
TrojanSpy:Win32/Bhoban


First posted on 24 August 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Bhoban is also known as Rootkit.Win32.Agent.deob (Kaspersky), W32/Rootkit.EGEO (Norman), Rootkit.Win32.Agent (Ikarus), Mal/Spy-AE (Sophos), TROJ_SPNR.11HH12 (Trend Micro).

Explanation:

TrojanSpy:Win32/Bhoban is malware used to set up malicious Browser Helper Objects (BHO) on an infected computer.

TrojanSpy:Win32/Bhoban may be dropped and run by other malware. When run, it checks the file name hash of the target BHO that it needs to register against the malicious BHO already in the computer. If the hashes match, TrojanSpy:Win32/Bhoban registers the BHO so that it runs automatically every time Internet Explorer starts, by adding an entry under the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

It also hooks the RegCreateKeyExA Windows API to persistently register BHO components even if they have been disabled.

TrojanSpy:Win32/Bhoban has been known to use digital certificates with an untrusted root. If your Internet settings do not allow executables with untrusted roots to run, TrojanSpy:Win32/Bhoban may not run on your computer.
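
The registry key and the untrusted-root signing described above can be checked together on a host. The following is an added example, not part of the original analysis: a read-only PowerShell audit that lists every registered BHO, resolves its DLL and reports the Authenticode status. The WOW6432Node path, the HKLM Classes\CLSID lookup and the function name Get-BhoAudit are assumptions of this example and do not come from the write-up.

```powershell
# Added example (not from the original write-up): read-only audit of registered BHOs.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumption: the 32-bit registry view on 64-bit Windows, not named on the page
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoAudit {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Use the CLSID tree that matches the registry view of the BHO key
        $clsidRoot = if ($key -like '*WOW6432Node*') {
            'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
        } else {
            'HKLM:\SOFTWARE\Classes\CLSID'
        }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $clsid  = $sub.PSChildName          # each BHO is a subkey named by its CLSID
            $inproc = "$clsidRoot\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path -LiteralPath $inproc) {
                # The default value of InprocServer32 holds the DLL path
                $dll = [string](Get-Item -LiteralPath $inproc).GetValue('')
                $dll = $dll.Trim('"')
            }
            $sig = $null
            if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $dll
            }
            [pscustomobject]@{
                Clsid  = $clsid
                BhoKey = $key
                Dll    = $dll
                Status = if ($sig) { $sig.Status } else { 'FileMissing' }
                Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                Detail = if ($sig) { $sig.StatusMessage } else { $null }
                # Anything other than a valid signature with a trusted chain needs a manual look
                Review = (-not $sig) -or ($sig.Status -ne 'Valid')
            }
        }
    }
}

# Entries needing review are listed first
Get-BhoAudit | Sort-Object Review -Descending | Format-List
```

Because the malware is described as re-registering BHO components after they are disabled, running the audit again after cleanup shows whether a flagged entry has reappeared.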



Analysis by Zarestel Ferrer

Last update 24 August 2012
