About a month ago, I used PyInstaller and Inno Setup to produce an installer for my Python 3 script. My AVG Business Edition AntiVirus just started complaining with today's update that the program has an SCGeneric Trojan Horse in the main .exe file used to start the program (in the folder created by PyInstaller that has all of the Python "guts"). At first I just thought it was a false positive in AVG, but submitting the .exe file to VirusTotal I get this analysis:
PyInstaller comes with pre-compiled bootloader binaries for different OSs. I suggest compiling them yourself on your machine. Make sure everything is consistent on your machine. For Windows 64-bit, install Python 64-bit. Download PyInstaller 64-bit for Windows. Make sure Visual Studio (VS) corresponding to your Python is installed, check below:
Compile the bootloader of PyInstaller on your machine with VS. It automatically updates the run.exe, runw.exe, run_d.exe, runw_d.exe in DownloadedPyinstallerFolder\PyInstaller\bootloader\Windows-64bit. Check below for more info on how to compile the bootloader:
I was able to submit the file in question to AVG's "Report a false detection" page, at -sample. I received a response back fairly quickly (I can't remember exactly how long, but it was less than a day) that they had analyzed my file and determined that it did not have a virus. They said that they had adjusted their virus definitions so that it would not trigger a false positive anymore. I updated my definitions and it was still triggering, so I contacted them again with my virus definition version, and I heard back that the version I had wasn't high enough - I think there was some delay on my definitions because I get them from a local server. But within a day I had the right version of the definitions and the false positive didn't trigger anymore.
In my case the first exe build was accepted by the antivirus (Windows Defender) but subsequent builds were flagged as having a trojan. I solved it by using the pyinstaller --clean option every time I built the executable.
And by the way, it didn't work on 3.4.0, so I just randomly picked that version (4.1) and it's pretty good looking so far :> I'm pretty sure that it works on more than only that one version, but that is the one I experienced personally.
I had a similar problem with a pyinstaller exe under Windows. Avira put that file into quarantine since it was considered potentially dangerous (due to heuristics, which means that some segments look typical for a virus, but no virus is actually found).
Keep in mind that the exe files you generate yourself are unique (as a consequence, the Avast scanner usually returns a message "you have found a rare file, we are doing a quick test", and delays execution for 15 seconds to perform a more thorough test).
I tried to do it with PyInstaller, but the error remained. The way I resolved this situation was to use the cx_Freeze library instead of PyInstaller; it helped me with the problem. The only difference is that setup.py must be used.
The Bearfoos Trojan is a dangerous new threat being released on the Internet to gamers worldwide, mainly via malicious Dungeon Fighter Online game files. There is no information available about the hackers behind it; we presume that they may be experienced, as they have been able to integrate malicious code into such payload carriers.
Every single attack campaign can feature a different malware tactic. This includes the most common ones such as information harvesting, removal and bypass of security software and changing important computer parameters. Most of the samples will make modifications to the Windows Registry thereby leading to possible performance issues and loss of data.
The Bearfoos Trojan can be spread using a variety of different tactics. There are many variants of it which are spread using various collectives. Our security research shows that there are many versions using the Bearfoos name and alternatives as well. This allows the criminal collectives to launch a multitude of attacks bearing different versions of the malware.
One of the main techniques is the coordination of phishing email messages which coerce the victims to interact with the included content. They are designed to appear as legitimate notifications sent from well-known services and companies. The Bearfoos Trojan files can be either attached or inserted as text links.
Hacker-made sites that pose as legitimate download portals, search engines and software product pages will scam the users into downloading and running the application. They are generally hosted on domains that sound similar to popular sources and may include self-signed security certificates.
To increase the number of infected victims, the criminals can also place the Bearfoos Trojan in payload carriers such as macro-infected documents and malware application bundles. They are widely downloaded from the Internet by end users and may also be found on file-sharing sites such as BitTorrent.
Upon execution, the Bearfoos Trojan starts its infection process immediately. Its main goal is to establish a secure and persistent connection to a hacker-controlled server. This allows the criminals to take over control of the affected computers, steal their data and deploy other threats.
Such malware can execute many different tactics depending on the exact attack campaign. Most of them are used in order to serve as payload carriers for other threats. Popular options are the following:
While both can damage a computer system, the effects of a virus are generally more easily noticed, as the virus will attempt to spread itself to other computers by replicating itself, whereas trojans such as Bearfoos may stay on the system undetected, slowly causing havoc.
SpyHunter stands out as a preferred solution for removing dangerous malware such as the Bearfoos Trojan due to its comprehensive scanning mechanism and user-friendly interface. It goes beyond surface-level scans, delving deep into the system to identify and neutralize threats that other software might overlook. Moreover, SpyHunter is constantly updated to fight against the latest malware variants, ensuring your system remains safeguarded against new threats.
The software is particularly beneficial for users who may not possess extensive technical knowledge. Its intuitive design simplifies the malware removal process, allowing users to secure their systems with just a few clicks. Furthermore, in scenarios where malware proves challenging to eliminate, SpyHunter offers personalized support through its Spyware HelpDesk, providing tailored assistance for complex issues.
In summary, while manual removal is an option for those with the requisite expertise, using SpyHunter is recommended for most users. Its effectiveness, combined with ease of use and dedicated support, makes it an invaluable tool in the fight against FakeBat loader malware and other security threats.
Creating and maintaining robust backups not only helps in quick recovery from cyber incidents but also significantly minimizes potential data loss, making it an indispensable part of your cybersecurity toolkit.
It is recommended to run a scan before purchasing the full version of the software to make sure that the current version of the malware can be detected by SpyHunter.
4. After SpyHunter has finished scanning your PC for any files of the associated threat and found them, you can try to get them removed automatically and permanently by clicking on the 'Next' button.
If any threats have been removed, it is highly recommended to restart your PC.
Step 2: Clean any registries created by Bearfoos Trojan on your computer.
The usually targeted registries of Windows machines are the following:
3. You can remove the value of the virus by right-clicking on it and removing it. Tip: To find a virus-created value, you can right-click on it and click "Modify" to see which file it is set to run. If this is the virus file location, remove the value.
3: After that type the name of the file you are looking for and click on the Search button. This might take some time after which results will appear. If you have found the malicious file, you may copy or open its location by right-clicking on it.
Yes, Trojans, like Bearfoos Trojan, can steal passwords. These malicious programs are designed to gain access to a user's computer, spy on victims and steal sensitive information such as banking details and passwords.
Yes, a Trojan can be removed by factory resetting your device. This is because it will restore the device to its original state, eliminating any malicious software that may have been installed. Bear in mind that there are more sophisticated Trojans that leave backdoors and reinfect even after a factory reset.
Yes, it is possible for a Trojan to infect WiFi networks. When a user connects to the infected network, the Trojan can spread to other connected devices and can access sensitive information on the network.
Yes, Trojans can be deleted. This is typically done by running a powerful anti-virus or anti-malware program that is designed to detect and remove malicious files. In some cases, manual deletion of the Trojan may also be necessary.
Anti-malware programs such as SpyHunter are capable of scanning for and removing Trojans from your computer. It is important to keep your anti-malware up to date and regularly scan your system for any malicious software.
Yes, Trojans can infect USB devices. USB Trojans typically spread through malicious files downloaded from the internet or shared via email, allowing the hacker to gain access to a user's confidential data.