
Trojan:Win32/BHO.LO


First posted on 28 September 2010.
Source: SecurityHome

Aliases:

Trojan:Win32/BHO.LO is also known as W32/Tango.A.gen!Eldorado (Authentium (Comman)), Adload_r.AJQ (AVG), Adware.Tango.2 (Dr.Web), Win32/Adware.Mirar.B (ESET), Trojan.Adload (Ikarus), Adware/Mirar (Panda).

Explanation:

Trojan:Win32/BHO.LO is the detection for a file downloaded by malicious files detected as TrojanDownloader:QT/Waick.B. It registers itself as a Browser Helper Object (BHO). It may gather information about the computer in which it is installed, and then send this information to a remote server.

Installation

Trojan:Win32/BHO.LO is downloaded as "access.exe" from the website "play.mediainstaller.com" by malicious files detected as TrojanDownloader:QT/Waick.B. Once run, it creates the mutex "BAR" to allow only one instance of itself to run.

It modifies the registry so that it executes every time Windows starts:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Bar"
With data: "<malware file name>"

where <malware file name> is the name that "access.exe" is downloaded as.

Trojan:Win32/BHO.LO checks whether it is running in a virtual machine. If it is, it displays the following message:

"We're sorry, due to licensing requirements this software cannot be run in a virtual environment."

It may display a message box with the following text:

"Install Complete!"

Trojan:Win32/BHO.LO may register itself as a Browser Helper Object (BHO) by creating a subkey in the following key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

It may also create the following registry subkey:

HKLM\Software\RelatedPageInstall

in which it may create the following values:

  • Affiliate
  • Error
  • FirstRun
  • Payload

Modifies browser settings

Trojan:Win32/BHO.LO may enable third-party tool bands and Browser Helper Objects by modifying the following registry entry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Enable Browser Extensions"
With data: "yes"

Steals system information

Trojan:Win32/BHO.LO checks which security updates and antivirus updates are installed in the operating system. It connects to the following server to report its gathered information:

awbeta.net-nucleus.com
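The registry artifacts listed above (the "Bar" Run value, the RelatedPageInstall key and its values, the forced "Enable Browser Extensions" setting, and a subkey under Browser Helper Objects) are the practical hunting indicators for this family. The following is an added example, not code from the original page or from any vendor: it parses a Windows .reg export (as produced by `reg export`) and reports which of those indicators are present. The sample export embedded below is constructed for illustration, and the BHO CLSID in it is a placeholder, not the malware's real class ID.

```python
"""Flag the Trojan:Win32/BHO.LO registry indicators in a .reg export.

Added example; the .reg text below is constructed sample data, and the
all-zero CLSID is a placeholder, not a real indicator.
"""
import re

# Key paths from the write-up, normalised to lower case and HKLM/HKCU roots.
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE = "bar"
RELATED_KEY = r"hklm\software\relatedpageinstall"
RELATED_VALUES = {"affiliate", "error", "firstrun", "payload"}
IE_MAIN_KEY = r"hkcu\software\microsoft\internet explorer\main"
IE_VALUE = "enable browser extensions"
BHO_KEY = r"hklm\software\microsoft\windows\currentversion\explorer\browser helper objects"

LONG_TO_SHORT = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# Constructed sample: one benign Run entry plus every indicator from the page.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Bar"="C:\\Users\\Public\\access.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\Software\RelatedPageInstall]
"Affiliate"="1234"
"FirstRun"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
@=""
"""

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from .reg text.

    Covers the subset of the format needed here: [key] headers, "name"="str"
    lines and @="default" lines. Non-string data is kept as its raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            root, _, rest = line[1:-1].lower().partition("\\")
            current = LONG_TO_SHORT.get(root, root) + "\\" + rest
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes inside string data as "\\".
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name.lower()] = data
    return keys


def find_indicators(keys):
    """Return human-readable findings for each indicator from the write-up."""
    findings = []
    run = keys.get(RUN_KEY, {})
    if RUN_VALUE in run:
        findings.append(f"Run value 'Bar' -> {run[RUN_VALUE]}")
    related = keys.get(RELATED_KEY)
    if related is not None:
        hits = sorted(RELATED_VALUES & set(related))
        findings.append(f"RelatedPageInstall key present (values: {hits})")
    if keys.get(IE_MAIN_KEY, {}).get(IE_VALUE, "").lower() == "yes":
        findings.append("Enable Browser Extensions forced to 'yes'")
    for path in keys:
        if path.startswith(BHO_KEY + "\\"):
            findings.append(f"BHO subkey registered: {path[len(BHO_KEY) + 1:]}")
    return findings


def scan_reg_export(text):
    """Convenience wrapper: parse and evaluate in one call."""
    return find_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_EXPORT):
        print(finding)
```

A BHO subkey by itself is not proof of infection (legitimate toolbars register the same way), so treat that finding as a prompt to resolve the CLSID under HKCR\CLSID and check the DLL it points to; the "Bar" Run value and the RelatedPageInstall key are the more specific matches.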

Analysis by Patrik Vicol

Last update 28 September 2010
