t been active for over 9 years, but has just been caught active again by security researchers.
Symptoms: An error message is displayed: “This application is not compatible with the recent version of Windows you’re running…”.
Distribution Method: Spam email attachments.

A Look into Bayrob’s Latest Infections

Bayrob December 2015

Bayrob hasn’t been active since 2007, at least not in aggressive and widespread campaigns. However, the threat re-emerged last winter, in December, when it was spotted again by security researchers. Bayrob was spreading via malicious email attachments that tried to impersonate Amazon.

Bayrob is classified as an infostealer and backdoor Trojan. During December’s attacks, the Trojan was set to steal the following details from a victim’s machine and send them to a command and control server:

  • OS version
  • Computer Name
  • PC’s IP Address
  • Information about the OS and system settings
  • MAC address
  • List of running services

Bayrob was spotted active again about 2 weeks ago. Apparently, the Trojan has new versions, and its code has been modified to evade reverse engineering and detection.

Bayrob Version 2016

What hasn’t changed in Bayrob’s code? In both its past and current attacks, the Trojan sets up a proxy server to steal sensitive information from victim machines. What’s new in Bayrob is its improved ability to avoid detection and to clone itself, launching multiple processes. Each of the processes (services) handles its own malicious task.

Fortinet researchers have discovered that Bayrob’s original sample:

drops one copy of itself, runs the first copy, and exits. The name of the first copy is a fixed prefix (“ulms” in the sample we analyzed), appended with a randomly generated string. The original process also displays a fake error message to hide its actual malicious behavior. Below [see picture] shows how it achieves this and the actual message. The first copy then drops another copy of itself. It also creates and starts a service, as shown below. The service runs major tasks such as C&C communication.


Bayrob can also tell which stage of its lifecycle a given process or service is in by the file name it runs under. The Trojan also drops identifiers to recognize its lifecycle stage.
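To turn the lifecycle just described into something a defender can look for, here is an added example (not from the article and not Fortinet’s code) that correlates constructed process-creation and service-install records: it flags a child process whose binary has the same hash as its parent but a new file name made of a fixed prefix plus a random suffix, and notes when a service is installed pointing at such a clone. The record fields, the suffix length and the hash values are assumptions.

```python
import re

# Constructed Sysmon-style records (not from the article). "sha256" values
# are placeholders, not real Bayrob indicators.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1,   "image": r"C:\Users\u\Downloads\invoice.exe", "sha256": "H1"},
    {"type": "proc", "pid": 101, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\ulmsxq7k2p.exe", "sha256": "H1"},
    {"type": "proc", "pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\ulmsa9c4ze.exe", "sha256": "H1"},
    {"type": "svc",  "pid": 101, "name": "ulms", "image": r"C:\Users\u\AppData\Local\Temp\ulmsa9c4ze.exe"},
    {"type": "proc", "pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\notepad.exe", "sha256": "H2"},
    {"type": "proc", "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "sha256": "H3"},
]

# Fixed prefix "ulms" (from the analysed sample) followed by a random suffix;
# the minimum suffix length of 4 is an assumption.
CLONE_NAME = re.compile(r"^ulms[a-z0-9]{4,}\.exe$", re.IGNORECASE)


def basename(path):
    """File name part of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def find_clone_chains(events):
    """Return one finding per process that looks like a renamed self-copy of its parent."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    services = [e for e in events if e["type"] == "svc"]
    findings = []
    for proc in procs.values():
        parent = procs.get(proc["ppid"])
        if parent is None:
            continue
        child_name = basename(proc["image"])
        # Rule 1: identical binary (same hash) launched under a new name that
        # follows the prefix+random pattern -> the "drop a copy, run it" step.
        if (proc["sha256"] == parent["sha256"]
                and child_name.lower() != basename(parent["image"]).lower()
                and CLONE_NAME.match(child_name)):
            reasons = ["self-clone with fixed prefix"]
            # Rule 2: a service installed by this chain whose binary is a clone
            # -> the "create and start a service" step.
            for svc in services:
                if svc["pid"] in (proc["pid"], parent["pid"]) and CLONE_NAME.match(basename(svc["image"])):
                    reasons.append(f"service {svc['name']!r} installed by pid {svc['pid']}")
            findings.append({"pid": proc["pid"], "parent": parent["pid"],
                             "image": proc["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_clone_chains(EVENTS):
        print(f["pid"], f["image"], "|", "; ".join(f["reasons"]))
```

In a real deployment the hash and parent fields would come from process-creation telemetry (for example Sysmon event 1 with its hash field enabled) and the service records from service-install events; the prefix would be treated as a tunable indicator rather than a constant.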

Its latest versions also use code obfuscation, dead code and encryption. Bayrob now encrypts the data it harvests and exfiltrates from the victim’s computer. Such encryption typically hampers security researchers’ analysis and anti-malware detection.

Bayrob’s communications with its command & control server are also encrypted, using a custom protocol over TCP/IP.

Finally, here is a list of Bayrob’s detection names, via VirusTotal:

  • Trojan.Bayrob.1 [Dr.Web]
  • a variant of Win32/Bayrob.AA [ESET-NOD32]
  • W32/Bayrob.T!tr [Fortinet]
  • Trojan.Win32.Bayrob [Ikarus]
  • TrojanSpy:Win32/Nivdort.AF [Microsoft]
  • Mal/Bayrob-B [Sophos]
  • TROJ_BAYROB.SM0 [TrendMicro-HouseCall]
  • Gen:Variant.Diley.1 [Bitdefender]
  • Win32/Cryptor [AVG]

Remove Bayrob Trojan and Protect Your System

As with other Trojans, the most secure way to prevent an infection is to keep active anti-malware protection on the system. If you have been affected, refer to the removal steps below to remove the Trojan completely, either automatically or manually.


Milena Dimitrova