
Trojan:Win32/Evadiped.A


First posted on 29 October 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Evadiped.A is also known as TROJ_EXEBOT.SM (Trend Micro).

Explanation :

Trojan:Win32/Evadiped.A is a trojan component that uses a web browser helper object (BHO) to deliver advertisements, redirect access of certain websites and gather private user information.

Installation

This BHO component is installed as the following file:

%ProgramFiles%\shared\lib.dll

Once run, the registry is modified to execute the dropped component when a web browser is launched.

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Sets value: "(default)"
To data: "browser helper object"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
Sets value: "(default)"
To data: "%ProgramFiles%\shared\lib.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib
Sets value: "(default)"
To data: "{8e3c68cd-f500-4a2a-8cb9-132bb38c3573}"

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Sets value: "NoExplorer"
To data: "1"

In subkey: HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Sets value: "(default)"
To data: "browser helper object"

In subkey: HKLM\SOFTWARE\Classes\AppID\main.DLL
Sets value: "AppID"
To data: "{a0e1054b-01ee-4d57-a059-4d99f339709f}"

In subkey: HKLM\SOFTWARE\Classes\main.BHO.1
Sets value: "(default)"
To data: "browser helper object"

In subkey: HKLM\SOFTWARE\Classes\main.BHO.1\CLSID
Sets value: "(default)"
To data: "{afd4ad01-58c1-47db-a404-fbe00a6c5486}"

In subkey: HKLM\SOFTWARE\Classes\main.BHO
Sets value: "(default)"
To data: "browser helper object"

In subkey: HKLM\SOFTWARE\Classes\main.BHO\CLSID
Sets value: "(default)"
To data: "{afd4ad01-58c1-47db-a404-fbe00a6c5486}"

In subkey: HKLM\SOFTWARE\Classes\main.BHO\CurVer
Sets value: "(default)"
To data: "main.bho.1"

Payload

Redirects searches and gathers user data

When a web browser is launched, the trojan executes. It may monitor connections to various websites and redirect search queries, deliver advertisements and gather private user data.
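As an added example that is not part of the original write-up: a Python script that parses a Windows registry export (.reg text), enumerates every Browser Helper Object registered under the "Browser Helper Objects" key, resolves each CLSID to the DLL named in its InprocServer32 subkey, and reports registrations that match the CLSID or DLL path listed above. The embedded sample export is constructed from the keys above plus one hypothetical benign entry; the second CLSID, the vendor name and its DLL path are invented placeholders, not real indicators.

```python
"""BHO triage over a .reg export (added example for the Evadiped.A write-up)."""
import re
from dataclasses import dataclass, field

# Indicators taken from the write-up.
EVADIPED_CLSID = "{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}"
EVADIPED_DLL = r"%ProgramFiles%\shared\lib.dll"

BHO_ROOT = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects")
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Constructed .reg export: the Evadiped registration from the write-up plus a
# hypothetical benign BHO (placeholder CLSID/vendor/path, not a real product).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}]
@="browser helper object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32]
@="%ProgramFiles%\\shared\\lib.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}]
"NoExplorer"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000BEEF}]
@="Example Vendor Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000BEEF}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-00000000BEEF}]
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unquote(s):
    """Strip the surrounding quotes of a .reg string and undo its backslash escapes."""
    return re.sub(r"\\(.)", r"\1", s[1:-1])


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} for the string values of a .reg export.

    Key paths are lowercased because registry keys are case-insensitive; value
    names and data keep their case. Only REG_SZ ("...") data is decoded; other
    types (hex:..., dword:...) are kept verbatim. A real export is UTF-16 and
    should be opened with encoding="utf-16" before being passed here.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else _unquote(m.group(1))
            data = m.group(2)
            keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


@dataclass
class Bho:
    clsid: str
    description: str
    dll: str
    no_explorer: bool
    findings: list = field(default_factory=list)


def assess(bho):
    """Triage notes for one BHO registration; an empty list means nothing stood out."""
    notes = []
    if bho.clsid == EVADIPED_CLSID or bho.dll.lower() == EVADIPED_DLL.lower():
        notes.append("matches Trojan:Win32/Evadiped.A indicators (CLSID or DLL path)")
    if not bho.dll:
        notes.append("no InprocServer32 path registered for this CLSID")
    if bho.description.lower() in ("", "browser helper object"):
        notes.append("generic or missing CLSID description")
    if bho.no_explorer:
        notes.append("NoExplorer=1 (loads in the web browser only, not in Windows Explorer)")
    return notes


def find_bhos(keys):
    """Join each registered BHO CLSID to its CLSID description and InprocServer32 DLL."""
    prefix = BHO_ROOT.lower() + "\\"
    bhos = []
    for path, values in keys.items():
        if not path.startswith(prefix) or "\\" in path[len(prefix):]:
            continue  # not a direct child of the BHO key
        clsid = path[len(prefix):].upper()
        clsid_key = keys.get(f"{CLSID_ROOT.lower()}\\{clsid.lower()}", {})
        inproc = keys.get(f"{CLSID_ROOT.lower()}\\{clsid.lower()}\\inprocserver32", {})
        bho = Bho(clsid, clsid_key.get("(default)", ""), inproc.get("(default)", ""),
                  values.get("NoExplorer") == "1")
        bho.findings = assess(bho)
        bhos.append(bho)
    return bhos


if __name__ == "__main__":
    for b in find_bhos(parse_reg(SAMPLE_REG)):
        print(f"{b.clsid}  {b.dll or '<no DLL>'}  ({b.description or 'no description'})")
        for note in b.findings:
            print(f"    - {note}")
```

The join between the BHO key and the CLSID's InprocServer32 subkey is the useful part: the BHO key itself only names a CLSID, so the DLL that actually loads into the browser is only visible once the two are correlated, which is how the lib.dll path above surfaces from an export.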

Analysis by Wei Li

Last update 29 October 2010
