TrojanDropper:Win32/BHO.F is a detection for variants of a trojan that installs TrojanSpy:Win32/Ambler.F as a Web Browser Helper Object (BHO).
Installation
When TrojanDropper:Win32/BHO.F is run, it drops an encrypted text file and a trojan (detected as TrojanSpy:Win32/Ambler.F) into the Windows system folder. The name of the dropped file differs among variants and is hardcoded in the trojan dropper. The following are examples of filenames this trojan has used in the wild:
<system folder>\haskel32.dll
<system folder>\xmd.dat
<system folder>\bsn32.dll
<system folder>\csm.txt
<system folder>\bsndcom.dll
<system folder>\dlp.txt
<system folder>\lbbd32.dll
<system folder>\mvx.dat
The trojan dropper modifies the registry so that Win32/Ambler.F is loaded at each Windows start. The exact entries differ among variants; the following are examples:
Adds value: "(default)"
With data: "rmn plugin"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}
Adds value: "(default)"
With data: "lbbd32.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}\InprocServer32
Adds value: "(default)"
With data: "ritlab.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}\ProgID
Adds value: "(default)"
With data: "{b15c9c30-55d0-40a7-8435-4827b3f1f62e}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}\TypeLib
Adds value: "Add"
With data: "g}}xrwr~.}}"
To subkey: HKLM\Software\MRSoft
The trojan dropper enables Web browser extensions by modifying the following registry entry:
Modifies value: "Enable Browser Extensions"
With data: "yes"
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
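As an added defender-side check, not part of this encyclopedia entry, the following PowerShell script looks for the artefacts described above on a host under investigation. The CLSID, the dropped filenames and the "Enable Browser Extensions" value come from this entry; the Browser Helper Objects key is the standard Internet Explorer BHO registration point and is assumed here (the entry does not name it) to be where such a CLSID is listed.

```powershell
# Added triage check for the Win32/BHO.F / Ambler.F artefacts; not Microsoft's code.
# Indicators below are taken from the encyclopedia entry.
$KnownClsid = '{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}'
$KnownNames = 'haskel32.dll','xmd.dat','bsn32.dll','csm.txt',
              'bsndcom.dll','dlp.txt','lbbd32.dll','mvx.dat'
$SystemDir  = [Environment]::SystemDirectory
$findings   = @()

# 1. Is the CLSID from the write-up registered, and which DLL does it load?
$clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$KnownClsid"
if (Test-Path $clsidKey) {
    $server = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $findings += "CLSID $KnownClsid is registered; InprocServer32 = $server"
}

# 2. Walk every registered BHO (assumed location: the standard IE BHO key) and
#    flag any whose in-process server has a filename from the dropper's list.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in (Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue)) {
    $clsid  = $bho.PSChildName
    $server = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" `
                                -ErrorAction SilentlyContinue).'(default)'
    if (-not $server) { continue }
    $leaf = Split-Path -Path $server -Leaf
    if ($KnownNames -contains $leaf) {
        $findings += "BHO $clsid loads $server (filename matches the Win32/BHO.F list)"
    }
}

# 3. The dropper turns browser extensions on for the current user. This is also
#    the ordinary user setting, so treat it as supporting evidence only.
$main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main.'Enable Browser Extensions' -eq 'yes') {
    $findings += "HKCU IE Main: 'Enable Browser Extensions' = yes (weak indicator on its own)"
}

# 4. Are any of the dropped-file names present in the system folder?
foreach ($name in $KnownNames) {
    $path = Join-Path -Path $SystemDir -ChildPath $name
    if (Test-Path $path) { $findings += "Dropped-file indicator present: $path" }
}

if ($findings.Count -eq 0) { 'No Win32/BHO.F indicators found.' } else { $findings }
```

Run from an elevated prompt so the HKLM keys are readable; a hit on items 1, 2 or 4 warrants pulling the named DLL for analysis, while item 3 alone is not meaningful.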
Payload
Deletes Files
TrojanDropper:Win32/BHO.F may delete the following files from the Windows system folder:
di1.gif
dr1.gif
cookie1.dat
boa1.dat
cs.dat
bb1.dat
ps1.dat
rc.dat
tb.dr
Additional Information
TrojanDropper:Win32/BHO.F attempts to delete itself using a shell command.
Analysis by Patrik Vicol