
Trojan:Win32/Boaxxe.E


First posted on 14 December 2009.
Source: SecurityHome

Aliases :

Trojan:Win32/Boaxxe.E is also known as Trojan-Dropper.Win32.Boaxxe.bg (Kaspersky), Trojan.DR.Boaxxe.DNG (VirusBuster), Clicker.ADNM (AVG), Win32/TrojanClicker.Delf.NHC (ESET), Trj/Boaxxe.Q (Panda), WORM_DOWNAD.GJX (Trend Micro).

Explanation :

Trojan:Win32/Boaxxe.E is a trojan that drops other malware, detected as Trojan:Win32/Boaxxe.F, on the system and registers the dropped file under several autostart mechanisms, so that removing any one of them is not enough to stop it loading.

Payload

Drops and installs other malware

Upon execution, Trojan:Win32/Boaxxe.E drops a DLL file with a random file name into the Windows system folder. The dropped file is detected as Trojan:Win32/Boaxxe.F and is registered as a Browser Helper Object (BHO), so that Internet Explorer loads it at startup. For example, for the dropped file 'dwjvzib.dll', the CLSID used to register it as a BHO is the following:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B6FD59E-CAD7-41D3-98B8-51ACCA596EF8}

Trojan:Win32/Boaxxe.E also creates a scheduled task that runs every day at a specific time and loads the dropped file through rundll32.exe. The task contains the following command:

  rundll32.exe <system folder>\<malware file name>.dll, DllMain

It also installs its dropped file as a service hosted by svchost.exe in the 'netsvcs' service group, which is how many legitimate Windows services are hosted. For example, the dropped file 'dwjvzib.dll' may be installed under the service name 'mqxblzgd' with the display name 'Mouse Class Monitor':

  Adds value: "ServiceDll"
  With data: "<system folder>\dwjvzib.dll"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\mqxblzgd\Parameters

  Adds value: "ImagePath"
  With data: "%SystemRoot%\System32\svchost.exe -k netsvcs"
  Adds value: "Description"
  With data: "Monitor for Mouse Class"
  Adds value: "DisplayName"
  With data: "Mouse Class Monitor"
  To subkey: HKLM\SYSTEM\CurrentControlSet\Services\mqxblzgd

Trojan:Win32/Boaxxe.E also ensures that its dropped file is loaded into the 'Winlogon' process by registering it as a Winlogon notification package, creating a registry subkey with a random name and the following entry, for example:

  Adds value: "DLLName"
  With data: "dwjvzib.dll"
  To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ovmpvnzn

Because the DLLName value carries no directory, Winlogon resolves it through the normal DLL search path, which finds the copy in the system folder. Winlogon notification packages are loaded on Windows XP and Windows Server 2003; Windows Vista and later do not honour the Notify key, so on those systems only the BHO, service and scheduled task entries remain effective.
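The three registry-based mechanisms above (BHO, svchost-hosted service with a ServiceDll, Winlogon Notify package) all point at the same dropped DLL. The script below is an added triage example, not code from the original writeup or from Microsoft: it parses a `.reg` export, as produced by `reg export` on the affected machine or from an offline hive, lists each of the three mechanisms, and then flags any DLL that is registered under more than one of them, which is the signal that distinguishes Boaxxe.F from the many legitimate netsvcs services. The sample export is constructed from the key names and values given on this page; the `HKCR\CLSID\{...}\InprocServer32` entry that maps the BHO CLSID to its DLL is an assumption about the full registration, since the page shows only the BHO key, and the `Schedule` and `Spooler` services are included as benign contrast. The parser handles plain REG_SZ (`"name"="data"`) values only.

```python
import re
from dataclasses import dataclass

# Registry locations, lower-cased because registry paths are case-insensitive.
# Note the page abbreviates the services key; live systems and .reg exports
# use CurrentControlSet.
BHO_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
SERVICES_KEY = "hkey_local_machine\\system\\currentcontrolset\\services\\"
NOTIFY_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
CLSID_KEY = "hkey_classes_root\\clsid\\"

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Parse a .reg export (REG_SZ values only) into {key: {value_name: data}}.
    Keys and value names are lower-cased; string data keeps its case."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else m.group(2).lower()
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping of \ and "
        keys[current][name] = data
    return keys


@dataclass(frozen=True)
class Finding:
    technique: str  # which autostart mechanism
    location: str   # CLSID, service name or Notify subkey name
    module: str     # DLL path or file name that gets loaded ("" if unresolved)


def find_persistence(keys):
    """Report every BHO, svchost-hosted ServiceDll and Winlogon Notify package."""
    findings = []
    for key, values in keys.items():
        if key.startswith(BHO_KEY):
            clsid = key[len(BHO_KEY):]
            # A BHO CLSID resolves to its DLL via HKCR\CLSID\{...}\InprocServer32 (assumed present).
            inproc = keys.get(CLSID_KEY + clsid + "\\inprocserver32", {})
            findings.append(Finding("browser_helper_object", clsid, inproc.get("@", "")))
        elif key.startswith(SERVICES_KEY):
            parts = key[len(SERVICES_KEY):].split("\\")
            # ServiceDll sits under Services\<name>\Parameters, ImagePath under Services\<name>.
            if len(parts) == 2 and parts[1] == "parameters" and "servicedll" in values:
                image = keys.get(SERVICES_KEY + parts[0], {}).get("imagepath", "")
                if "svchost.exe" in image.lower():
                    findings.append(Finding("svchost_servicedll", parts[0], values["servicedll"]))
        elif key.startswith(NOTIFY_KEY):
            sub = key[len(NOTIFY_KEY):]
            if "\\" not in sub and "dllname" in values:
                findings.append(Finding("winlogon_notify", sub, values["dllname"]))
    return findings


def modules_by_hook(findings):
    """Group findings by DLL file name -> set of mechanisms it is registered under."""
    by_dll = {}
    for f in findings:
        if f.module:
            by_dll.setdefault(f.module.rsplit("\\", 1)[-1].lower(), set()).add(f.technique)
    return by_dll


def multi_hooked(findings, minimum=2):
    """DLLs registered under at least `minimum` distinct autostart mechanisms."""
    return sorted(d for d, h in modules_by_hook(findings).items() if len(h) >= minimum)


# Constructed sample export using the names from the writeup plus two benign services.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B6FD59E-CAD7-41D3-98B8-51ACCA596EF8}]
[HKEY_CLASSES_ROOT\CLSID\{5B6FD59E-CAD7-41D3-98B8-51ACCA596EF8}\InprocServer32]
@="C:\\WINDOWS\\system32\\dwjvzib.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mqxblzgd]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
"Description"="Monitor for Mouse Class"
"DisplayName"="Mouse Class Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mqxblzgd\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\dwjvzib.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\system32\\spoolsv.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ovmpvnzn]
"DLLName"="dwjvzib.dll"
"""

if __name__ == "__main__":
    found = find_persistence(parse_reg(SAMPLE_REG))
    for f in found:
        print(f"{f.technique:24} {f.location:45} {f.module}")
    print("registered under multiple mechanisms:", multi_hooked(found))
```

Run on a real export, the first listing will contain every legitimate netsvcs service as well, so the useful output is the last line: a DLL that appears as a BHO, a ServiceDll and a Notify package at the same time has no benign explanation. The scheduled task is not in the registry on the Windows versions this family targeted; check `%SystemRoot%\Tasks\*.job` (or `schtasks /query /v`) for a rundll32.exe command naming the same DLL.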

Analysis by Marian Radu

Last update 14 December 2009