AAEH Downloader Infection Recovery Guide

Number: TR15-002
Date: 09 April 2015

The content of this report is for information purposes only. Links to websites not under the control of the Government of Canada are provided solely for the convenience of users. The Government of Canada is not responsible for the accuracy, currency or reliability of the content. Each individual user is to make decisions of use based on respective needs and technical capabilities.


The purpose of this product is to provide an overview of AAEH, a polymorphic downloader, and to provide guidance on how to recover from computer systems infected by it.

Systems Affected

Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012


AAEH is a polymorphic downloader, also known as Beebone,Vobfus, VBObfus, or Changeup, that is capable of infecting its victims with additional malware, including banking Trojans, rootkits, fake anti-virus and crypto ransomware.

Discovered in 2009, this polymorphic downloader has remained prevalent by employing several techniques. Once installed, it can spread very quickly across networks, removable drives (USB/CD/DVD), and through zip and rar archive files. Its polymorphic capability allows it to avoid detection by constantly changing with every infection and morphing every few hours. Up to six new variants have been detected daily, with 2.25 million samples known to date.


A system infected with AAEH may be employed to distribute malware, harvest users' credentials for online services, including banking services, and extort money from users by encrypting key files and then demanding payment in order to return the files to a readable state. AAEH is capable of defeating anti-virus products by blocking connections to IP addresses associated with Internet security companies and by preventing anti-virus tools from running on infected machines.


CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment.

Removing AAEH Infections

Below is a list of third party tools that can be used to assist in removing AAEH infections. Due to the nature of the malware, the victim machine may be infected with additional malware such as Zeus, Cryptolocker, ZeroAccess, and Cutwail. CCIRC recommends taking this into consideration when implementing an eradication strategy.

The following links to popular tools are for information purposes only and should not be interpreted as an endorsement of any particular tool or technology:

http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)
http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)

http://www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)

http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)

http://www.sophos.com/VirusRemoval (Windows XP-SP2 and above)

Trend Micro
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

https://security.symantec.com/nbrt/npe.aspx (Windows XP and above)


International Police Operation Targets Polymorphic BeeBone Botnet

US-CERT Alert (TA15-098A) AAEH

Shadow Server AAEH/Beebone Botnet

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca

Date modified: