Trojan.Boaxxe.C

MEDIUM
LOW
Size: 88-120 Kbytes
Aliases: Trojan:Win32/Boaxxe.B (OneCare), TR/ATRAPS.Gen (Avira)

Symptoms

When infected, Internet Explorer can display message boxes showing fake warnings and recommending the installation of some rogue antimalware software.

(Screenshot: fake alert message)

Regardless of the option the user picks, Internet Explorer then opens the download site for the aforementioned software.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Deac Razvan-Ioan, virus researcher

Technical Description:

When run, the malware registers itself as a Browser Helper Object by creating the following registry keys:
HKCR\CLSID\\InprocServer32\(Default) - stores the path of the dll file
HKCR\CLSID\\InprocServer32\ThreadingModel - "apartment"

It also creates the following registry keys to mark the presence of specific versions of this malware:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu
These keys contain the encrypted version, CLSID and install path of the malware. If an older version is detected, it is replaced by the new one.
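The BHO registration and the marker keys above are exactly what an administrator can audit from a clean session. The following PowerShell script is an added example written for this page, not Bitdefender's own tool: it enumerates every Browser Helper Object registered under the standard Windows "Browser Helper Objects" list (a location the description does not name but which IE reads on startup), resolves each CLSID to its InprocServer32 DLL path and threading model, reports whether that DLL exists and carries a valid Authenticode signature, and then checks the "Browser Settings" key for the bk, iu and mu markers as either subkeys or values (the page does not say which). Function and variable names are the author's choice; it assumes Windows PowerShell 5.1 or later with read access to HKLM and HKCR.

```powershell
# Added example (not Bitdefender's code): audit registered BHOs and look for the
# Boaxxe "Browser Settings" marker keys described in the technical description.

# Standard Windows locations of the BHO list (each subkey name is a CLSID).
$bhoListPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Marker key and names taken from the page; no other names are documented there.
$markerKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
$markerNames = 'bk', 'iu', 'mu'

function Get-RegisteredBho {
    # Resolve every BHO CLSID to the DLL recorded in HKCR\CLSID\{clsid}\InprocServer32,
    # the same key pair the malware writes when it registers itself.
    foreach ($listPath in $bhoListPaths) {
        if (-not (Test-Path $listPath)) { continue }
        foreach ($sub in Get-ChildItem $listPath) {
            $clsid  = $sub.PSChildName
            $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null; $threading = $null
            if (Test-Path $inproc) {
                $props     = Get-ItemProperty $inproc
                $dll       = $props.'(default)'      # the DLL path
                $threading = $props.ThreadingModel   # "Apartment" for this family
            }
            $exists = [bool]($dll -and (Test-Path $dll))
            [pscustomobject]@{
                CLSID          = $clsid
                Dll            = $dll
                ThreadingModel = $threading
                DllExists      = $exists
                Signed         = if ($exists) { (Get-AuthenticodeSignature $dll).Status -eq 'Valid' } else { $false }
            }
        }
    }
}

function Test-BoaxxeMarker {
    # Returns the marker names present under "Browser Settings", whether they were
    # written as subkeys or as values; an empty result means no marker was found.
    $found = @()
    if (Test-Path $markerKey) {
        $values = Get-ItemProperty $markerKey
        foreach ($n in $markerNames) {
            if (Test-Path (Join-Path $markerKey $n)) { $found += "subkey:$n" }
            elseif ($null -ne $values.$n)           { $found += "value:$n" }
        }
    }
    return $found
}

# Unsigned or missing BHO DLLs are the rows worth a closer look.
Get-RegisteredBho | Format-Table -AutoSize

$markers = Test-BoaxxeMarker
if ($markers) { "Boaxxe marker(s) present under Browser Settings: $($markers -join ', ')" }
else          { "No Boaxxe marker keys found under Browser Settings" }
```

Because the marker values are stored encrypted, the script only reports their presence; on an infected host the BHO row whose DLL is unsigned, sits in an unusual directory, or no longer exists on disk is the one to quarantine, and the marker key can then be deleted once the DLL has been removed.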

Once registered, the dll file is loaded and executed by Internet Explorer.
When active, it downloads files from locations such as:
http://<removed>/ppc/config.php?v=17&u=2359&acln=en-us&s=about:blank
http://<removed>/ppc/config.phpchk
http://<removed>/ppc/dl_upd/upd2359-76c98742.gif

HTTP is used for the file transfer. The traffic is encrypted using custom algorithms.

The downloaded files can be new versions of the malware, or other malicious code to be executed on the infected machine.
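The host names in the download locations above were removed before publication, but the path and query shapes are distinctive enough to search for in web proxy logs. The script below is an added example written for this page, not Bitdefender's own detection: it applies two regular expressions derived from the three URLs listed in the description to a handful of constructed proxy-log lines (the log format, the example.invalid host and the client addresses are all made up for the demo) and reports each match. The numeric id in the .gif file name (2359) is the same value carried in the config.php "u=" parameter, so it is captured as a named group for correlation.

```powershell
# Added example (not Bitdefender's code): flag proxy-log lines whose URL matches the
# Boaxxe download locations from the technical description.

# Constructed sample log: timestamp, client IP, method, URL, status.
$sampleLog = @'
2024-01-01T10:00:00Z 10.0.0.5 GET http://example.invalid/ppc/config.php?v=17&u=2359&acln=en-us&s=about:blank 200
2024-01-01T10:00:01Z 10.0.0.5 GET http://example.invalid/ppc/config.phpchk 200
2024-01-01T10:00:02Z 10.0.0.5 GET http://example.invalid/ppc/dl_upd/upd2359-76c98742.gif 200
2024-01-01T10:00:03Z 10.0.0.7 GET http://example.invalid/images/logo.gif 200
'@

# Patterns derived from the three URLs on the page; "uid" captures the affiliate-style id
# so hits from config.php and dl_upd can be tied together.
$patterns = @(
    [regex]'/ppc/config\.php(?:chk)?(?:\?[^\s]*u=(?<uid>\d+))?'
    [regex]'/ppc/dl_upd/upd(?<uid>\d+)-[0-9a-f]{8}\.gif'
)

function Find-BoaxxeDownload {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        foreach ($p in $patterns) {
            $m = $p.Match($line)
            if (-not $m.Success) { continue }
            $fields = $line -split '\s+'
            [pscustomobject]@{
                Time   = $fields[0]
                Client = $fields[1]
                Url    = $fields[3]
                Uid    = if ($m.Groups['uid'].Success) { $m.Groups['uid'].Value } else { '' }
                Rule   = $p.ToString()
            }
            break   # one report per line is enough
        }
    }
}

# Three of the four constructed lines should be reported; the logo.gif line should not.
Find-BoaxxeDownload -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On real logs, replace $sampleLog with `Get-Content` over the proxy export and group the results by Client and Uid: a client that fetches config.php and then a dl_upd .gif with the same id has completed the update cycle described above, and the .gif it received should be treated as a new malware version rather than an image.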