Trojan.Boaxxe.C
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Trojan.Boaxxe.C is also known as Trojan:Win32/Boaxxe.B (OneCare).
Explanation:
When run, the malware registers itself as a Browser Helper Object by creating the following registry keys:
HKCR\CLSID\<CLSID>\InprocServer32\(Default) - stores the path of the dll file
HKCR\CLSID\<CLSID>\InprocServer32\ThreadingModel - "apartment"
It also creates the following registry keys to mark the presence of specific versions of this malware:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\k
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\k
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu
These keys contain the encrypted version, CLSID and install path of the malware. If an older version is detected, it is replaced by the new one.
Once registered, the dll file is loaded and executed by Internet Explorer.
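The two registry locations above (the COM server registration under HKCR\CLSID and the presence markers under Browser Settings) can be triaged offline from a registry export. The following Python script is an added example, not BitDefender's code: it parses a .reg export, resolves every CLSID listed under the standard Browser Helper Objects key to its InprocServer32 DLL path and ThreadingModel, flags DLLs loaded from outside the usual program directories, and reports any values or subkeys present under Browser Settings. The export text, CLSIDs, DLL paths and marker data are constructed for the example (the write-up shows the marker value names only in truncated form, so they are treated here as placeholders).

```python
import re

# Constructed .reg export for the example: CLSIDs, paths and marker data are
# hypothetical and were not taken from an infected host or from the write-up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Public\\bho_sample.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
"NoExplorer"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings]
"k"="MTc="
"iu"="QzpcVXNlcnNcUHVibGlj"
'''

# Standard location where Internet Explorer reads the list of BHOs to load.
BHO_LIST_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
# Presence-marker key named in the write-up.
MARKER_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
# Directories a legitimately installed BHO is normally loaded from (assumption for the example).
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg exports double backslashes and escape quotes inside string data
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; '@' becomes '(Default)'."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def enumerate_bhos(keys):
    """Map each CLSID listed under Browser Helper Objects to its InprocServer32 DLL and threading model."""
    lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_LIST_KEY.lower() + '\\'
    bhos = {}
    for path in keys:
        if path.lower().startswith(prefix):
            clsid = path[len(prefix):]
            server = lower.get(('HKEY_CLASSES_ROOT\\CLSID\\' + clsid + '\\InprocServer32').lower(), {})
            bhos[clsid] = {'dll': server.get('(Default)'), 'threading': server.get('ThreadingModel')}
    return bhos


def triage(keys):
    """Return findings: BHOs loaded from unusual paths, plus any Browser Settings marker data."""
    findings = []
    for clsid, info in enumerate_bhos(keys).items():
        dll = info['dll'] or ''
        if not dll.lower().startswith(TRUSTED_DIRS):
            findings.append(f'BHO {clsid} loads {dll or "<no InprocServer32 path>"} from an unusual location')
    lower = {k.lower(): v for k, v in keys.items()}
    marker_values = lower.get(MARKER_KEY.lower(), {})
    marker_subkeys = [k for k in keys if k.lower().startswith(MARKER_KEY.lower() + '\\')]
    if marker_values or marker_subkeys:
        names = sorted(marker_values) + [k[len(MARKER_KEY) + 1:] for k in marker_subkeys]
        findings.append('Browser Settings marker key present: ' + ', '.join(names))
    return findings


if __name__ == '__main__':
    for finding in triage(parse_reg(SAMPLE_REG)):
        print(finding)
```

On a live host the same export is produced with `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer` and `reg export HKCR\CLSID`; the DLL path resolved from InprocServer32 is the file to hash and submit for analysis, since the Browser Settings data is described as encrypted and cannot be interpreted directly.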
When active, it downloads files from locations such as:
http://<removed>/ppc/config.php?v=17&u=2359&acln=en-us&s=about:blank
http://<removed>/ppc/config.phpchk
http://<removed>/ppc/dl_upd/upd2359-76c98742.gif
HTTP is used for the file transfer. The traffic is encrypted using custom algorithms.
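The three download URLs share a fixed path structure (`/ppc/config.php` with `v` and `u` query parameters, and `/ppc/dl_upd/upd<id>-<hex>.gif`), which proxy or web server logs can be searched for even though the host is removed from the write-up. The following Python script is an added example and not BitDefender's code: it matches those path shapes over a few constructed proxy log lines, pulls the version and id fields out of the beacon request, and checks whether a retrieved "gif" actually carries a GIF header, since the update files are described as encrypted blobs rather than images. The log format, client addresses and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path shapes taken from the URLs listed in the write-up (hosts are removed there,
# so matching is done on path and query only).
CONFIG_PATH_RE = re.compile(r'^/ppc/config\.php$', re.IGNORECASE)
UPDATE_PATH_RE = re.compile(r'^/ppc/dl_upd/upd\d+-[0-9a-f]+\.gif$', re.IGNORECASE)

# Constructed proxy log lines (timestamp client method url status bytes);
# hosts and client addresses are placeholders, not observed infrastructure.
SAMPLE_LOG = '''\
1321900000.101 10.0.0.5 GET http://example.invalid/ppc/config.php?v=17&u=2359&acln=en-us&s=about:blank 200 512
1321900001.250 10.0.0.5 GET http://example.invalid/ppc/dl_upd/upd2359-76c98742.gif 200 80123
1321900002.999 10.0.0.7 GET http://cdn.example.invalid/images/logo.gif 200 2048
1321900003.333 10.0.0.9 GET http://example.invalid/ppc/config.php?v=18&u=4411&acln=de-de&s=about:blank 200 510
'''

GIF_MAGIC = (b'GIF87a', b'GIF89a')


def classify_url(url):
    """Return 'config', 'update' or None depending on which download URL shape the path matches."""
    parts = urlsplit(url)
    if CONFIG_PATH_RE.match(parts.path):
        q = parse_qs(parts.query)
        if 'v' in q and 'u' in q:  # version and id parameters seen in the beacon
            return 'config'
    if UPDATE_PATH_RE.match(parts.path):
        return 'update'
    return None


def scan_log(text):
    """Return (client, kind, url, fields) for every log line whose URL matches a known shape."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        kind = classify_url(url)
        if kind is None:
            continue
        info = {}
        if kind == 'config':
            q = parse_qs(urlsplit(url).query)
            info = {'v': q['v'][0], 'u': q['u'][0], 'acln': q.get('acln', [''])[0]}
        hits.append((client, kind, url, info))
    return hits


def looks_like_gif(data):
    """True when the payload starts with a real GIF header; encrypted update files will not."""
    return data[:6] in GIF_MAGIC


if __name__ == '__main__':
    for client, kind, url, info in scan_log(SAMPLE_LOG):
        print(f'{client} {kind:6} {url} {info}')
    # A captured "gif" that fails this check is worth extracting from the proxy cache for analysis.
    print('real gif header:', looks_like_gif(b'GIF89a' + b'\x00' * 10))
```

The `u` value ties the beacon to the later update fetch (the same id appears in the update file name in the write-up), so correlating a config beacon with an `upd<id>-...gif` download from the same client is a stronger signal than either request alone.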
The downloaded files can be new versions of the malware, or other malicious code to be executed on the infected machine.
Last update: 21 November 2011