Win32/Boaxxe [Threat Name]

Win32/Boaxxe.C [Threat Variant Name]

Category: trojan
Size: 385024 B
Detection created: Mar 26, 2012
Detection database version: 7001
Aliases: Trojan:Win32/Entebore.gen!A (Microsoft)
  Variant.Barys.1963 (BitDefender)
Short description

Win32/Boaxxe.C is a trojan that redirects the results of online search engines to web sites that contain adware. The trojan also sends HTTP requests that simulate clicks on banner advertisements, for example to inflate web counter statistics.

Installation

The trojan is usually a part of other malware.


The trojan is usually found in the following folder:

  • %temp%

When executed, the trojan creates the following folders:

  • %localappdata%\%variable%

A string with variable content is used in place of %variable%.


The trojan moves the following files (source, destination):

  • %temp%\%malwarefilename%, %localappdata%\%variable%\%malwarefilename%

Libraries with the following names are injected into all running processes:

  • %localappdata%\%variable%\%malwarefilename%

The following Registry entries are created:

  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable%" = "rundll32.exe "%localappdata%\%variable%\%malwarefilename%",SuspendHelperLayer"

This way the trojan ensures that the file is executed on every system start.
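As an added example (not ESET's code and not taken from the malware), the following check shows how a defender can flag the persistence pattern described above: a Run value that launches rundll32.exe on a DLL stored directly under a %localappdata% subfolder with a named export. The value name, folder name and file name in the sample data are constructed placeholders, not Boaxxe's real ones, and the sample is an in-memory dictionary rather than a live registry read.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Added example, not ESET's code. Flags HKCU Run values shaped like the Boaxxe.C
# entry above: rundll32.exe loading a DLL from a subfolder of %localappdata% and
# calling a named export. All sample values below are constructed.

# rundll32[.exe] "<dll>",<export> [args]; quotes and the .exe suffix are optional.
_RUNDLL_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)(?:\s.*)?$',
    re.IGNORECASE,
)
# DLL sitting exactly one directory below %localappdata% (unexpanded or expanded form).
_LOCALAPPDATA_SUBDIR_RE = re.compile(
    r'^(?:%localappdata%|[a-z]:\\users\\[^\\]+\\appdata\\local)\\[^\\]+\\[^\\]+$',
    re.IGNORECASE,
)


class Finding(NamedTuple):
    value_name: str
    dll_path: str
    export: str


def parse_rundll32(command: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, or None otherwise."""
    m = _RUNDLL_RE.match(command)
    return (m.group("dll"), m.group("export")) if m else None


def find_suspicious_run_entries(run_values: Dict[str, str]) -> List[Finding]:
    """Flag rundll32 Run entries whose DLL lives directly under a %localappdata% subfolder."""
    findings = []
    for name, cmd in run_values.items():
        parsed = parse_rundll32(cmd)
        if parsed and _LOCALAPPDATA_SUBDIR_RE.match(parsed[0]):
            findings.append(Finding(name, parsed[0], parsed[1]))
    return findings


# Constructed sample of HKCU\...\Run values: one Boaxxe-style entry, two benign ones.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "vcqptx": r'rundll32.exe "%localappdata%\vcqptx\setup_1.dll",SuspendHelperLayer',
    "Sound": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL mmsys.cpl',
}

if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"Run\\{f.value_name}: {f.dll_path} export {f.export}")
```

The second benign entry is a legitimate rundll32 invocation from System32 and is parsed but not flagged, which is the distinction the path check is there to make.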


The trojan executes the following files:

  • %localappdata%\%variable%\%malwarefilename%

Information stealing

The trojan collects the following information:

  • user name
  • computer name
  • disk serial number (without spaces)
  • a list of recently visited URLs
  • cookies

Other information

Win32/Boaxxe.C is a trojan that redirects results of online search engines to web sites that contain adware.


When the user enters certain keywords into the browser, the trojan displays adware websites related to them.


The trojan affects the behavior of the following applications:

  • Google Chrome
  • Microsoft Internet Explorer
  • Mozilla Firefox

The trojan hooks the following Windows APIs:

  • CreateFileW (kernel32.dll)
  • CreateWindowExW (user32.dll)
  • DirectSoundCreate (dsound.dll)
  • DllGetClassObject (dmusic.dll)
  • GetFileAttributesW (kernel32.dll)
  • GetFileAttributesExW (kernel32.dll)
  • HttpAddRequestHeadersA (wininet.dll)
  • LoadResource (kernel32.dll)
  • LockResource (kernel32.dll)
  • midMessage (wdmaud.drv)
  • modMessage (wdmaud.drv)
  • send (ws2_32.dll)
  • SizeofResource (kernel32.dll)
  • waveOutOpen (winmm.dll)
  • widMessage (wdmaud.drv)
  • wodMessage (wdmaud.drv)
  • WSASend (ws2_32.dll)

The trojan sends HTTP requests that simulate clicks on banner advertisements, for example to inflate web counter statistics. The trojan contains a list of 541 URLs.


The trojan quits immediately if it detects a running process containing one of the following strings in its name:

  • avp.exe
