Win32/Boaxxe [Threat Name] go to Threat

Win32/Boaxxe.BE [Threat Variant Name]

Category trojan
Size 53248 B
Detection created Nov 13, 2013
Detection database version 9322
Aliases Trojan.Zbot (Symantec)
  Trojan.Win32.Inject.gxwj (Kaspersky)
  TR/Dropper.VB.5871 (Avira)
Short description

Win32/Boaxxe.BE is a trojan that redirects results of online search engines to web sites that contain adware. The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Installation

The trojan does not create any copies of itself.


The trojan is usually a part of other malware.


The trojan is usually found in the following folder:

  • %temp%

In order to be executed on every system start, the modifies the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • %variable1% = "%malwarefilepath%"

It downloads the other part of the infiltration. The trojan contains a list of URLs. The HTTP protocol is used.


The downloaded files contain encrypted executables.


These are stored in the following locations:

  • %localappdata%\­%variable2%%variable3%\­%variable4%

A string with variable content is used instead of %variable1-2%,%variable4-7% .


The %variable3% is one of the following strings:

  • works
  • tion
  • soft
  • ics
  • media
  • Pack

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable2%%variable3%" = "regsvr32.exe "%localappdata%\­%variable2%%variable3%\­%variable4%""

This causes the trojan to be executed on every system start.


The trojan executes the following command:

  • regsvr32.exe "%localappdata%\­%variable2%%variable3%\­%variable4%"

The following Registry entry is deleted:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­RunOnce]
    • %variable1% = "%malwarefilepath%"

The trojan is a malicious Google Chrome extension/plugin.


The following files are dropped into the %localappdata%\Google\Chrome\User Data\Default\%variable5%\6.0.4 folder:

  • manifest.json (531 B)
  • background.js (11173 B)
  • content.js (128 B)

The trojan modifies the following file:

  • %localappdata%\­Google\­Chrome\­User Data\­Default\­Preferences

The trojan is a malicious Mozilla Firefox extension/plugin.


The following files are dropped into the %appdata%\Mozilla\Firefox\Profiles\%variable6%.default\extensions\%variable7%\ folder:

  • chrome.manifest (265 B)
  • install.rdf (635 B)
  • components\­ColorBvrClass.js (15381 B)

The trojan modifies the following file:

  • %appdata%\­Mozilla\­Firefox\­Profiles\­%variable6%.default\­extensions.sqlite
Information stealing

The trojan collects the following information:

  • operating system version

The trojan attempts to send gathered information to a remote machine.

Other information

Win32/Boaxxe.BE is a trojan that redirects results of online search engines to web sites that contain adware.


When the user enters certain keywords into the browser, the trojan displays adware websites related to them.


The trojan affects the behavior of the following applications:

  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Please enable Javascript to ensure correct displaying of this content and refresh this page.