Boaxxe.dr

Type: Trojan
SubType: Dropper
Discovery Date: 06/20/2008
Length:
Minimum DAT: 5322 (06/20/2008)
Updated DAT: 5649 (06/17/2009)
Minimum Engine: 5.2.00
Description Added: 06/20/2008
Description Modified: 10/17/2008 5:50 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When the executable is run on the victim machine, it drops the following file:

  • %system%\%s.dll (this DLL is registered as a BHO and is detected as Boaxxe.dll (87 KB))

(where %system% = C:\Windows\System for Windows 95/98/Me,
  C:\Winnt\System32 for Windows NT/2000,
  or C:\Windows\System32 for Windows XP)

%s.dll indicates that the DLL name varies with each execution. It can take any of the following names, among others:

  • ad.dll
  • cnvfa.dll
  • cmprop.dll

Registry Keys added:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E67FDE50-1867-4ACF-B42D-632D5C65892E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E67FDE50-1867-4ACF-B42D-632D5C65892E}

The trojan adds an InprocServer32 entry for the dropped DLL and sets its threading model to single-threaded apartment:

  • HKEY_CLASSES_ROOT\CLSID\{E67FDE50-1867-4ACF-B42D-632D5C65892E}\InprocServer32 "(Default)" = C:\WINDOWS\system32\cnvfa.dll

It modifies the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings
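
The registry entries above are the advisory's indicators of the BHO registration. The following Python is an added example, not part of the McAfee page: it parses a constructed `reg export` dump and flags the Boaxxe BHO entries. The CLSID and DLL names are taken from the advisory; the dump layout and the benign second entry are constructed for the example.

```python
"""Flag the Boaxxe.dr BHO registration in a .reg export (added example, not from the advisory)."""

# CLSID and DLL names as listed in the advisory above.
BOAXXE_CLSID = "{E67FDE50-1867-4ACF-B42D-632D5C65892E}"
KNOWN_DLL_NAMES = {"ad.dll", "cnvfa.dll", "cmprop.dll"}
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample of a `reg export` dump. The Boaxxe key, CLSID and DLL path come from
# the advisory; the benign CLSID entry and the surrounding layout are made up for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E67FDE50-1867-4ACF-B42D-632D5C65892E}]

[HKEY_CLASSES_ROOT\CLSID\{E67FDE50-1867-4ACF-B42D-632D5C65892E}\InprocServer32]
@="C:\\WINDOWS\\system32\\cnvfa.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Program Files\\Vendor\\benign.dll"
"""


def parse_reg(text):
    """Return {key_path: {value_name: data}} from a .reg export (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # "[KEY]" -> KEY
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg escapes backslashes in REG_SZ data as "\\"; unescape them.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_boaxxe_bho(text):
    """Return a list of findings for the Boaxxe BHO indicators; an empty list means none found."""
    keys = parse_reg(text)
    findings = []
    if f"{BHO_KEY}\\{BOAXXE_CLSID}" in keys:
        findings.append("BHO registered under Boaxxe CLSID")
    server = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{BOAXXE_CLSID}\\InprocServer32", {})
    dll = server.get("(Default)", "")
    if dll:
        # The dropped name varies per run, so report whether it is one of the listed names.
        known = dll.rsplit("\\", 1)[-1].lower() in KNOWN_DLL_NAMES
        findings.append(f"InprocServer32 -> {dll} ({'known' if known else 'unlisted'} Boaxxe name)")
    return findings
```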

Symptoms

  • Presence of above mentioned files.
  • Presence of registry entries mentioned above.

Method of Infection

Unlike viruses, trojans do not self-replicate. They spread manually, often under the promise that the executable is beneficial. They also spread through distribution channels such as IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

A combination of the latest DATs and the Engine will detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, e-mail or other media where users can share files.

Variants

N/A

Overview

This detection is for a trojan dropper that drops a DLL into the %system% directory and registers it. Unlike viruses, trojans do not self-replicate. They spread manually, often under the promise that the executable is beneficial. They also spread through distribution channels such as IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Aliases

  • Trojan.Boaxxe.K (SOFTWIN)
  • Trojan.Win32.Pakes.jvm (Kaspersky)
  • TrojanDropper:Win32/Boaxxe.D (Microsoft)
