Trojan:Win32/Bohu.A!Installer


Trojan:Win32/Bohu.A!Installer writes random data into the end of its dropped files to avoid detection based on their hashes.
 
It installs an NDIS intermediate miniport driver and Windows Sockets service provider interface (SPI) to filter network access. It does this to prevent client programs from uploading data to a remote server.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products will detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation

Trojan:Win32/Bohu.A!Installer is installed by TrojanDropper:Win32/Bohu.A.

Payload

Drops and installs other malware

Trojan:Win32/Bohu.A!Installer drops the following files:
 
 
It then appends random data to these files to avoid hash-based detection.
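The hash-evasion trick described above, as an added example that is not code from this write-up: appending bytes after the last PE section changes the whole-file hash, but a hash computed over the PE body only (up to the end of the last section, as read from the section table) ignores that overlay and stays stable. The PE layout used here is constructed inline for the demonstration and is not a real sample.

```python
import hashlib
import os
import struct

def pe_body_length(data: bytes) -> int:
    """Offset where the last section's raw data ends; bytes past it are overlay,
    which is where appended random padding (the Bohu.A trick) lands."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size            # start of section table
    end = table + num_sections * 40                 # 40-byte section headers
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each section header.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if end > len(data):
        raise ValueError("section table points past end of file")
    return end

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def overlay_insensitive_sha256(data: bytes) -> str:
    """Hash of the PE body only, so appended overlay bytes do not change it."""
    return sha256_hex(data[:pe_body_length(data)])

def build_sample_pe() -> bytes:
    """Constructed, non-executable one-section PE layout for the demo only."""
    e_lfanew, raw_ptr, body = 0x40, 0x200, b"\xCC" * 0x100
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # no optional hdr
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(body), 0x1000, len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + file_hdr + section).ljust(raw_ptr, b"\0") + body

def demo(tail_len: int = 37) -> tuple:
    """Random tail changes the whole-file hash but not the body hash."""
    clean = build_sample_pe()
    padded = clean + os.urandom(tail_len)   # mimic the appended random data
    return (sha256_hex(clean) == sha256_hex(padded),
            overlay_insensitive_sha256(clean) == overlay_insensitive_sha256(padded),
            len(padded) - pe_body_length(padded))
```

A non-zero overlay length on a file that should have none is itself a useful triage signal, since legitimate installers and signed binaries rarely carry trailing random bytes.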
 
Trojan:Win32/Bohu.A!Installer then copies "newnetgar.dll" as "<system folder>\nethome32.dll", and registers it as a service so that it automatically executes at every Windows start:
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NetHomeIDE
Sets value: "ImagePath"
With data: "%SystemRoot%\system32\svchost.exe -k mysysgroup3"
 
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NetHomeIDE\Parameters
Sets value: "ServiceDll"
With data: "<system folder>\nethome32.dll"
 
Trojan:Win32/Bohu.A!Installer also creates the folder "<system folder>\netplayone". It copies "spass.dll" into this folder as "<system folder>\netplayone\netplayone.dll".
 
Analysis by Jingli Li

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • siglow.dll
    • siglow.sys
    • newnetgar.dll
    • spass.dll
    • dsetup.exe
    • nethome32.dll
    • netplayone.dll
  • The presence of the following registry modifications:
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NetHomeIDE
      Value: "ImagePath"
      With data: "%SystemRoot%\system32\svchost.exe -k mysysgroup3"
    • In subkey: HKLM\SYSTEM\CurrentControlSet\Services\NetHomeIDE\Parameters
      Value: "ServiceDll"
      With data: "<system folder>\nethome32.dll"

Prevention


Alert level: Severe
First detected by definition: 1.95.3262.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jan 05, 2011
This entry was first published on: Jan 05, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Trojan.Win32.Goriadu.ael (Kaspersky)
  • Win32/AntiAV.NGZ (ESET)
  • Trojan.Win32.AntiCloudAV.n (Rising AV)
  • Mal/Emogen-Y (Sophos)
  • TROJ_GORIADU.SMC (Trend Micro)