PWS-Banker.gen.bq.dr

Type: Trojan
SubType: Dropper
Discovery Date: 11/30/2007
Length:
Minimum DAT: 5655 (06/23/2009)
Updated DAT: 5656 (06/24/2009)
Minimum Engine: 5.2.00
Description Added: 11/30/2007
Description Modified: 06/22/2009 6:38 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When this Trojan is executed, it drops the following files:

%System%\bekbn.dll (http://vil.nai.com/vil/content/v_160660.htm)
%System%\inform.dat
%System%\fkas

Note:

  • %System% is a variable location and refers to the Windows system directory.
  • This Trojan by itself doesn’t create any startup registry entries, and hence doesn’t execute on system startup.
  • The dropped DLL is registered as a BHO (Browser Helper Object) by the Trojan.

It creates the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}

HKCR\CLSID\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}\InprocServer32

  • Default = "bekbn.dll"
  • ThreadingModel = "Appartment"

HKCR\CLSID\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}\ProgID\

  • Default = "glok"

HKCR\CLSID\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}\TypeLib\

  • Default = "{9442242A-F8B0-4dcb-94FB-F49515A3D19D}"

It tries to connect to "grea[removed].info" on TCP port 80.

Symptoms

The presence of the files and registry keys listed above is a good indication that a system is infected with this Trojan.
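The BHO registration and dropped files above are the host-level indicators a defender can check for. The following PowerShell audit is an added example, not part of the McAfee description: it enumerates every registered Browser Helper Object, resolves each CLSID to the DLL named in its InprocServer32 key, and flags the CLSID and file names from this description. It assumes %System% maps to %SystemRoot%\System32 and that it runs from an elevated prompt.

```powershell
# Added example (not from the McAfee description). Enumerates registered BHOs,
# resolves each to its DLL and flags the indicators from this description.
# Assumes Windows PowerShell 3+ and read access to HKLM / HKCR.

$KnownClsid = '{10C0B0C0-FC01-473b-8EBB-4376353F96E4}'   # BHO CLSID from the description
$KnownDll   = 'bekbn.dll'                                 # dropped DLL name from the description
# Assumption: %System% is %SystemRoot%\System32 on this host.
$KnownFiles = @('bekbn.dll', 'inform.dat', 'fkas') |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

# On 64-bit Windows, 32-bit BHOs may also be registered under Wow6432Node.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoEntries {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $clsid = $key.PSChildName
            # InprocServer32 (Default) names the DLL that Internet Explorer loads for this BHO
            $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = if (Test-Path $srvKey) { (Get-ItemProperty -Path $srvKey).'(default)' } else { $null }
            [pscustomobject]@{
                Clsid      = $clsid
                Dll        = $dll
                Suspicious = ($clsid -ieq $KnownClsid) -or
                             ($dll -and ([IO.Path]::GetFileName($dll) -ieq $KnownDll))
            }
        }
    }
}

$entries = @(Get-BhoEntries)
$entries | Format-Table -AutoSize

$hits    = @($entries | Where-Object Suspicious)
$present = @($KnownFiles | Where-Object { Test-Path $_ })

if ($hits.Count -eq 0 -and $present.Count -eq 0) {
    Write-Host 'No indicators from this description were found.'
} else {
    $hits    | ForEach-Object { Write-Warning "Suspicious BHO $($_.Clsid) -> $($_.Dll)" }
    $present | ForEach-Object { Write-Warning "Dropped file present: $_" }
}
```

Any BHO whose DLL lives outside %ProgramFiles% or %System% is worth a second look even if it does not match these indicators, since the same persistence technique is reused by other banking Trojans.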

Method of Infection

This password stealer may spread via removable devices.

Infection starts either with manual execution of the infected file or by simply navigating to the folders containing the infected files, whereby the “Autorun.inf” file could cause automatic execution of the worm.

The malware can also spread manually, under the premise that the executable is something beneficial. It may also be received as a result of poor security practices, or on unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.

Removal

Use current engine and DAT files for detection and removal. Removal requires removing the entry in the SYSTEM.INI file and restarting in MS-DOS mode to delete the file manually from the Windows and Windows\System folders.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
