
TrojanDropper:Win32/Henbang.A


First posted on 10 May 2010.
Source: SecurityHome

Aliases:

TrojanDropper:Win32/Henbang.A is also known as Win-AppCare/Bho.431104 (AhnLab), ADSPY/Agent.hyz (Avira), Adware.BHO.WSE (BitDefender), not-a-virus:AdWare.Win32.Agent.hyz (Kaspersky), Adware-Henbang.dr (McAfee), W32/Agent.JVOB (Norman), Adware/BaiduBar (Panda), Troj/Agent-INK (Sophos), Adware.Agent.gen (Sunbelt Software), WORM_DROPPER.MZU (Trend Micro).

Explanation:

TrojanDropper:Win32/Henbang.A is the detection for a trojan that drops and installs other malware that displays pop-up advertisements on the compromised computer.

Installation

When run, this trojan creates a mutex named "winweb.exe". TrojanDropper:Win32/Henbang.A drops itself in the Windows system folder as the following files:

  • <system folder>\web.dat
  • <system folder>\winweb.exe

Payload

Drops other malware: TrojanDropper:Win32/Henbang.A drops and installs additional malware in the Windows system folder as the following files:

  • <system folder>\webad.dll - Trojan:Win32/BHO.AI
  • <system folder>\iconhandle.dll - Trojan:Win32/BHO.AH

TrojanDropper:Win32/Henbang.A then creates registry subkeys that register the dropped DLLs as COM in-process servers so that they can be loaded as Web browser helper objects:

  HKLM\SOFTWARE\Classes\CLSID\<CLSID>, for example:
  HKLM\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}

The registry is modified with additional data to assist running the dropped malware. Note the txtfile\shellEx\IconHandler entry below: it makes iconhandle.dll the shell icon handler for text files, so Windows Explorer loads that DLL whenever it draws a .txt file icon, independently of any Web browser.

  • In subkey HKLM\SOFTWARE\Classes\AppID\{F6136F5A-4C58-40C7-8DFC-945F5570CB79}, sets value "(default)" with data "ad"
  • In subkey HKLM\SOFTWARE\Classes\AppID\ad.DLL, sets value "AppID" with data "{f6136f5a-4c58-40c7-8dfc-945f5570cb79}"
  • In subkey HKLM\SOFTWARE\Classes\ad.h.1, sets value "(default)" with data "h class"
  • In subkey HKLM\SOFTWARE\Classes\ad.h.1\CLSID, sets value "(default)" with data "{73ef2588-e4d1-4623-9b45-e0bbd6b65e9c}"
  • In subkey HKLM\SOFTWARE\Classes\ad.h, sets value "(default)" with data "h class"
  • In subkey HKLM\SOFTWARE\Classes\ad.h\CLSID, sets value "(default)" with data "{73ef2588-e4d1-4623-9b45-e0bbd6b65e9c}"
  • In subkey HKLM\SOFTWARE\Classes\ad.h\CurVer, sets value "(default)" with data "ad.h.1"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}, sets value "(default)" with data "h class"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\ProgID, sets value "(default)" with data "ad.h.1"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\VersionIndependentProgID, sets value "(default)" with data "ad.h"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\InprocServer32, sets value "(default)" with data "<system folder>\webad.dll"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\TypeLib, sets value "(default)" with data "{5a0063a5-f6e9-4947-9d1c-9300ce1bb342}"
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0, sets value "(default)" with data "ad 1.0" (the remainder of this string is garbled in the source)
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\FLAGS, sets value "(default)" with data "0"
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\0\win32, sets value "(default)" with data "<system folder>\webad.dll"
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\HELPDIR, sets value "(default)" with data "%windir%\system32"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}, sets value "(default)" with data "ih"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\ProxyStubClsid, sets value "(default)" with data "{00020424-0000-0000-c000-000000000046}"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\ProxyStubClsid32, sets value "(default)" with data "{00020424-0000-0000-c000-000000000046}"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{78D814F1-9774-4F37-B7F9-CD8F88558B53}\TypeLib, sets value "(default)" with data "{5a0063a5-f6e9-4947-9d1c-9300ce1bb342}"
  • In subkey HKLM\SOFTWARE\Classes\AppID\{DD0AD1D0-6C36-4894-B38E-9E5D3392114D}, sets value "(default)" with data "iconhandle"
  • In subkey HKLM\SOFTWARE\Classes\AppID\iconhandle.DLL, sets value "AppID" with data "{dd0ad1d0-6c36-4894-b38e-9e5d3392114d}"
  • In subkey HKLM\SOFTWARE\Classes\iconhandle.seticon.1, sets value "(default)" with data "seticon class"
  • In subkey HKLM\SOFTWARE\Classes\iconhandle.seticon.1\CLSID, sets value "(default)" with data "{aefa7e78-cf7e-4550-829f-2c786a0070bf}"
  • In subkey HKLM\SOFTWARE\Classes\iconhandle.seticon, sets value "(default)" with data "seticon class"
  • In subkey HKLM\SOFTWARE\Classes\iconhandle.seticon\CLSID, sets value "(default)" with data "{aefa7e78-cf7e-4550-829f-2c786a0070bf}"
  • In subkey HKLM\SOFTWARE\Classes\iconhandle.seticon\CurVer, sets value "(default)" with data "iconhandle.seticon.1"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}, sets value "(default)" with data "seticon class"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\ProgID, sets value "(default)" with data "iconhandle.seticon.1"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\VersionIndependentProgID, sets value "(default)" with data "iconhandle.seticon"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\InprocServer32, sets value "(default)" with data "<system folder>\iconhandle.dll"
  • In subkey HKLM\SOFTWARE\Classes\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\TypeLib, sets value "(default)" with data "{581f1707-4ad0-4b7b-ad6e-057db8f686f3}"
  • In subkey HKLM\SOFTWARE\Classes\txtfile\shellEx\IconHandler, sets value "(default)" with data "{aefa7e78-cf7e-4550-829f-2c786a0070bf}"
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0, sets value "(default)" with data "iconhandle 1.0" (the remainder of this string is garbled in the source)
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\FLAGS, sets value "(default)" with data "0"
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\0\win32, sets value "(default)" with data "<system folder>\iconhandle.dll"
  • In subkey HKLM\SOFTWARE\Classes\TypeLib\{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}\1.0\HELPDIR, sets value "(default)" with data "%windir%\system32"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}, sets value "(default)" with data "iseticon"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\ProxyStubClsid, sets value "(default)" with data "{00020424-0000-0000-c000-000000000046}"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\ProxyStubClsid32, sets value "(default)" with data "{00020424-0000-0000-c000-000000000046}"
  • In subkey HKLM\SOFTWARE\Classes\Interface\{72397142-9352-4A45-99AD-2EF143072AC0}\TypeLib, sets value "(default)" with data "{581f1707-4ad0-4b7b-ad6e-057db8f686f3}"
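
The following Python script is an added example and is not part of the original writeup or of any vendor tool. It scans a Registry Editor (.reg) export for the indicators listed above: the two CLSIDs and their InprocServer32 paths, the ProgIDs, the TypeLibs, and the txtfile\shellEx\IconHandler hook. The export embedded in it is constructed for the example; the absolute C:\Windows\system32 paths are an assumption, since the writeup only says <system folder>, and the shell32.dll entry is a benign control that must not be flagged.

```python
"""Scan a Registry Editor (.reg) export for the Henbang.A registry
indicators listed on this page.  Example code written for this page; it is
not Microsoft's or any vendor's tooling."""
import re

# CLSIDs, TypeLibs, ProgIDs and DLL names transcribed from the writeup above.
HENBANG_CLSIDS = {
    "{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}": "webad.dll",
    "{AEFA7E78-CF7E-4550-829F-2C786A0070BF}": "iconhandle.dll",
}
HENBANG_TYPELIBS = {
    "{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}",
    "{581F1707-4AD0-4B7B-AD6E-057DB8F686F3}",
}
HENBANG_PROGIDS = {"AD.H", "AD.H.1", "ICONHANDLE.SETICON", "ICONHANDLE.SETICON.1"}
HENBANG_DLLS = {"WEBAD.DLL", "ICONHANDLE.DLL"}

# Constructed sample export (not a real capture).  Absolute paths are assumed;
# the writeup only says "<system folder>".  The shell32.dll entry is a benign
# control that must not be flagged.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}]
@="h class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73EF2588-E4D1-4623-9B45-E0BBD6B65E9C}\InprocServer32]
@="C:\\Windows\\system32\\webad.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ad.h.1]
@="h class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{5A0063A5-F6E9-4947-9D1C-9300CE1BB342}\1.0\0\win32]
@="C:\\Windows\\system32\\webad.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEFA7E78-CF7E-4550-829F-2C786A0070BF}\InprocServer32]
@="C:\\Windows\\system32\\iconhandle.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shellEx\IconHandler]
@="{aefa7e78-cf7e-4550-829f-2c786a0070bf}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
'''

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<val>.*)$')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return s[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers and "name"="string"
    or @="string" lines.  Returns {key: {value_name: data}}; non-string data
    (dword:, hex:) is kept verbatim."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            reg.setdefault(key, {})
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name = "(default)" if m.group("name") == "@" else _unquote(m.group("name"))
            data = m.group("val")
            reg[key][name] = _unquote(data) if data.startswith('"') else data
    return reg


def find_henbang_indicators(reg):
    """Return sorted (key, reason) findings for a parsed export."""
    findings = set()
    for key, values in reg.items():
        up = key.upper()
        data = values.get("(default)", "")
        # 1. Dropped DLLs registered as in-process COM servers, matched by
        #    CLSID or, should the CLSID differ, by the DLL file name.
        m = re.search(r"\\CLSID\\(\{[0-9A-F-]{36}\})\\INPROCSERVER32$", up)
        if m:
            if m.group(1) in HENBANG_CLSIDS:
                findings.add((key, "Henbang CLSID -> " + data))
            elif data.upper().rsplit("\\", 1)[-1] in HENBANG_DLLS:
                findings.add((key, "Henbang DLL under other CLSID -> " + data))
        # 2. Shell icon handler for .txt files: explorer.exe loads whatever
        #    CLSID is registered here, so any entry deserves a look.
        if up.endswith("\\CLASSES\\TXTFILE\\SHELLEX\\ICONHANDLER"):
            tag = "Henbang" if data.upper() in HENBANG_CLSIDS else "unexpected"
            findings.add((key, tag + " txtfile IconHandler -> " + data))
        # 3. ProgIDs and TypeLibs the dropper registers (one finding per TypeLib).
        if "\\CLASSES\\" in up and up.rsplit("\\", 1)[-1] in HENBANG_PROGIDS:
            findings.add((key, "Henbang ProgID"))
        m = re.search(r"\\TYPELIB\\(\{[0-9A-F-]{36}\})", up)
        if m and m.group(1) in HENBANG_TYPELIBS:
            findings.add((key[: m.end(1)], "Henbang TypeLib"))
    return sorted(findings)


if __name__ == "__main__":
    for key, reason in find_henbang_indicators(parse_reg_export(SAMPLE_REG)):
        print(reason + "\n    " + key)
```

On a live host the input would come from `reg export HKLM\SOFTWARE\Classes classes.reg`; reg.exe writes the file as UTF-16, so open it with `encoding="utf-16"` before passing the text to parse_reg_export. The IconHandler check reports any CLSID found under txtfile\shellEx\IconHandler, not only Henbang's, because a clean Windows install does not register an icon handler for text files there.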

Analysis by Wei Li

Last update 10 May 2010
