Boaxxe

Type: Trojan
SubType: Win32
Discovery Date: 08/21/2008
Length: Varies
Minimum DAT: 5367 (08/21/2008)
Updated DAT: 5381 (09/10/2008)
Minimum Engine: 5.2.00
Description Added: 08/21/2008
Description Modified: 10/17/2008 6:02 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

When the DLL is registered on the victim's machine, it hooks into Internet Explorer (iexplore.exe) and redirects "about:blank" to the following domains:
   "aiXXXel.onspXXXx.com"
   "cewXXm.com"


Boaxxe has the following export functions:

  • DllCanUnloadNow
  • DllGetClassObject
  • DllRegisterServer
  • DllUnRegisterServer

Registry Keys added:

  • HKEY_CLASSES_ROOT\CLSID\{150CC2DC-E554-4E79-A7FB-FB42ADC8BA8A}
  • HKEY_CLASSES_ROOT\CLSID\{150CC2DC-E554-4E79-A7FB-FB42ADC8BA8A}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{150CC2DC-E554-4E79-A7FB-FB42ADC8BA8A}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\volk
  • HKEY_CLASSES_ROOT\CLSID\{E67FDE50-1867-4ACF-B42D-632D5C65892E}\InprocServer32 "(Default)" = C:\WINDOWS\system32\cnvfa.dll

It modifies the following registry key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings
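The following check is an added example and not part of the McAfee description: it looks for the registry artifacts listed above on a suspect host, resolves each CLSID to the DLL named in its InprocServer32 key, and reports whether that DLL is still on disk. It goes slightly beyond the list by checking both CLSIDs for every artifact type, not only the combinations the page shows; the function name Get-BoaxxeArtifact is an assumption of this example.

```powershell
# Added example, not part of the McAfee description. Checks a suspect host for
# the registry artifacts this page attributes to Boaxxe and resolves each CLSID
# to its InprocServer32 DLL so the file can be collected before cleanup.
# Run from an elevated PowerShell session on the host being examined.
$BhoRoot = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$VolkKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\volk'
# Both CLSIDs come from the "Registry Keys added" list; each is checked for
# every artifact type even though the page shows some combinations only once.
$Clsids  = '{150CC2DC-E554-4E79-A7FB-FB42ADC8BA8A}', '{E67FDE50-1867-4ACF-B42D-632D5C65892E}'

function Get-BoaxxeArtifact {
    foreach ($Clsid in $Clsids) {
        $ClsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
        $InprocKey = "$ClsidKey\InprocServer32"
        $DllPath   = $null
        if (Test-Path -LiteralPath $InprocKey) {
            # The (Default) value of InprocServer32 names the COM server DLL that
            # Internet Explorer loads in-process when it instantiates the BHO.
            $DllPath = (Get-ItemProperty -LiteralPath $InprocKey).'(default)'
        }
        [pscustomobject]@{ Artifact = "CLSID $Clsid";      Present = (Test-Path -LiteralPath $ClsidKey);         Detail = $ClsidKey }
        [pscustomobject]@{ Artifact = 'BHO registration';  Present = (Test-Path -LiteralPath "$BhoRoot\$Clsid"); Detail = "$BhoRoot\$Clsid" }
        [pscustomobject]@{ Artifact = 'InprocServer32 DLL'; Present = [bool]$DllPath;                            Detail = $DllPath }
        if ($DllPath) {
            # A dangling DLL reference is still an indicator; the keys should be
            # removed together with the file whether or not the file remains.
            [pscustomobject]@{ Artifact = 'DLL on disk';   Present = (Test-Path -LiteralPath $DllPath);          Detail = $DllPath }
        }
    }
    [pscustomobject]@{ Artifact = 'Browser Settings\volk'; Present = (Test-Path -LiteralPath $VolkKey);          Detail = $VolkKey }
}

$Findings = Get-BoaxxeArtifact
$Findings | Format-Table -AutoSize
if ($Findings | Where-Object Present) {
    Write-Warning 'Boaxxe registry artifacts are present on this host; collect the DLL and clean the keys.'
}
```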

Symptoms

  • Presence of the above-mentioned files.
  • Presence of the registry entries mentioned above.

Method of Infection

Unlike viruses, Trojans do not self-replicate. They spread manually, often under the promise that the executable is beneficial. They also spread through distribution channels such as IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends that users not trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, e-mail or other media where users can share files.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This detection is for a trojan which acts as a BHO, hooking itself into Internet Explorer and redirecting traffic to "aiXXXel.onspXXXx.com".

Aliases

  • Rootkit.Win32.Podnuha.y(Kaspersky)
  • Trojan:Win32/Boaxxe.B(Microsoft)
