Danger level 6
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel


BS2005 is not a new infection. In fact, it was first discovered back in 2012, but because it is still active, and its creator (Operation Ke3chang) continues to create new malware tools, we need to talk about it. This malware is identified as a Trojan, which means that it uses disguises to slither into an operating system and remain silent until the time to strike comes. In fact, this Trojan can remain silent forever because it does not have an interface, and its malicious processes run in the background. Needless to say, that makes it harder to identify and delete the malicious threat, and deleting it is very important. According to our malware research team, if you do not remove BS2005 immediately, it can record sensitive data and download other malicious files to expand the privileges of remote attackers. So, is this Trojan active on your operating system? Do you need to eliminate it? Continue reading to learn all about it.

Back when BS2005 was most active, it was exploiting the well-known CVE-2015-2545 vulnerability. This vulnerability was discovered in 2015, and it affected Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2013 RT SP1. Using it, the attackers behind BS2005 were able to set up misleading phishing emails to trick users into executing the threat by opening a corrupted attachment. Most notably, the attack was targeted at Indian embassies all over the world, but other targets existed too. Right now, the methods of distribution could have changed, and the Trojan could be targeting new agencies, organizations, or even companies. That being said, patching the CVE-2015-2545 vulnerability is exceptionally important. The patch was included in the MS15-099 Microsoft update, so only extremely outdated systems should still be missing it. Without a doubt, if automatic updates were turned off, or if the vulnerable device was not in use for years, all missed updates must be installed immediately for security reasons. Note that CVE-2015-2545 is NOT the only vulnerability that could help cyber criminals drop malware.

If the malicious BS2005 can slither into an operating system without notice, it is likely to install itself to %ALLUSERSPROFILE%\IEHelper\ as mshtml.dll, but the location and the name of the file could be different in your case. Once the infection is settled, it can start recording information about the victim’s computer. This can help the attackers plan their next moves better. The most important task for BS2005, of course, is to create and delete files, as well as run shell commands. This is how the infection can open up a crack for other dangerous infections to slither in. More recently, a backdoor named Okrum was discovered by malware researchers, and this backdoor was primarily used to drop Ketrican malware. The interesting thing about this malware is that it appears to be derived from the malicious code of BS2005. That means that a new version of the same infection could have been further developed, and the behavior of this malware could be different. Ultimately, hundreds and thousands of Trojans exist, and it is your responsibility to secure your operating system against them all. If you do not do it, you might end up having to remove many different threats, and your virtual security could be seriously jeopardized.

According to our research team, if BS2005 is discovered by a legitimate malware scanner, it is likely that you will find it installed in the %ALLUSERSPROFILE%\IEHelper\ folder. Hopefully, that is the case, and you can delete BS2005 without much trouble. Unfortunately, even if you remove all active infections, your system’s security will not be guaranteed. To ensure that new threats cannot slither in again, you need to establish reliable protection, and we strongly recommend installing legitimate anti-malware software to control the situation. First of all, it will automatically eliminate all active infections. Second, it will secure your system and make sure that new threats cannot slither in again. Of course, you have to do your part as well. First and foremost, do NOT interact with suspicious emails that ask you to open links or attachments. Second, do NOT download unfamiliar programs/files from unreliable sources. Third, do NOT skip Windows security updates because they are likely to include important patches for existing vulnerabilities.

BS2005 Removal

  1. Tap keys Win+E to launch Windows Explorer.
  2. Enter %ALLUSERSPROFILE% into the field at the top.
  3. Check for a folder named IEHelper with a file named mshtml.dll inside.
  4. If you can find it, right-click it and choose Delete.
  5. Empty Recycle Bin.
  6. Install and run a legitimate malware scanner to check which other threats might require removal.
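
The manual check in steps 2-5 can also be scripted. The PowerShell below is an added example, not part of the original guide: it looks for the file at the location named above, records its hash, timestamps and signature status, and (only with `-Quarantine`) moves it aside instead of deleting it. The quarantine folder and the `.quarantined` naming are assumptions made for this example.

```powershell
# Added example: inspect the path from the removal steps and optionally quarantine it.
# Run from an elevated PowerShell prompt.
param(
    # Assumption: quarantine location chosen for this example, not taken from the guide.
    [string]$QuarantineDir = (Join-Path $env:SystemDrive 'Quarantine\BS2005'),
    [switch]$Quarantine
)

$target = Join-Path $env:ALLUSERSPROFILE 'IEHelper\mshtml.dll'

if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
    Write-Output "Not found: $target (the file name and location can differ)."
    return
}

# -Force so hidden or system attributes do not hide the file from Get-Item.
$file = Get-Item -LiteralPath $target -Force
$hash = Get-FileHash -LiteralPath $target -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $target
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }

# The genuine Windows mshtml.dll lives under %SystemRoot%\System32, so a copy
# in this folder is out of place whatever its signature status says.
$evidence = [pscustomobject]@{
    Path            = $file.FullName
    SizeBytes       = $file.Length
    CreatedUtc      = $file.CreationTimeUtc
    ModifiedUtc     = $file.LastWriteTimeUtc
    Attributes      = $file.Attributes.ToString()
    SHA256          = $hash.Hash
    SignatureStatus = $sig.Status.ToString()
    Signer          = $signer
}
$evidence | Format-List

if ($Quarantine) {
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    # Keep the metadata next to the sample so the scanner results can be matched to it.
    $evidence | ConvertTo-Json | Set-Content -Path (Join-Path $QuarantineDir 'evidence.json')
    # Rename on move so nothing can load the DLL by its original name.
    $dest = Join-Path $QuarantineDir ('mshtml.dll.{0}.quarantined' -f $hash.Hash.Substring(0, 12))
    Move-Item -LiteralPath $target -Destination $dest -Force -ErrorAction Stop
    Write-Output "Moved to $dest"
}
```

If the move fails because the file is in use, a running process still has the DLL loaded; the recorded SHA256 can still be checked with the malware scanner from step 6.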