Trojan:Win32/Conhook is a family of trojans that install themselves as Browser Helper Objects (BHOs) and connect to the Internet without user consent. They also terminate specific security products and download additional malware to the computer.
Installation
Trojan:Win32/Conhook is installed by another executable. The installer creates a dynamic link library (DLL) with a randomly generated file name in the Windows system folder, and modifies the registry so that the DLL is loaded whenever a web browser is launched.
The Trojan installer may create the following registry keys (for example):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\zxc
Trojan:Win32/Conhook may make further modifications to the registry, as illustrated in the examples below (where specific Class IDs, keys, values and data/file names will differ among variants and specific instances):
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0022F2A-1E0A-47D6-9B97-6EA471031820}\InprocServer32\<value> = "<system folder>\<random file name>.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0022F2A-1E0A-47D6-9B97-6EA471031820}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon\Notify\<key>
These changes register the DLL as a BHO (the CLSID entry under Browser Helper Objects points, via InprocServer32, at the DLL) and as a Winlogon notification package (loaded into winlogon.exe at logon events).
The trojan may also add the DLL to the AppInit_DLLs value. Every DLL listed in this value is loaded by each process that loads user32.dll, which in practice means every Windows-based application running in the current logon session.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "<system folder>\<random file name>.dll"
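The three load points above (BHO CLSID, Winlogon Notify package, AppInit_DLLs) can all be checked from a registry export taken during triage. The following script is an added example and is not part of this write-up or of any Microsoft tool: it parses a .reg export, lists every BHO, Winlogon Notify package and AppInit_DLLs entry, resolves each BHO CLSID to its InprocServer32 DLL, and then reports any single DLL that is registered under more than one of these load points at once, which is the pattern this family uses. The sample export, the CLSID's DLL path and the file name xkqpzr.dll are constructed for the example; the marker keys CAC and zxc are the ones named above.

```python
import re

# Constructed sample .reg export (not a real capture). The DLL name and path are
# placeholders; the CLSID and marker keys are the ones given in the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\CAC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\zxc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0022F2A-1E0A-47D6-9B97-6EA471031820}\InprocServer32]
@="C:\\WINDOWS\\system32\\xkqpzr.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0022F2A-1E0A-47D6-9B97-6EA471031820}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xkqpzr]
"DLLName"="C:\\WINDOWS\\system32\\xkqpzr.dll"
"Startup"="WinlogonStartup"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\xkqpzr.dll"
"DeviceNotSelectedTimeout"="15"
'''

BHO_ROOT = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
NOTIFY_ROOT = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
MARKER_KEYS = (r"hkey_current_user\software\microsoft\cac",
               r"hkey_local_machine\software\microsoft\zxc")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}$")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Registry names are case-insensitive, so keys and value names are lower-cased.
    Only quoted REG_SZ data is unescaped; other types (dword:, hex:) are kept raw.
    """
    tree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})       # keys with no values still count
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"').lower()
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        tree[current][name] = data
    return tree


def inproc_server(tree, clsid):
    """Resolve a CLSID to the in-process server DLL registered for it, if any."""
    key = r"hkey_local_machine\software\classes\clsid" + "\\" + clsid.lower() + r"\inprocserver32"
    return tree.get(key, {}).get("(default)")


def find_persistence(tree):
    """Return (technique, key, dll_or_data) for each load point the write-up names."""
    findings = []
    for key in tree:
        if key.startswith(BHO_ROOT + "\\"):
            clsid = key.rsplit("\\", 1)[1]
            if CLSID_RE.match(clsid):
                findings.append(("bho", key, inproc_server(tree, clsid)))
        elif key.startswith(NOTIFY_ROOT + "\\"):
            findings.append(("winlogon_notify", key, tree[key].get("dllname")))
    appinit = tree.get(APPINIT_KEY, {}).get("appinit_dlls", "")
    if appinit.strip():
        findings.append(("appinit_dlls", APPINIT_KEY, appinit))
    for marker in MARKER_KEYS:
        if marker in tree:
            findings.append(("conhook_marker", marker, None))
    return findings


def correlate_dlls(findings):
    """Group load points by DLL path; a DLL under several load points at once is
    the overlap described above (BHO + Winlogon Notify + AppInit_DLLs)."""
    by_dll = {}
    for technique, _key, data in findings:
        if not data:
            continue
        # AppInit_DLLs may hold several paths separated by spaces or commas.
        paths = data.replace(",", " ").split() if technique == "appinit_dlls" else [data]
        for path in paths:
            by_dll.setdefault(path.lower(), set()).add(technique)
    return {dll: sorted(t) for dll, t in by_dll.items() if len(t) > 1}


if __name__ == "__main__":
    findings = find_persistence(parse_reg(SAMPLE_REG))
    for technique, key, data in findings:
        print(f"{technique:16} {key} -> {data}")
    for dll, techniques in correlate_dlls(findings).items():
        print(f"multi-load-point DLL: {dll} via {', '.join(techniques)}")
```

On a live system the export would come from `reg export` of the keys above; the correlation step is what separates this family's pattern from a legitimate BHO, which normally appears under only one load point. The script is deliberately a parser over exported text so it runs on an analysis box that is not the infected host.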
Payload
Downloads and Executes Arbitrary Files
This trojan injects its code into the running winlogon.exe and explorer.exe processes and creates a remote thread in each to execute it. Trojan:Win32/Conhook then listens for connections on UDP port 3012.
Trojan:Win32/Conhook may connect to a remote web site at IP address 83.149.105.223 over TCP port 80, and may attempt to download additional malware onto the infected computer.
Trojan:Win32/Conhook may terminate the processes "AD-AWARE.EXE" or "GCASSERVALERT.EXE" (both belong to anti-spyware products) if they are running in memory.