| Field | Value |
| --- | --- |
| Malware name | Trojan.BHO.QW |
| Type | Trojan |
| Affected platform | Win32 |
| Media-Type | application/executable |
| MD5 checksum | 7DF0DFA167427D02E1C261BB6FE60848 |
| Static file | no |
| Filesize | 66,624 Bytes |
| Side effects | Registry modification |
| Propagation | No own spreading routine |

Alias names (also known as):

| Vendor | Name |
| --- | --- |
| Sophos | Troj/Virtum-Gen |
| McAfee | Vundo.gen.a |
| CA ETrust | Win32/Darksma!generic |
Description:
Registry
The following registry keys are added so that the malware is run again after a reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "leedkennddulqs"="%SYSDIR%\regsvr32.exe /s \"%malware execution directory%\%malware dll%\""
– [HKCR\CLSID\{8A59D4D5-295D-9AF5-C3FA-7CF5E368BC8F}\InProcServer32]
• "ThreadingModel"="Apartment"
• @="%malware execution directory%\%malware dll%"
It registers a browser helper object (BHO) by adding the following key:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A59D4D5-295D-9AF5-C3FA-7CF5E368BC8F}]
• "NoExplorer"=dword:00000001
The following registry key is added:
– [HKCR\CLSID\{8A59D4D5-295D-9AF5-C3FA-7CF5E368BC8F}]
• @="addestination browser enhancer"
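A defender's check for the persistence pattern listed above, added here as an example and not part of this entry: it parses a .reg-style registry export and flags BHO CLSIDs whose InProcServer32 DLL is also re-registered from a Run value with regsvr32 /s, or that set NoExplorer=1. The sample export is constructed; the CLSID and the Run value name are the ones from this entry, the file paths and the "Updater" value are invented.

```python
import re

# Constructed .reg-style export: CLSID and Run value name are from this entry, paths are made up
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"leedkennddulqs"="C:\\Windows\\system32\\regsvr32.exe /s \"C:\\Users\\user\\Temp\\abcd.dll\""
"Updater"="C:\\Program Files\\Updater\\updater.exe /background"
[HKEY_CLASSES_ROOT\CLSID\{8A59D4D5-295D-9AF5-C3FA-7CF5E368BC8F}\InProcServer32]
@="C:\\Users\\user\\Temp\\abcd.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A59D4D5-295D-9AF5-C3FA-7CF5E368BC8F}]
"NoExplorer"=dword:00000001
'''
RUN_KEY, BHO_KEY = r'\software\microsoft\windows\currentversion\run', r'\explorer\browser helper objects\{'
REGSVR_RE = re.compile(r'regsvr32(?:\.exe)?\s+(?:/s\s+)?"?([^"]+\.dll)"?', re.IGNORECASE)

def unquote(value):
    # .reg strings escape backslash and quote; dwords are hex
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return int(value[6:], 16) if value.startswith('dword:') else value

def parse_reg(text):
    # Returns {key path: {value name: value}}; '@' is the key's default value
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and '=' in line:
            name, _, value = line.partition('=')
            current[name.strip('"')] = unquote(value)
    return keys

def find_suspicious_bhos(keys):
    # DLLs silently (re-)registered at every logon via "regsvr32 /s" from a Run value
    regsvr_dlls = {m.group(1).lower(): name
                   for key, values in keys.items() if key.lower().endswith(RUN_KEY)
                   for name, value in values.items() for m in REGSVR_RE.finditer(str(value))}
    findings = []
    for key, values in keys.items():
        if BHO_KEY in key.lower():
            clsid = key.rsplit('\\', 1)[-1]
            # Resolve the BHO's CLSID to the DLL Internet Explorer will load for it
            dll = next((v.get('@') for k, v in keys.items()
                        if k.lower().endswith(f'\\clsid\\{clsid.lower()}\\inprocserver32')), None)
            reasons = []
            if values.get('NoExplorer') == 1:
                reasons.append('NoExplorer=1: loaded by Internet Explorer only, hidden from Windows Explorer')
            if dll and dll.lower() in regsvr_dlls:
                reasons.append(f'DLL re-registered at logon by Run value "{regsvr_dlls[dll.lower()]}"')
            if reasons:
                findings.append({'clsid': clsid, 'dll': dll, 'reasons': reasons})
    return findings
```

On a live system the same logic can be run over the output of `reg export` for the HKLM Run, HKCR\CLSID and Browser Helper Objects keys.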
File details
Programming language:
The malware program was written in MS Visual C++.