
Trojan.Boaxxe.D


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Boaxxe.D is also known as TrojanDropper:Win32/Boaxxe.D and Win32.Podnuha.dl.

Explanation:

On execution it drops a DLL file into %WINDIR%\system32 whose name mimics another DLL already in that directory, except that the last letter of the original DLL name is missing.

For example, if it picks "advpack.dll" from %WINDIR%\system32, it drops a DLL named "advpac.dll".

The malware then registers itself as a BHO (Browser Helper Object) by creating the following registry key with a random CLSID:
HKCR\CLSID\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\InprocServer32\(Default)="path to the dll file"
It also creates the following registry keys to mark the presence of specific versions of this malware:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\k
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu
These keys hold the encrypted version, CLSID and install path of the malware. If an older version is detected, it is replaced by the new one.
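The two persistence artifacts above (a DLL whose name is a legitimate system DLL minus its last character, and a CLSID whose InprocServer32 default value points at that DLL) can be checked against host evidence offline. The following is an added example written for this page, not BitDefender's code or the malware's: it takes a constructed System32 file listing and a constructed .reg-style export of CLSID keys (both labelled as constructed below), flags truncated-name DLL pairs, and reports any InprocServer32 registration that loads one of them. The regex is deliberately limited to the HKCR\CLSID\{...}\InprocServer32 layout the page describes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a System32 directory listing (not a real capture).
SAMPLE_SYSTEM32 = [
    "advpack.dll", "advpac.dll", "kernel32.dll", "user32.dll",
    "shell32.dll", "shell3.dll", "ntdll.dll", "msvcrt.dll",
]

# Constructed .reg-style export of CLSID\...\InprocServer32 keys (not a real capture).
# The CLSIDs are placeholders, not values from the page.
SAMPLE_REG_EXPORT = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\system32\\advpac.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Windows\\system32\\shell32.dll"
"ThreadingModel"="Apartment"
"""

# Matches a CLSID InprocServer32 key header followed by its default (@) value line.
INPROC_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]\s*\n@=\"([^\"]*)\"",
    re.MULTILINE,
)


def truncated_name_pairs(filenames):
    """Return (legit, suspicious) pairs where `suspicious` equals `legit` with the last
    character of its base name removed, e.g. ('advpack.dll', 'advpac.dll').
    Comparison is case-insensitive, as NTFS file names are."""
    names = {n.lower() for n in filenames}
    pairs = []
    for n in sorted(names):
        base, dot, ext = n.rpartition(".")
        if not dot or len(base) < 2:
            continue
        candidate = base[:-1] + "." + ext
        if candidate in names:
            pairs.append((n, candidate))
    return pairs


def inproc_servers(reg_text):
    """Map CLSID -> default InprocServer32 path from a .reg export, un-escaping the
    doubled backslashes that .reg files use inside string values."""
    return {clsid: path.replace("\\\\", "\\") for clsid, path in INPROC_RE.findall(reg_text)}


def suspicious_bho_registrations(reg_text, filenames):
    """CLSIDs whose InprocServer32 DLL is one of the truncated-name files."""
    flagged = {sus for _, sus in truncated_name_pairs(filenames)}
    hits = {}
    for clsid, path in inproc_servers(reg_text).items():
        if PureWindowsPath(path).name.lower() in flagged:
            hits[clsid] = path
    return hits


if __name__ == "__main__":
    for legit, sus in truncated_name_pairs(SAMPLE_SYSTEM32):
        print(f"truncated-name DLL: {sus} (mimics {legit})")
    for clsid, path in suspicious_bho_registrations(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM32).items():
        print(f"suspicious InprocServer32: {clsid} -> {path}")
```

On a real host the listing would come from the actual System32 directory and the export from `reg export HKCR\CLSID`; the name heuristic alone will produce some noise (legitimate DLL names that happen to differ by one trailing character), so the registry cross-check is what turns it into a useful signal.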

When Internet Explorer runs, the DLL is loaded and the following links are accessed:
http:///ppc/config.phpchk
http:///ppc/config.php?v=18&u=2868&acln=en-us&s=about:blank&sch=n
All the traffic is encrypted, and the server sends the header
"Content-Type: image/gif"
in every reply, probably to make firewalls and other intrusion detection systems believe the server is merely returning a picture.
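A declared image type whose body does not start with the image format's magic bytes is exactly the kind of mismatch a network sensor can check cheaply. The following is an added example for this page (not code from BitDefender or from the malware): it parses raw HTTP/1.x responses, and flags any response that claims "Content-Type: image/gif" while the body does not begin with the GIF87a or GIF89a signature. The three responses are constructed samples, not captured traffic.

```python
GIF_MAGICS = (b"GIF87a", b"GIF89a")

# Constructed sample responses (not real captures): a genuine GIF, an opaque blob
# mislabelled as a GIF, and an ordinary HTML reply.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 13\r\n\r\n"
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 12\r\n\r\n"
    b"\x8a\x1f\x00\x45\xb2\xc7\x19\x03\x7e\x4d\xa0\x11",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html></html>",
]


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers, body).
    Header names are lower-cased; the body is returned as untouched bytes."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in response")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def declared_gif_but_not_gif(raw):
    """True when the response advertises image/gif but the body lacks a GIF signature."""
    _, headers, body = parse_http_response(raw)
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type == "image/gif" and not body.startswith(GIF_MAGICS)


def flag_responses(responses):
    """Indices of responses whose declared GIF content type does not match the body."""
    return [i for i, raw in enumerate(responses) if declared_gif_but_not_gif(raw)]


if __name__ == "__main__":
    for i in flag_responses(SAMPLE_RESPONSES):
        status, headers, body = parse_http_response(SAMPLE_RESPONSES[i])
        print(f"response {i}: {status!r} declares {headers['content-type']!r} "
              f"but body starts with {body[:6]!r}")
```

Applied to a proxy or IDS response stream, this catches the page's evasion directly: the encrypted payload has no GIF header, so the mismatch fires regardless of what the content is, while real images pass. The same magic-bytes check generalises to other image types, which is where most such lookalike traffic hides.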

Last update 21 November 2011
