Trojan:Win32/Boaxxe.B is a Trojan that installs itself as a Browser Helper Object and may contact remote sites related to rogue anti-spyware applications.
Installation
Trojan:Win32/Boaxxe.B is installed by a dropper that installs the trojan BHO into the Windows system folder. An existing DLL on the system is first selected at random (for example dmconf.dll). Next, the Trojan writes the BHO with the same file name as the selected DLL, but with either a random letter appended, or the last letter removed (for example dmconfi.dll or dmcon.dll).
The trojan registers the dropped BHO so that it loads whenever the default Web browser starts, by creating registry keys such as the following:
Adds value: (default)
With data: <system folder>\<dropped BHO dll>
In subkey: HKEY_CLASSES_ROOT\SOFTWARE\Classes\CLSID\{random CLSID value}\InprocServer32
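The naming trick above (a copy of an existing system DLL name with one trailing letter added or removed) is something a defender can check for without a signature. The following is an added example, not code from the Microsoft write-up: it flags pairs of DLL names in one folder that differ only by a trailing letter, then cross-references them against InprocServer32 paths. The file listing and the CLSID-to-path map are constructed sample data (the CLSIDs are placeholders); on a live host you would feed it the real system-folder listing and the InprocServer32 values read from the registry.

```python
"""Heuristic for Boaxxe.B-style look-alike BHO DLL names (added example)."""
import ntpath
import re

DLL_RE = re.compile(r"^(.+)\.dll$", re.IGNORECASE)


def lookalike_pairs(filenames):
    """Return sorted (shorter, longer) pairs of DLL base names that differ only
    by one trailing letter, e.g. ('dmconf', 'dmconfi'). Boaxxe.B derives its
    BHO file name from a real DLL by appending or dropping one letter, so the
    heuristic cannot say which half is the legitimate file; it reports both."""
    stems = set()
    for name in filenames:
        m = DLL_RE.match(name)
        if m:
            stems.add(m.group(1).lower())
    pairs = set()
    for s in stems:
        if len(s) > 1 and s[:-1] in stems:
            pairs.add((s[:-1], s))
    return sorted(pairs)


def flag_registered_lookalikes(pairs, inproc_servers):
    """inproc_servers maps CLSID -> InprocServer32 path (as read from the
    registry). Returns [(clsid, path, sibling)] for every entry whose DLL base
    name is one half of a look-alike pair; sibling is the other half. The
    registered half is the one worth inspecting first, since a CLSID pointing
    at a one-letter variant of a system DLL is how Boaxxe.B loads itself."""
    by_stem = {}
    for short, long_ in pairs:
        by_stem[short], by_stem[long_] = long_, short
    hits = []
    for clsid, path in inproc_servers.items():
        m = DLL_RE.match(ntpath.basename(path))  # ntpath: handles backslashes off-Windows
        if m and m.group(1).lower() in by_stem:
            hits.append((clsid, path, by_stem[m.group(1).lower()]))
    return hits


# Constructed sample data: a system-folder listing and two CLSID registrations.
# The CLSIDs are placeholders, not values from any real infection.
SAMPLE_FILES = ["dmconf.dll", "dmconfi.dll", "kernel32.dll", "user32.dll",
                "user3.dll", "wininet.dll", "notes.txt"]
SAMPLE_INPROC = {
    "{11111111-1111-1111-1111-111111111111}": r"C:\Windows\System32\dmconfi.dll",
    "{22222222-2222-2222-2222-222222222222}": r"C:\Windows\System32\wininet.dll",
}

if __name__ == "__main__":
    for clsid, path, sibling in flag_registered_lookalikes(
            lookalike_pairs(SAMPLE_FILES), SAMPLE_INPROC):
        print(f"{clsid} loads {path}; look-alike sibling: {sibling}.dll")
```

Expect false positives from legitimately similar names; the output is a triage list, not a verdict.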
The trojan may also add registry values such as the following:
Adds value: bf
With data: hex:9d,5d,ea,98,47,f9,a2,50,69,54,4a,3c,17,24,32,da,f3,94,44,53,ad,98,cb,3e,9a,23,bf,81,4a,fb,6a,ff,
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Adds value: bk
With data: hex:a5,5e,f2,8c,39,82,d6,59,08,2a,20,2b,2f,62,6b,8b,a8,94,44,22,8c,c7,95,6b,d3,73,e4,97,17,a4,33,c7,6f,a1,07,78,b9,4a,66,
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser
Payload
Modifies System Security Settings
This trojan may attempt to delete the following registry value, which belongs to the security application Spybot Search and Destroy (a spyware remover):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SpybotSD TeaTimer
Downloads and Executes Arbitrary Files
The trojan contacts remote sites and downloads and executes arbitrary files, possibly including additional malware.