Threat behavior
Trojan:Win32/Boaxxe.C is a Browser Helper Object (BHO) that is used to download and execute arbitrary files.
Installation
Trojan:Win32/Boaxxe.C is installed by a dropper that writes the trojan BHO into the Windows system folder. An existing DLL on the system is first selected at random (for example dmconf.dll). Next, the trojan writes the BHO with the same file name as the selected DLL, but with either a random letter appended or the last letter removed (for example dmconfi.dll or dmcon.dll).
The trojan registers the dropped BHO to run when the default Web browser is run, by creating keys in the registry, as in this example:
Adds value: (default)
With data: <system folder>\comrep.dll
In subkey: HKEY_CLASSES_ROOT\SOFTWARE\Classes\CLSID\{B4EB0A3C-FDCE-47A8-82CF-6EBEA5FB2BEA}\InprocServer32
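The naming rule and BHO registration described above can be turned into a triage check: flag any BHO whose InprocServer32 DLL sits in the system folder and differs from another DLL there by one appended or one removed trailing letter. This is an added example, not part of the original entry; the function names are hypothetical, and the CLSIDs, paths and file listing are constructed sample data standing in for values collected from a host.

```python
import ntpath
import string

def near_name_matches(candidate, system_dlls):
    """Existing DLL names that `candidate` imitates: one letter appended,
    or the last letter removed (the rule described in the entry)."""
    stem, ext = ntpath.splitext(ntpath.basename(candidate).lower())
    if ext != ".dll" or not stem:
        return []
    stems = {ntpath.splitext(n.lower())[0] for n in system_dlls
             if n.lower().endswith(".dll")}
    hits = []
    # Letter appended: dropping the candidate's final letter gives a real DLL.
    if stem[-1] in string.ascii_lowercase and stem[:-1] in stems:
        hits.append(stem[:-1] + ".dll")
    # Last letter removed: a real DLL equals the candidate plus one letter.
    hits += sorted(s + ".dll" for s in stems
                   if len(s) == len(stem) + 1 and s.startswith(stem)
                   and s[-1] in string.ascii_lowercase)
    return hits

def flag_bho_servers(bho_servers, system_dir, system_dlls):
    """Map CLSID -> (path, imitated names) for BHO servers in the system
    folder whose file name is one letter away from another DLL there."""
    flagged = {}
    for clsid, path in bho_servers.items():
        if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(system_dir):
            continue  # the entry describes drops into the system folder only
        hits = near_name_matches(path, system_dlls)
        if hits:
            flagged[clsid] = (path, hits)
    return flagged

# Constructed sample data (placeholder CLSIDs, not taken from the entry).
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM_DLLS = ["dmconf.dll", "dmconfi.dll", "dmcon.dll", "ieframe.dll", "shell32.dll"]
BHO_SERVERS = {
    "{00000000-0000-0000-0000-000000000001}": r"C:\WINDOWS\system32\dmconfi.dll",
    "{00000000-0000-0000-0000-000000000002}": r"c:\windows\system32\dmcon.dll",
    "{00000000-0000-0000-0000-000000000003}": r"C:\Windows\System32\ieframe.dll",
    "{00000000-0000-0000-0000-000000000004}": r"C:\Program Files\Example\dmconfi.dll",
}

if __name__ == "__main__":
    for clsid, (path, hits) in flag_bho_servers(BHO_SERVERS, SYSTEM_DIR, SYSTEM_DLLS).items():
        print(f"{clsid}  {path}  resembles {', '.join(hits)}")
```

A hit is a lead rather than a verdict: the one-letter relationship is symmetric, so the file's signature and version information are what show which DLL of the pair is the original.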
Payload
Downloads and Executes Arbitrary Files
The trojan contacts remote sites and downloads and executes arbitrary files, possibly including additional malware. The trojan has been observed to contact the following domains when downloading files:
Prevention