Win32/Boaxxe [Threat Name]
Win32/Boaxxe.C [Threat Variant Name]
Category | trojan |
Size | 385024 B |
Aliases | Trojan:Win32/Entebore.gen!A (Microsoft), Variant.Barys.1963 (BitDefender) |
Short description
Win32/Boaxxe.C is a trojan that redirects the results of online search engines to web sites that contain adware. The trojan also sends HTTP requests that simulate clicks on banner advertisements in order to inflate web counter statistics.
Installation
The trojan is usually a part of other malware.
The trojan is usually found in the following folder:
- %temp%
When executed, the trojan creates the following folders:
- %localappdata%\%variable%
A string with variable content is used instead of %variable%.
The trojan moves the following files (source, destination):
- %temp%\%malwarefilename%, %localappdata%\%variable%\%malwarefilename%
Libraries with the following names are injected into all running processes:
- %localappdata%\%variable%\%malwarefilename%
The following Registry entries are created:
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "%variable%" = "rundll32.exe "%localappdata%\%variable%\%malwarefilename%",SuspendHelperLayer"
This way the trojan ensures that the file is executed on every system start.
The trojan executes the following files:
- %localappdata%\%variable%\%malwarefilename%
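The Run value above is a concrete hunting signature: rundll32.exe launching a DLL from a randomly named folder directly under %localappdata%, with the export SuspendHelperLayer. The following Python script is an added example, not ESET's code and not part of the trojan. It parses rundll32 command lines taken from Run-key values and flags that pattern, plus the %temp% drop location the file is moved from. The registry entries, the folder name x8f2k (standing in for %variable%), the file name update.tmp (standing in for %malwarefilename%) and the environment mapping are all constructed, and the check runs over exported registry data on any platform rather than against the live hive.

```python
"""Flag Run-key values that match the Boaxxe.C persistence pattern.

Added example for this page; not ESET's code and not part of the trojan.
The entries, folder name 'x8f2k', file name 'update.tmp' and the
environment mapping below are constructed samples.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Export name used by the Run value described on the page.
BOAXXE_EXPORT = "SuspendHelperLayer"

# rundll32 takes "<dll>[,<export>] [args]"; the DLL path may be quoted, and
# the export is separated from it by the first comma after the path.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<qpath>[^"]+)"|(?P<path>[^,\s]+))'
    r'(?:,(?P<export>\S+))?',
    re.IGNORECASE,
)


@dataclass
class RunEntry:
    key: str    # registry key holding the value, e.g. HKCU\...\Run
    name: str   # value name
    value: str  # command line stored in the value


@dataclass
class Finding:
    entry: RunEntry
    dll: str                 # resolved, normalised, lower-cased DLL path
    export: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_rundll32(cmd: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return None
    return (m.group("qpath") or m.group("path"), m.group("export"))


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens (case-insensitive) from a supplied mapping, so the
    check works on exported registry data without a Windows environment."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def assess(entry: RunEntry, env: Dict[str, str]) -> Optional[Finding]:
    parsed = parse_rundll32(entry.value)
    if parsed is None:
        return None                      # not a rundll32 launch
    dll, export = parsed
    resolved = ntpath.normpath(expand_env(dll, env)).lower()
    finding = Finding(entry, resolved, export)

    if export == BOAXXE_EXPORT:          # GetProcAddress is case-sensitive
        finding.reasons.append("export name matches Boaxxe.C Run value")

    localappdata = ntpath.normpath(env["localappdata"]).lower()
    temp = ntpath.normpath(env["temp"]).lower()
    parent = ntpath.dirname(resolved)
    # Boaxxe.C moves its file from %temp% into a randomly named folder
    # directly under %localappdata%; legitimate rundll32 targets normally
    # live under %systemroot%.
    if parent == temp or parent.startswith(temp + "\\"):
        finding.reasons.append("DLL under %temp% (drop location before the move)")
    elif ntpath.dirname(parent) == localappdata:
        finding.reasons.append("DLL in a folder directly under %localappdata%")

    return finding if finding.reasons else None


def triage(entries: List[RunEntry], env: Dict[str, str]) -> List[Finding]:
    return [f for f in (assess(e, env) for e in entries) if f]


# Constructed environment and Run entries (not taken from a real host).
SAMPLE_ENV = {
    "localappdata": r"C:\Users\alice\AppData\Local",
    "temp": r"C:\Users\alice\AppData\Local\Temp",
    "systemroot": r"C:\Windows",
}
HKCU_RUN = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    # Boaxxe.C pattern: random value name, DLL in a random folder, fixed export
    RunEntry(HKCU_RUN, "x8f2k",
             r'rundll32.exe "%localappdata%\x8f2k\update.tmp",SuspendHelperLayer'),
    # Constructed variant exercising the %temp% check
    RunEntry(HKCU_RUN, "x8f2k",
             r'rundll32.exe "%temp%\update.tmp",SuspendHelperLayer'),
    # Legitimate rundll32 use from %systemroot%: no finding
    RunEntry(HKLM_RUN, "Control",
             r"rundll32.exe %systemroot%\system32\shell32.dll,Control_RunDLL hotplug.dll"),
    # Not a rundll32 launch at all: ignored
    RunEntry(HKLM_RUN, "Updater", r'"C:\Program Files\Vendor\Updater.exe"'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES, SAMPLE_ENV):
        print(f"{f.entry.key}\\{f.entry.name}: {f.dll} ({', '.join(f.reasons)})")
```

The export-name match is the strong signal; the path checks are kept separate so the script still raises a lower-confidence finding if a later build renames the export but keeps the same drop and install locations.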
Information stealing
The trojan collects the following information:
- user name
- computer name
- disk serial number (without spaces)
- a list of recently visited URLs
- cookies
Other information
Win32/Boaxxe.C redirects the results of online search engines to web sites that contain adware: when the user enters certain keywords into the browser, the trojan displays adware websites related to those keywords.
The trojan affects the behavior of the following applications:
- Google Chrome
- Microsoft Internet Explorer
- Mozilla Firefox
The trojan hooks the following Windows APIs:
- CreateFileW (kernel32.dll)
- CreateWindowExW (user32.dll)
- DirectSoundCreate (dsound.dll)
- DllGetClassObject (dmusic.dll)
- GetFileAttributesW (kernel32.dll)
- GetFileAttributesExW (kernel32.dll)
- HttpAddRequestHeadersA (wininet.dll)
- LoadResource (kernel32.dll)
- LockResource (kernel32.dll)
- midMessage (wdmaud.drv)
- modMessage (wdmaud.drv)
- send (ws2_32.dll)
- SizeofResource (kernel32.dll)
- waveOutOpen (winmm.dll)
- widMessage (wdmaud.drv)
- wodMessage (wdmaud.drv)
- WSASend (ws2_32.dll)
The trojan sends HTTP requests that simulate clicks on banner advertisements in order to inflate web counter statistics. It contains a list of 541 URLs.
The trojan quits immediately if it detects a running process whose name contains one of the following strings:
- avp.exe