Symptoms
When infected, Internet Explorer can display message boxes showing fake warnings and recommending the installation of some rogue antispyware software.
Regardless of the option the user picks, Internet Explorer then opens the download site for the aforementioned software.
Removal instructions:
Please let BitDefender disinfect your files.
Analyzed By
Sorin Ciorceri, virus researcher
Technical Description:
At execution it drops a DLL file in %WINDIR%\system32\ whose name mimics another DLL in that directory, the only difference being that the last letter of the original DLL name is missing.
For example: if it chooses "advpack.dll" from %WINDIR%\system32\, it drops a DLL named "advpac.dll".
The malware then registers itself as a BHO (Browser Helper Object) by creating the following registry key with a random CLSID:
HKCR\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\InprocServer32(Default)="path to the dll file"
It also creates the following registry keys to mark the presence of specific versions of this malware:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu
These keys contain the encrypted version, CLSID and install path of the malware. If an older version is detected, it is replaced by the new one.
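As an added example (not part of the original description or of BitDefender's tooling), the naming trick and the BHO registration above can be turned into a simple detection heuristic: flag any DLL whose base name equals another DLL's base name minus its final character, then check whether a CLSID's InprocServer32 server points at one of those files. The directory listing and the CLSID/path mapping below are constructed sample data with placeholder CLSIDs; on a real host they would be read from %WINDIR%\system32 and from HKCR\CLSID.

```python
import ntpath

# Constructed stand-in for a %WINDIR%\system32 listing (sample data only).
SAMPLE_SYSTEM32 = [
    "advpack.dll", "advpac.dll", "shell32.dll", "user32.dll", "kernel32.dll",
    "wininet.dll", "winine.dll", "ntdll.dll", "msvcrt.dll",
]

# Constructed stand-in for HKCR\CLSID\{...}\InprocServer32 (Default) values;
# the CLSIDs are obvious placeholders, not real identifiers.
SAMPLE_INPROC = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\WINDOWS\system32\advpac.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\WINDOWS\system32\shell32.dll",
}


def find_truncated_lookalikes(filenames):
    """Return (suspect, original) pairs where the suspect's base name is the
    original's base name with its last character removed (advpac vs advpack)."""
    dlls = {n.lower() for n in filenames if n.lower().endswith(".dll")}
    hits = []
    for name in sorted(dlls):
        base = name[:-len(".dll")]
        if len(base) < 2:
            continue  # a one-letter name has no meaningful truncation
        candidate = base[:-1] + ".dll"
        if candidate in dlls:
            hits.append((candidate, name))
    return hits


def flag_bho_servers(inproc_servers, filenames):
    """Return the CLSIDs whose InprocServer32 DLL is a truncated lookalike of
    another DLL present in the directory listing."""
    suspects = {suspect for suspect, _ in find_truncated_lookalikes(filenames)}
    flagged = []
    for clsid, path in inproc_servers.items():
        # ntpath handles Windows-style paths regardless of the host OS.
        if ntpath.basename(path).lower() in suspects:
            flagged.append(clsid)
    return sorted(flagged)


if __name__ == "__main__":
    for suspect, original in find_truncated_lookalikes(SAMPLE_SYSTEM32):
        print(f"lookalike: {suspect} (mimics {original})")
    for clsid in flag_bho_servers(SAMPLE_INPROC, SAMPLE_SYSTEM32):
        print(f"suspicious InprocServer32 under CLSID {clsid}")
```

A lookalike pair alone is only a lead, since legitimate DLLs can differ by one trailing character; the CLSID cross-check is what ties the file to a loaded in-process server.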
When Internet Explorer is executed, the DLL file is loaded and the following links are accessed:
http:///ppc/config.phpchk
http:///ppc/config.php?v=18&u=2868&acln=en-us&s=about:blank&sch=n
All the traffic is encrypted, and the server sends "Content-Type: image/gif" in the header of every reply, probably to fool firewalls and other intrusion detection systems into believing the server is only sending a picture.