Trojan:Win32/Boaxxe


Trojan:Win32/Boaxxe is a family of trojans that install themselves as Browser Helper Objects (BHO). A file detected as Trojan:Win32/Boaxxe may contact remote websites to download and execute arbitrary files.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product.

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:Win32/Boaxxe installs itself as a BHO using a randomly generated file name consisting of letters, for example:
 
  • sytxvusi.dll
  • mlqjzzp.dll
  • bnwrueu.dll
 
The trojan registers itself as a BHO by creating keys in the registry, such as the following:
 
Adds value: "(default)"
With data: "<malware file name>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{random CLSID value}\InprocServer32
 
Adds value: "(default)"
With data: 0
To subkey: HKLM\SOFTWARE\Classes\<random letters>
 
Trojan:Win32/Boaxxe may also install itself as a randomly-named system service:
 
Adds value: "ImagePath"
With data: "%windir%\system32\svchost.exe -k netsvcs"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\<random letters>
 
Adds value: "ServiceDll"
With data: "<malware file name>"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\<random letters>\Parameters
 
Trojan:Win32/Boaxxe also creates a scheduled task to run itself every day at a specific time. The task contains the following command:
 
rundll32.exe <malware file name>, DllMain -
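
As an added defender-side check that is not part of the Microsoft entry, the read-only PowerShell hunt below walks the three persistence locations described above (the BHO registration resolved through its CLSID InprocServer32 value, services launched as "svchost.exe -k netsvcs" with a Parameters\ServiceDll, and scheduled tasks whose action is rundll32.exe) and flags DLLs whose file name is letters-only and carries no valid Authenticode signature. The BHO root key under Explorer and the letters-only name heuristic are assumptions drawn from the sample names listed above, not from the entry.

```powershell
# Added example, not from the Microsoft entry: a read-only hunt over the three
# persistence locations described above (BHO CLSID registration, svchost-hosted
# service with a ServiceDll, and a rundll32 scheduled task). Run elevated.

function Test-SuspiciousDll {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $file = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    $name = [IO.Path]::GetFileNameWithoutExtension($file)
    # Heuristic (assumption) from the sample names: lower-case letters only, e.g. sytxvusi.dll
    $randomName = $name -cmatch '^[a-z]{5,12}$'
    $unsigned = $true   # a path that does not resolve on disk is treated as unsigned
    if (Test-Path -LiteralPath $file) {
        $unsigned = (Get-AuthenticodeSignature -LiteralPath $file).Status -ne 'Valid'
    }
    return ($randomName -and $unsigned)
}

$findings = @()

# 1. BHOs: each subkey name is a CLSID; the loaded DLL is its InprocServer32 default value
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in (Get-ChildItem $bhoRoot -ErrorAction SilentlyContinue)) {
    $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($bho.PSChildName)\InprocServer32"
    $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
    $findings += [PSCustomObject]@{ Source = 'BHO'; Name = $bho.PSChildName; Dll = $dll }
}

# 2. Services run as "svchost.exe -k netsvcs": the real code lives in Parameters\ServiceDll
foreach ($svc in (Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services')) {
    $img = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -match 'svchost\.exe\s+-k\s+netsvcs') {
        $dll = (Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $findings += [PSCustomObject]@{ Source = 'Service'; Name = $svc.PSChildName; Dll = $dll }
    }
}

# 3. Scheduled tasks whose action is rundll32.exe <dll>,<export>
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'rundll32(\.exe)?$' -and $a.Arguments) {
            $dll = ($a.Arguments -split ',')[0].Trim()
            $findings += [PSCustomObject]@{ Source = 'Task'; Name = $task.TaskName; Dll = $dll }
        }
    }
}

$findings | Where-Object { Test-SuspiciousDll $_.Dll } | Format-Table -AutoSize
```

Anything listed is a lead to verify against the file's hash and signer, not a verdict; legitimate software also registers BHOs and netsvcs DLLs, which is why the signature check is combined with the name heuristic rather than used alone.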
Payload
Downloads and executes arbitrary files
Trojan:Win32/Boaxxe contacts remote websites and downloads and executes arbitrary files, possibly including additional malware.
 
Analysis by Jireh Sanico

Symptoms

Alert notifications or detections of this malware from installed antivirus or security software may be the only other symptoms.

Prevention


Alert level: Severe
First detected by definition: 1.71.1473.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Dec 29, 2009
This entry was first published on: Aug 31, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Agent.eysx (Kaspersky)
  • Trojan.Inject.2 (Dr.Web)
  • Trojan.Win32.Boaxxe (Ikarus)
  • Trj/Agent.NYO (Panda)
  • Trojan.Win32.Generic.522ABAD8 (Rising AV)