Threat behavior
Trojan:Win32/BHO.BO is a trojan Web browser helper object (BHO) used to deliver advertisements, redirect access to certain Web sites and gather private user information.
Installation
This trojan may be installed by other malware such as a trojan dropper and could have any file name. In the wild, Trojan:Win32/BHO.BO may be present as the following:
<system folder>\lib.dll
The registry is modified to run the trojan as a BHO when a Web browser is launched.
Adds value: "(default)"
With data: "browser helper object"
To subkey: HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Adds value: "AppID"
With data: "{a0e1054b-01ee-4d57-a059-4d99f339709f}"
To subkey: HKLM\SOFTWARE\Classes\AppID\main.DLL
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Adds value: "(default)"
With data: "browser helper object"
To subkey: HKLM\SOFTWARE\Classes\main.BHO.1
Adds value: "(default)"
With data: "{afd4ad01-58c1-47db-a404-fbe00a6c5486}"
To subkey: HKLM\SOFTWARE\Classes\main.BHO.1\CLSID
Adds value: "(default)"
With data: "browser helper object"
To subkey: HKLM\SOFTWARE\Classes\main.BHO
Adds value: "(default)"
With data: "{afd4ad01-58c1-47db-a404-fbe00a6c5486}"
To subkey: HKLM\SOFTWARE\Classes\main.BHO\CLSID
Adds value: "(default)"
With data: "main.bho.1"
To subkey: HKLM\SOFTWARE\Classes\main.BHO\CurVer
Adds value: "(default)"
With data: "browser helper object"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Adds value: "(default)"
With data: "main.bho.1"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID
Adds value: "(default)"
With data: "main.bho"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID
Adds value: "(default)"
With data: "<path and the name of Trojan:Win32/BHO.BO>"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
Adds value: "(default)"
With data: "{8e3c68cd-f500-4a2a-8cb9-132bb38c3573}"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib
Adds value: "(default)"
With data: "mainlib"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
Adds value: "(default)"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS
Adds value: "(default)"
With data: "<path and the name of Trojan:Win32/BHO.BO>"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32
Adds value: "(default)"
With data: "<current folder>\"
To subkey: HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR
Adds value: "(default)"
With data: "ibho"
To subkey: HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Adds value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid
Adds value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid32
Adds value: "(default)"
With data: "{8e3c68cd-f500-4a2a-8cb9-132bb38c3573}"
To subkey: HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib
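The registration above can be checked offline from a registry export. The Python below is an added example, not part of Microsoft's description: it parses a constructed .reg sample, resolves each CLSID under Browser Helper Objects to its InprocServer32 DLL and ProgID, and flags the indicators this entry lists (the CLSID, the main.BHO ProgID and <system folder>\lib.dll); the sample export, including the second unrelated BHO, is constructed.

```python
# Constructed .reg export (not from the page): the registration described above plus one unrelated BHO.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID]
@="main.bho.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32]
@="C:\\Windows\\System32\\lib.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"
"""
BHO_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\browser helper objects"
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid"
KNOWN_CLSID = "{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}"  # indicators from the description above
KNOWN_PROGID = "main.bho"
KNOWN_DLL = r"\lib.dll"  # <system folder>\lib.dll

def parse_reg(text):
    # Map each key (lowercased) to its default value, taken from '@="..."' lines.
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            defaults.setdefault(current, "")
        elif current and line.startswith('@="') and line.endswith('"'):
            defaults[current] = line[3:-1].replace("\\\\", "\\")  # undo .reg escaping
    return defaults

def triage_bhos(defaults):
    # Resolve every registered BHO CLSID to its in-process DLL and ProgID and record why it matches.
    findings = []
    for key in defaults:
        if not key.startswith(BHO_KEY + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        dll = defaults.get(CLSID_ROOT + "\\" + clsid + r"\inprocserver32", "")
        progid = defaults.get(CLSID_ROOT + "\\" + clsid + r"\progid", "")
        reasons = []
        if clsid.upper() == KNOWN_CLSID:
            reasons.append("CLSID registered by Trojan:Win32/BHO.BO")
        if progid.lower().startswith(KNOWN_PROGID):
            reasons.append("ProgID main.BHO")
        if dll.lower().endswith(("\\system32" + KNOWN_DLL, "\\syswow64" + KNOWN_DLL)):
            reasons.append("loads <system folder>\\lib.dll")
        findings.append({"clsid": clsid.upper(), "dll": dll, "progid": progid, "reasons": reasons})
    return findings
```

Run `triage_bhos(parse_reg(open("export.reg").read()))` against a real `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` plus the Classes hive to apply the same check on a live machine.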
Payload
Delivers advertisements
When a Web browser is launched, the trojan executes. It may monitor connections to various websites and redirect search queries, deliver advertisements and gather private user data.
Analysis by Oleg Petrovsky
Prevention