Trojan-Downloader.Win32.Genome.bbov


1. What is the Trojan-Downloader.Win32.Genome.bbov

Trojan-Downloader.Win32.Genome.bbov is a malicious Trojan that runs in the background and allows hackers remote access to the infected PC. It modifies other files on the system by infecting or overwriting them, and it can also download corrupt files to the local computer that may pose a security risk. Trojan-Downloader.Win32.Genome.bbov may be installed on a system when a user unknowingly visits a malicious website, and it uses rootkit technology to evade scanners. Trojan-Downloader.Win32.Genome.bbov poses a severe threat to any computer and should be removed immediately.


2. Technical Details


a. The following files were created in the system:

#   Filename(s)                                         File Size
1   c:\DelUS.bat                                        0 bytes
2   %AppData%\InfoBoan_business_s.exe                   0 bytes
3   %AppData%\rushmore\rushmore.exe                     397,312 bytes
4   %Temp%\nsoC.tmp\SelfDelete.dll                      24,576 bytes
    %Temp%\nsoD.tmp\SelfDelete.dll
5   %ProgramFiles%\InfoBoan\InfoBoan.exe                5,870,592 bytes
6   %ProgramFiles%\InfoBoan\InfoBoancfg.exe             1,885,184 bytes
7   %ProgramFiles%\InfoBoan\InfoBoanMon.exe             783,872 bytes
8   %ProgramFiles%\InfoBoan\uninst.exe                  151,163 bytes
9   %ProgramFiles%\papa21_v255\papa21_v255.exe          49,152 bytes
10  %ProgramFiles%\papa21_v255\papa21_v255_mucode.bak   14 bytes
11  %ProgramFiles%\papa21_v255\uninstall.exe            32,768 bytes
12  %Windir%\dp_navi21_v120_dboot.dll                   23 bytes
13  %Windir%\kp_navi21_v120_keyver.dll                  26 bytes
14  %Windir%\kp_navi21_v120_kwlist.dll                  33,511 bytes
15  %Windir%\navi21_v120.exe                            81,920 bytes
16  %Windir%\sp_navi21_v120_sitever.dll                 25 bytes
17  %Windir%\sp_navi21_v120_stlist.dll                  1,484 bytes
18  %Windir%\Temp\business.exe                          0 bytes
19  %Windir%\Temp\cps_down_v120.exe                     28,672 bytes
20  %Windir%\Temp\down_v255_test.exe                    36,864 bytes
21  %Windir%\uninstall_v120.exe                         40,960 bytes
22  %Windir%\up_navi21_v120_urllist.dll                 75 bytes
23  %Windir%\up_navi21_v120_urlver.dll                  25 bytes
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
  • The following directories were created:
    • %AppData%\rushmore
    • %Temp%\nsd3.tmp
    • %Temp%\nse5.tmp
    • %ProgramFiles%\papa21_v255_test_9[1]
    • %System%\soii21_v190_1[1]
    • %Temp%\nsoC.tmp
    • %Temp%\nsoD.tmp
    • %ProgramFiles%\InfoBoan
    • %ProgramFiles%\papa21_v255
  • Notes:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

b. Memory Modifications

  • There was a new process created in the system:

    Process Name      Process Filename               Main Module Size
    navi21_v120.exe   %Windir%\navi21_v120.exe       81,920 bytes
    business.exe      %Windir%\temp\business.exe     229,376 bytes

c. Registry Modifications

    • The following Registry Keys were created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cps_exe_v120_8[1]
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\navi21_v120
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\papa21_v255_test_9[1]
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190_1[1]
      • HKEY_LOCAL_MACHINE\SOFTWARE\rushmore
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • soii21_v190 = "%System%\soii21_v190\soii21_v190.exe"
        • papa21_v255 = "%ProgramFiles%\papa21_v255\papa21_v255.exe"
        • navi21_v120 = "%Windir%\navi21_v120.exe"
        • papa21_v255_test_9[1] = "%InternetCache%\content.ie5\4dqbc1mj\papa21_v255_test_9[1].exe"
        • soii21_v190_1[1] = "%InternetCache%\content.ie5\ctmjkpar\soii21_v190_1[1].exe"
        • rushmore = "%AppData%\rushmore\rushmore.exe"
        • cps_exe_v120_8[1] = "%InternetCache%\content.ie5\ctmjkpar\cps_exe_v120_8[1].exe"

        These Run values cause papa21_v255.exe, navi21_v120.exe and rushmore.exe to run every time Windows starts.

      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cps_exe_v120_8[1]]
        • DisplayName = "cps_exe_v120_8[1]"
        • UninstallString = "%InternetCache%\content.ie5\ctmjkpar\uninstall_v120.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\navi21_v120]
        • DisplayName = "navi21_v120"
        • UninstallString = "%Windir%\uninstall_v120.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\papa21_v255_test_9[1]]
        • DisplayName = "papa21_v255_test_9[1]"
        • UninstallString = "%ProgramFiles%\papa21_v255_test_9[1]\uninstall.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190]
        • DisplayName = "soii21_v190"
        • UninstallString = "%System%\soii21_v190\uninstall.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190_1[1]]
        • DisplayName = "soii21_v190_1[1]"
        • UninstallString = "%System%\soii21_v190_1[1]\uninstall.exe"
      • [HKEY_LOCAL_MACHINE\SOFTWARE\rushmore]
        • version = "20101018"
        • today = "101022"

d. Other details

  • The following ports were open in the system:

    Port   Protocol   Process
    1069   UDP        navi21_v120.exe (%Windir%\navi21_v120.exe)
    1070   TCP        navi21_v120.exe (%Windir%\navi21_v120.exe)
    1095   TCP        business.exe (%Windir%\Temp\business.exe)
    1096   TCP        business.exe (%Windir%\Temp\business.exe)

  • There were registered attempts to establish a connection with remote hosts. The connection details are:

    Remote Host        Port Number
    115.68.2.15        80
    115.68.4.116       80
    116.125.120.213    80
    116.125.120.236    80
    116.125.120.248    80
    118.218.219.97     80
    • The data identified by the following URLs was then requested from the remote web server:
      • http://115.68.2.15/infob/business.exe
      • http://www.save21.pe.kr/down/m/ver255/down_v255_test.exe
      • http://www.save21.pe.kr/down/m/ver255/papa21_v255_test_9.exe
      • http://www.soii21.pe.kr/act/exelistall.asp?uncode=190
      • http://www.soii21.pe.kr/act/downlist.asp?uncode=190
      • http://www.soii21.pe.kr/userhistory/userconnectall_com.asp?subCode=1&uncode=190&cCode=3255961&mCode=test&lCode=COMPUTERNAME
      • http://www.soii21.pe.kr/act/actexeall.asp?uncode=190&usemcode=test
      • http://www.ns21.pe.kr/DownLoad/c/ver120/cps_down_v120.exe
      • http://www.navi21.pe.kr/newact/exefileall.asp
      • http://www.navi21.pe.kr/newact/exename.asp?uncode=120
      • http://www.navi21.pe.kr/DownLoad/c/ver120/cps_exe_v120_8.exe
      • http://www.navi21.pe.kr/NewAct/GetSiteFileTime.asp
      • http://www.navi21.pe.kr/download/keylist/sitelist.txt
      • http://www.navi21.pe.kr/NewAct/GetKeyFileTime.asp
      • http://www.navi21.pe.kr/download/keylist/keylistnew.txt
      • http://www.navi21.pe.kr/NewAct/GetUrlFileTime.asp
      • http://www.navi21.pe.kr/download/keylist/urllist.txt
      • http://www.navi21.pe.kr/download/c/ver120/uninstall_v120.exe
      • http://www.navi21.pe.kr/NewAct/UserConnectAll.asp?uncode=120&dsend=N&bsend=N
      • http://www.papa21.pe.kr/act/actexeall.asp?uncode=255&usemcode=test
      • http://www.papa21.pe.kr/act/downlist.asp?uncode=255
      • http://www.papa21.pe.kr/userhistory/userconnectall_com.asp?subCode=1&uncode=255&cCode=9023720&mCode=test&lCode=COMPUTERNAME
      • http://www.papa21.pe.kr/userhistory/userconnectall_com.asp?subCode=1&uncode=255&cCode=9023738&mCode=test&lCode=COMPUTERNAME
      • http://www.papa21.pe.kr/act/exelistall.asp?uncode=255
      • http://www.koz21.pe.kr/sub/u/ver190/soii21_v190_1.exe
      • http://www.koz21.pe.kr/sub/u/ver190/uninstall_soii21_v190.exe


    3. How-to's

    a. How to prevent Trojan-Downloader.Win32.Genome.bbov?

    Keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connection and help ensure your network and business security.

    b. How to remove Trojan-Downloader.Win32.Genome.bbov manually?

    Step 1: End Processes
    1. Press "Ctrl" + "Shift" + "Esc" to open the Windows Task Manager.
    2. Click on the "Processes" tab of the Windows Task Manager.
    3. Click on "Show Processes From All Users."
    4. End the following processes. To end a process, right-click on it and select "End Process."
    navi21_v120.exe
    business.exe
    5. Close the Windows Task Manager.

    Step 2: Delete Files
    1. Click on the "Start" menu and then click on the "Search Programs and Files" box.
    2. Search for and delete the following files. To delete a file, right-click on it and select "Delete."
    c:\DelUS.bat
    %AppData%\InfoBoan_business_s.exe
    %AppData%\rushmore\rushmore.exe
    %Temp%\nsoC.tmp\SelfDelete.dll
    %Temp%\nsoD.tmp\SelfDelete.dll
    %ProgramFiles%\InfoBoan\InfoBoan.exe
    %ProgramFiles%\InfoBoan\InfoBoancfg.exe
    %ProgramFiles%\InfoBoan\InfoBoanMon.exe
    %ProgramFiles%\InfoBoan\uninst.exe
    %ProgramFiles%\papa21_v255\papa21_v255.exe
    %ProgramFiles%\papa21_v255\papa21_v255_mucode.bak
    %ProgramFiles%\papa21_v255\uninstall.exe
    %Windir%\dp_navi21_v120_dboot.dll
    %Windir%\kp_navi21_v120_keyver.dll
    %Windir%\kp_navi21_v120_kwlist.dll
    %Windir%\navi21_v120.exe
    %Windir%\sp_navi21_v120_sitever.dll
    %Windir%\sp_navi21_v120_stlist.dll
    %Windir%\Temp\business.exe
    %Windir%\Temp\cps_down_v120.exe (detected as Trojan-Downloader.Win32.VB [Ikarus], Win-Trojan/Adload.28672.AV [AhnLab])
    %Windir%\Temp\down_v255_test.exe (detected as Win-Trojan/Spack.36864.F [AhnLab])
    %Windir%\uninstall_v120.exe
    %Windir%\up_navi21_v120_urllist.dll
    %Windir%\up_navi21_v120_urlver.dll

    3. Delete the following directories created by the trojan:
    %AppData%\rushmore
    %Temp%\nsd3.tmp
    %Temp%\nse5.tmp
    %ProgramFiles%\papa21_v255_test_9[1]
    %System%\soii21_v190_1[1]
    %Temp%\nsoC.tmp
    %Temp%\nsoD.tmp
    %ProgramFiles%\InfoBoan
    %ProgramFiles%\papa21_v255
     

    Step 3: Remove the following Trojan-Downloader.Win32.Genome.bbov registry keys and values

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cps_exe_v120_8[1]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\navi21_v120
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\papa21_v255_test_9[1]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190_1[1]
    HKEY_LOCAL_MACHINE\SOFTWARE\rushmore

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      soii21_v190 = "%System%\soii21_v190\soii21_v190.exe"
      papa21_v255 = "%ProgramFiles%\papa21_v255\papa21_v255.exe"
      navi21_v120 = "%Windir%\navi21_v120.exe"
      papa21_v255_test_9[1] = "%InternetCache%\content.ie5\4dqbc1mj\papa21_v255_test_9[1].exe"
      soii21_v190_1[1] = "%InternetCache%\content.ie5\ctmjkpar\soii21_v190_1[1].exe"
      rushmore = "%AppData%\rushmore\rushmore.exe"
      cps_exe_v120_8[1] = "%InternetCache%\content.ie5\ctmjkpar\cps_exe_v120_8[1].exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cps_exe_v120_8[1]]
      DisplayName = "cps_exe_v120_8[1]"
      UninstallString = "%InternetCache%\content.ie5\ctmjkpar\uninstall_v120.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\navi21_v120]
      DisplayName = "navi21_v120"
      UninstallString = "%Windir%\uninstall_v120.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\papa21_v255_test_9[1]]
      DisplayName = "papa21_v255_test_9[1]"
      UninstallString = "%ProgramFiles%\papa21_v255_test_9[1]\uninstall.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190]
      DisplayName = "soii21_v190"
      UninstallString = "%System%\soii21_v190\uninstall.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\soii21_v190_1[1]]
      DisplayName = "soii21_v190_1[1]"
      UninstallString = "%System%\soii21_v190_1[1]\uninstall.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\rushmore]
      version = "20101018"
      today = "101022"
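Before deleting anything, a defender will usually want to confirm which of the indicators listed in Steps 1 to 3 are actually present on a host. The following read-only PowerShell audit is an added example and is not part of the original report; it assumes the report's %System% corresponds to $env:windir\System32 and only prints what it finds.

```powershell
# Added example, not part of the original report: a read-only audit that
# checks a host for the Trojan-Downloader.Win32.Genome.bbov indicators listed
# in the removal steps above. It only reports; it deletes nothing.
# Assumption: the report's %System% corresponds to $env:windir\System32.
$indicatorFiles = @(
    'c:\DelUS.bat',
    "$env:APPDATA\InfoBoan_business_s.exe",
    "$env:APPDATA\rushmore\rushmore.exe",
    "$env:ProgramFiles\InfoBoan\InfoBoan.exe",
    "$env:ProgramFiles\InfoBoan\InfoBoanMon.exe",
    "$env:ProgramFiles\papa21_v255\papa21_v255.exe",
    "$env:windir\navi21_v120.exe",
    "$env:windir\Temp\business.exe",
    "$env:windir\Temp\cps_down_v120.exe",
    "$env:windir\Temp\down_v255_test.exe",
    "$env:windir\uninstall_v120.exe",
    "$env:windir\System32\soii21_v190\soii21_v190.exe"
)
# Persistence entries named in the report (Run values and Uninstall keys).
$runValues = @('soii21_v190', 'papa21_v255', 'navi21_v120', 'papa21_v255_test_9[1]',
               'soii21_v190_1[1]', 'rushmore', 'cps_exe_v120_8[1]')
$uninstallKeys = @('cps_exe_v120_8[1]', 'navi21_v120', 'papa21_v255_test_9[1]',
                   'soii21_v190', 'soii21_v190_1[1]')
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$uninstallBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

$findings = New-Object System.Collections.Generic.List[string]
foreach ($f in $indicatorFiles) {
    # -LiteralPath: several names contain "[1]", which -Path would treat as a wildcard.
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}
$run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($v in $runValues) {
        $prop = $run.PSObject.Properties[$v]
        if ($prop) { $findings.Add("Run value: $v = $($prop.Value)") }
    }
}
foreach ($k in $uninstallKeys) {
    if (Test-Path -LiteralPath "$uninstallBase\$k") { $findings.Add("Uninstall key: $k") }
}
if (Test-Path -LiteralPath 'HKLM:\SOFTWARE\rushmore') { $findings.Add('key: HKLM\SOFTWARE\rushmore') }
# Processes the report observed running.
Get-Process -Name navi21_v120, business -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("process running: $($_.ProcessName) (PID $($_.Id))") }

if ($findings.Count -eq 0) { 'No Genome.bbov indicators found.' } else { $findings }
```

Run it from an elevated PowerShell prompt so the HKLM keys and %Windir% paths are readable; a clean host prints the single "No Genome.bbov indicators found." line.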

    c. How to remove these trojans instantly?

    Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.

     

    4. Appendix

    For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm
