Trojan:Win32/BHO.BT


Trojan:Win32/BHO.BT is a DLL file that acts as a Browser Helper Object (BHO). It functions as a search engine for the browser.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Threat behavior

Trojan:Win32/BHO.BT is a DLL file that acts as a Browser Helper Object (BHO). It functions as a search engine for the browser.
Installation
Trojan:Win32/BHO.BT may arrive as a DLL file with a random file name. When installed, it may create the following registry subkeys and entries to register itself as a COM object and as a Browser Helper Object (BHO), so that Internet Explorer loads the DLL each time the browser starts:
 
Adds subkeys:
HKCR\BHO.PSHelper
HKCR\AppID\{055069F3-F78B-4BD1-A277-FE66648D3300}
HKCR\CLSID\{F0626A63-410B-45E2-99A1-3F2475B2D695}
HKCR\Interface\{45D59156-647B-4B06-B20E-0E297A1077BD}
HKCR\Interface\{BE990A32-C2EC-4654-8FD0-26FECEA81998}
HKCR\TypeLib\{3088C799-9630-4719-A471-4544D7CABC2D}
 
Adds value: "@"
With data: "Search Assistant"
To subkey: HKCR\BHO.PSHelper
 
Adds value: "@"
With data: "{F0626A63-410B-45E2-99A1-3F2475B2D695}"
To subkey: HKCR\BHO.PSHelper\CLSID
 
Adds value: "AppID"
With data: "{055069F3-F78B-4BD1-A277-FE66648D3300}"
To subkey: HKCR\AppID\BHO.DLL
 
Adds value: "@"
With data: "_IPSHelperEvents"
To subkey: HKCR\Interface\{45D59156-647B-4B06-B20E-0E297A1077BD}
 
Adds value: "@"
With data: "IPSHelper"
To subkey: HKCR\Interface\{BE990A32-C2EC-4654-8FD0-26FECEA81998}
 
Adds subkeys:
HKLM\SOFTWARE\Classes\BHO.PSHelper
HKLM\SOFTWARE\Classes\AppID\{055069F3-F78B-4BD1-A277-FE66648D3300}
HKLM\SOFTWARE\Classes\CLSID\{F0626A63-410B-45E2-99A1-3F2475B2D695}
HKLM\SOFTWARE\Classes\Interface\{45D59156-647B-4B06-B20E-0E297A1077BD}
HKLM\SOFTWARE\Classes\Interface\{BE990A32-C2EC-4654-8FD0-26FECEA81998}
HKLM\SOFTWARE\Classes\TypeLib\{3088C799-9630-4719-A471-4544D7CABC2D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0626A63-410B-45E2-99A1-3F2475B2D695}
 
Adds value: "AppID"
With data: "{055069F3-F78B-4BD1-A277-FE66648D3300}"
To subkey: HKLM\SOFTWARE\Classes\AppID\BHO.DLL
 
Adds value: "@"
With data: "BHO"
To subkey: HKLM\SOFTWARE\Classes\AppID\{055069F3-F78B-4BD1-A277-FE66648D3300}
 
Adds value: "@"
With data: "Search Assistant"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{F0626A63-410B-45E2-99A1-3F2475B2D695}
 
Adds value: "@"
With data: "_IPSHelperEvents"
To subkey: HKLM\SOFTWARE\Classes\Interface\{45D59156-647B-4B06-B20E-0E297A1077BD}
 
Adds value: "@"
With data: "IPSHelper"
To subkey: HKLM\SOFTWARE\Classes\Interface\{BE990A32-C2EC-4654-8FD0-26FECEA81998}
Payload
Shows search results from a certain Web site
 
When Trojan:Win32/BHO.BT is installed, searches are conducted using the following Web site:
 
fastbrowsersearch.com
 
Analysis by Francis Allan Tan Seng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following subkeys:
    HKCR\BHO.PSHelper
    HKCR\AppID\{055069F3-F78B-4BD1-A277-FE66648D3300}
    HKCR\CLSID\{F0626A63-410B-45E2-99A1-3F2475B2D695}
    HKCR\Interface\{45D59156-647B-4B06-B20E-0E297A1077BD}
    HKCR\Interface\{BE990A32-C2EC-4654-8FD0-26FECEA81998}
    HKCR\TypeLib\{3088C799-9630-4719-A471-4544D7CABC2D}
    HKLM\SOFTWARE\Classes\BHO.PSHelper
    HKLM\SOFTWARE\Classes\AppID\{055069F3-F78B-4BD1-A277-FE66648D3300}
    HKLM\SOFTWARE\Classes\CLSID\{F0626A63-410B-45E2-99A1-3F2475B2D695}
    HKLM\SOFTWARE\Classes\Interface\{45D59156-647B-4B06-B20E-0E297A1077BD}
    HKLM\SOFTWARE\Classes\Interface\{BE990A32-C2EC-4654-8FD0-26FECEA81998}
    HKLM\SOFTWARE\Classes\TypeLib\{3088C799-9630-4719-A471-4544D7CABC2D}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0626A63-410B-45E2-99A1-3F2475B2D695}
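As an added example, not part of the Microsoft entry, the following PowerShell script inventories every Browser Helper Object registered on the host, resolves each CLSID to the DLL that implements it and to that DLL's Authenticode status, and flags the CLSID and ProgID listed above. The Wow6432Node and HKCU hook paths and the unsigned-DLL heuristic are assumptions added here, not indicators from the entry. The script is read-only triage, not a removal tool; as the entry says, removal should be left to an up-to-date scanner.

```powershell
# Added example (not from the Microsoft encyclopedia entry): enumerate every
# registered Browser Helper Object, resolve its CLSID to the implementing DLL,
# and flag the indicators documented for Trojan:Win32/BHO.BT.
# Read-only. Run from an elevated prompt so HKLM and both registry views are readable.

# Indicators taken from the entry above.
$KnownBadClsid  = '{F0626A63-410B-45E2-99A1-3F2475B2D695}'
$KnownBadProgId = 'BHO.PSHelper'

# Assumption: also check the 32-bit (Wow6432Node) and per-user hook keys.
# 32-bit Internet Explorer loads BHOs from the Wow6432Node view; the entry
# itself lists only the native HKLM path.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $clsid = $key.PSChildName
            # The COM registration lives under HKCR (the merged HKLM/HKCU Classes view).
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name   = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $progId = (Get-ItemProperty -Path "$clsidKey\ProgID" -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }

            # Authenticode status of the DLL; a missing file is itself worth a look.
            $sig = if ($dllPath -and (Test-Path $dllPath)) {
                (Get-AuthenticodeSignature -FilePath $dllPath).Status
            } else { 'MissingFile' }

            [pscustomobject]@{
                RegistryRoot = $root
                CLSID        = $clsid
                Name         = $name
                ProgID       = $progId
                DllPath      = $dllPath
                Signature    = $sig
                # Heuristic (assumption): any unsigned or missing BHO DLL is flagged,
                # in addition to the CLSID/ProgID this entry documents.
                Suspicious   = ($clsid -ieq $KnownBadClsid) -or
                               ($progId -ieq $KnownBadProgId) -or
                               ($sig -ne 'Valid')
            }
        }
    }
}

$inventory = Get-BhoInventory
$inventory | Format-Table CLSID, Name, DllPath, Signature, Suspicious -AutoSize

# The ProgID is registered separately from the BHO hook; check it directly in
# case the hook key was removed but the COM registration was left behind.
if (Test-Path "Registry::HKEY_CLASSES_ROOT\$KnownBadProgId") {
    Write-Warning "ProgID $KnownBadProgId is registered (HKCR\$KnownBadProgId)."
}

if ($inventory | Where-Object { $_.CLSID -ieq $KnownBadClsid }) {
    Write-Warning "Trojan:Win32/BHO.BT CLSID is registered as a BHO; run a full scan with an up-to-date antivirus product rather than removing it by hand."
} else {
    Write-Host "CLSID $KnownBadClsid is not registered as a BHO."
}
```

The DllPath column is the artifact to submit to a scanner or sandbox: the entry notes the file name is random, so the CLSID and ProgID, not the file name, are the stable indicators.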

Prevention


Alert level: Severe
First detected by definition: 1.67.841.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 15, 2009
This entry was first published on: Oct 29, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/BHO.TEU (Norman)
  • Adware.BHO.YFO (VirusBuster)