Win32/BHO [Threat Name]

Win32/BHO.ODE [Threat Variant Name]

Category: trojan
Size: 341504 B
Detection created: Jul 27, 2011
Detection database version: 6329
Aliases: Trojan.MulDrop2.50606 (Dr.Web)

Short description

Win32/BHO.ODE is a trojan that changes the results of online search engines.

Installation

When executed, the trojan creates the following files:

  • %folder%\%variable1%.exe (40960 B)
  • %folder%\%variable2%.dll (229376 B)
  • %folder%\%variable3%.dll (57344 B)
  • %folder%\c_%variable4%.nls (224 KB)
  • %folder%\c_%variable5%.nls (397 B)
  • %folder%\c_%variable6%.nls (413 B)
  • %folder%\c_%variable7%.nls (411 B)
  • %folder%\c_%variable8%.nls (4092 B)
  • %folder%\%variable9%\inf%variable9%.dat

The %folder% is one of the following strings:

  • %windir%\SysWow64
  • %system%

A string with variable content is used in place of each of %variable1-9%.


The trojan schedules a task that causes the following file to be executed repeatedly:

  • %folder%\%variable1%.exe (40960 B)

The trojan registers the file "%folder%\%variable2%.dll" as a BHO module in Internet Explorer.


The following names are used:

  • Groove GFS Browser Helper
  • Windows Live ID Sign-in Helper
  • Groove Folder Synchronization
  • Adobe PDF Link Helper
  • Java(tm) Plug-In 2 SSV Helper

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
    • "RegistrationID" = "%hexvalue%"
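
The BHO names, drop folders and Registry value listed above can be checked on a host with a read-only audit such as the following. This is an added example, not part of the original description or any vendor tooling; the BHO and CLSID registry locations are the standard Windows ones and are an assumption, as they are not stated on this page.

```powershell
# Added example (read-only): check IE BHO registrations against this page's indicators.
$spoofedNames = @(
    'Groove GFS Browser Helper', 'Windows Live ID Sign-in Helper',
    'Groove Folder Synchronization', 'Adobe PDF Link Helper',
    'Java(tm) Plug-In 2 SSV Helper'
)
# %folder% candidates from the page, resolved for this host.
$dropDirs = @("$env:windir\System32", "$env:windir\SysWOW64")

# Assumption: standard Windows BHO and CLSID locations (not stated on the page),
# paired per registry view (native and WOW6432Node).
$views = @(
    @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

$bhos = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
        $clsKey = Join-Path $v.Cls $key.PSChildName
        # Friendly name and in-process server DLL registered for this CLSID.
        $name = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -LiteralPath "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        $sig = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Clsid      = $key.PSChildName
            Name       = $name
            Dll        = $dll
            Signature  = $sig
            # Page indicator: one of the listed names AND a DLL directly in %folder%.
            Suspicious = ($spoofedNames -contains $name) -and ($dropDirs -contains (Split-Path $dll -Parent))
        }
    }
}
$bhos | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# The page also lists a "RegistrationID" value under this key; report it if present.
$cv = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion' -ErrorAction SilentlyContinue
if ($null -ne $cv.RegistrationID) { "RegistrationID present: $($cv.RegistrationID)" }
```

A row marked Suspicious is a lead to corroborate with the file sizes and the scheduled task described above, not a verdict on its own. From a 64-bit session, a 32-bit registration that names System32 is loaded from SysWOW64, so check the signature of the file in that folder as well.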

Other information

Win32/BHO.ODE is a trojan that changes the results of online search engines.


The following services are affected:

  • Google
  • Facebook
  • Bing
  • Yahoo
  • AOL
  • Wikipedia
  • Twitter

The trojan can send various information to a remote machine over the Internet.
