Trojan.Win32.BHO

1. What is the Trojan.Win32.BHO

Trojan.Win32.BHO is installed through a devious exploit and deceives the user by downloading other harmful malware onto the infected computer. Trojan.Win32.BHO can download adware, spyware and other malware from various servers and sources on the Internet. Other symptoms include opening illicit network connections, self-mutation and the ability to disable weak security software. Other risks which may prove detrimental to the computer user include the transmission of personal information without the user's consent. Trojan.Win32.BHO can severely degrade the performance of your computer and should be removed immediately.

2. Technical Details

a. The following files were created in the system:

No.  Filename                             Size
1    c:\DelUS.bat                         124 bytes
2    %AppData%\InfoBoan_business_s.exe    1,277,952 bytes
3    %AppData%\rushmore\rushmore.exe      397,312 bytes

  • Note:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
  • The following directory was created:
    • %AppData%\rushmore

b. Memory Modifications

  • There was a new process created in the system:

Process Name                       Main Module Size
%AppData%\rushmore\rushmore.exe    413,696 bytes

c. Registry Modifications

    • The following Registry Key was created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\rushmore
    • The newly created Registry Values are:
      • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        • rushmore = "%AppData%\rushmore\rushmore.exe"
          (so that rushmore.exe runs every time Windows starts)
      • [HKEY_LOCAL_MACHINE\SOFTWARE\rushmore]
        • version = "20101018"
        • today = "101022"

d. Other details

  • There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host    Port Number
115.68.0.16    80
115.68.7.78    80

  • The data identified by the following URLs was then requested from the remote web server:
    • http://001100.co.kr/count/insert.php?pid=rushmore&kind=1
    • http://001100.co.kr/module/rushmore/update.php
    • http://111000.co.kr/module/rushmore/update.php
    • http://000111.co.kr/module/rushmore/update.php
    • http://000111.co.kr/count/insert.php?pid=rushmore&kind=4
    • http://down.infoboan.co.kr/install/partner/InfoBoan_business_s.exe
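The network indicators above can be hunted for on a Windows host and in proxy logs. The following PowerShell is an added example and is not part of the original advisory or the Sax2 product: it compares live TCP connections against the two remote IPs on port 80 and scans web-proxy log lines for the listed domains, IPs and URL paths. The log lines are constructed for the demonstration, the function names are my own, and Get-NetTCPConnection requires Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original advisory): hunt for the section 2d
# network indicators on the local host and in a proxy log.
# Assumes PowerShell 5.1+ on Windows 8 / Server 2012 or later (NetTCPIP module).

# Indicators taken directly from the advisory.
$RemoteHosts = @('115.68.0.16', '115.68.7.78')
$C2Domains   = @('001100.co.kr', '111000.co.kr', '000111.co.kr', 'down.infoboan.co.kr')
$UrlPatterns = @(
    '/module/rushmore/update\.php',
    '/count/insert\.php\?pid=rushmore',
    '/install/partner/InfoBoan_business_s\.exe'
)

function Find-RushmoreConnections {
    # Established TCP connections from this host to the advisory's IPs on port 80,
    # with the owning process so the binary can be identified.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { ($RemoteHosts -contains $_.RemoteAddress) -and ($_.RemotePort -eq 80) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                OwningPid     = $_.OwningProcess
                ProcessPath   = $proc.Path
            }
        }
}

function Find-RushmoreLogHits {
    param([Parameter(Mandatory)][string[]]$LogLines)
    # A line is a hit if it references a C2 domain/IP or one of the URL paths.
    $domainRegex = (($C2Domains + $RemoteHosts) | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pathRegex   = $UrlPatterns -join '|'
    foreach ($line in $LogLines) {
        $byDomain = [bool]($line -match $domainRegex)
        $byPath   = [bool]($line -match $pathRegex)
        if ($byDomain -or $byPath) {
            [pscustomobject]@{ Line = $line; ByDomain = $byDomain; ByPath = $byPath }
        }
    }
}

# Constructed sample proxy log lines (not real traffic) to exercise the matcher;
# lines 1, 3 and 4 should be reported, line 2 should not.
$sampleLog = @(
    '2010-10-22 09:14:03 10.0.0.15 GET http://001100.co.kr/count/insert.php?pid=rushmore&kind=1 200',
    '2010-10-22 09:14:05 10.0.0.15 GET http://www.example.com/index.html 200',
    '2010-10-22 09:14:09 10.0.0.15 GET http://115.68.7.78/module/rushmore/update.php 200',
    '2010-10-22 09:15:41 10.0.0.22 GET http://down.infoboan.co.kr/install/partner/InfoBoan_business_s.exe 200'
)

Find-RushmoreLogHits -LogLines $sampleLog | Format-Table -AutoSize
Find-RushmoreConnections | Format-Table -AutoSize
```

Matching on the URL path as well as the host catches the update check even when the trojan reaches a mirror that is not in the list, which is why the two criteria are reported separately.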


3. How-to's

a. How to prevent the Trojan.Win32.BHO?

Please keep the Sax2 policy knowledge base up to date. Once Ax3soft Sax2 detects the communication of these trojans, it will break the connections and ensure your network and business security.

b. How to Remove the Trojan.Win32.BHO Manually?

Step 1: Stop the following Trojan.Win32.BHO processes
%AppData%\rushmore\rushmore.exe

Step 2: Remove the following Trojan.Win32.BHO registry keys
HKEY_LOCAL_MACHINE\SOFTWARE\rushmore
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
rushmore = "%AppData%\rushmore\rushmore.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\rushmore]
version = "20101018"
today = "101022"

Step 3: Locate and delete the following Trojan.Win32.BHO files
c:\DelUS.bat
%AppData%\InfoBoan_business_s.exe
%AppData%\rushmore\rushmore.exe
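The three manual steps above can be scripted so that the host is audited first and nothing is deleted until the findings have been reviewed. The PowerShell below is an added example, not the advisory's or Sax2's own tooling: it checks for every indicator from sections 2a to 2c and removes them in the advisory's order (process, registry, files). It assumes an elevated PowerShell 5.1+ prompt (the HKLM changes need it) and resolves %AppData% for the current user by default; pass other profiles' Application Data / Roaming folders in -AppDataRoots to cover them. Function names are my own.

```powershell
# Added example (not from the original advisory): audit for the Trojan.Win32.BHO
# indicators in sections 2a-2c and remove them per steps 1-3 of section 3b.
# Assumes an elevated PowerShell 5.1+ session on Windows.

$RunKey          = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue        = 'rushmore'
$TrojanKey       = 'HKLM:\SOFTWARE\rushmore'
$FixedFiles      = @('C:\DelUS.bat')
$AppDataRelative = @('InfoBoan_business_s.exe', 'rushmore\rushmore.exe')

function Get-RushmoreArtifacts {
    param([string[]]$AppDataRoots = @($env:APPDATA))
    # Collect every indicator present on this host without changing anything.
    $found = [System.Collections.Generic.List[object]]::new()

    # Section 2b: running rushmore.exe processes.
    Get-Process -Name rushmore -ErrorAction SilentlyContinue | ForEach-Object {
        $found.Add([pscustomobject]@{ Type = 'Process'; Item = $_.Id; Detail = $_.Path })
    }
    # Section 2c: persistence value under the Run key.
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run) {
        $found.Add([pscustomobject]@{ Type = 'RunValue'; Item = "$RunKey\$RunValue"; Detail = $run.$RunValue })
    }
    # Section 2c: the trojan's own key with its version/today values.
    if (Test-Path $TrojanKey) {
        $props = Get-ItemProperty -Path $TrojanKey
        $found.Add([pscustomobject]@{ Type = 'RegKey'; Item = $TrojanKey; Detail = "version=$($props.version) today=$($props.today)" })
    }
    # Section 2a: dropped files under C:\ and each %AppData% root.
    $paths = $FixedFiles + ($AppDataRoots | ForEach-Object {
        $root = $_
        $AppDataRelative | ForEach-Object { Join-Path $root $_ }
    })
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $found.Add([pscustomobject]@{ Type = 'File'; Item = $p; Detail = (Get-Item -LiteralPath $p).Length })
        }
    }
    # Section 2a: the created directory.
    foreach ($root in $AppDataRoots) {
        $dir = Join-Path $root 'rushmore'
        if (Test-Path -LiteralPath $dir -PathType Container) {
            $found.Add([pscustomobject]@{ Type = 'Directory'; Item = $dir; Detail = '' })
        }
    }
    return $found
}

function Remove-RushmoreArtifacts {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$AppDataRoots = @($env:APPDATA))
    # Same order as the advisory: stop the process, then registry, then files,
    # so the binary cannot re-create the Run value while it is being removed.
    $artifacts = Get-RushmoreArtifacts -AppDataRoots $AppDataRoots
    foreach ($a in $artifacts | Where-Object { $_.Type -eq 'Process' }) {
        if ($PSCmdlet.ShouldProcess($a.Detail, 'Stop-Process')) { Stop-Process -Id $a.Item -Force }
    }
    foreach ($a in $artifacts | Where-Object { $_.Type -eq 'RunValue' }) {
        if ($PSCmdlet.ShouldProcess($a.Item, 'Remove-ItemProperty')) { Remove-ItemProperty -Path $RunKey -Name $RunValue }
    }
    foreach ($a in $artifacts | Where-Object { $_.Type -eq 'RegKey' }) {
        if ($PSCmdlet.ShouldProcess($a.Item, 'Remove-Item')) { Remove-Item -Path $a.Item -Recurse }
    }
    foreach ($a in $artifacts | Where-Object { $_.Type -in 'File', 'Directory' }) {
        if ($PSCmdlet.ShouldProcess($a.Item, 'Remove-Item')) { Remove-Item -LiteralPath $a.Item -Recurse -Force }
    }
}

# Audit first; -WhatIf lists what would be removed without touching anything.
Get-RushmoreArtifacts | Format-Table -AutoSize
Remove-RushmoreArtifacts -WhatIf
```

Run Remove-RushmoreArtifacts without -WhatIf only after the audit output has been checked; on a multi-user machine, pass every profile's Application Data folder in -AppDataRoots, because the advisory's %AppData% paths are per user and the Run value is machine-wide.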

c. How to Remove these trojans Instantly?

Manual removal is a difficult process and is not recommended unless you are an expert in this field. Therefore, your best defense is to download and install a reliable anti-spyware program to scan your machine for spyware. To detect computer threats in the easiest and fastest way possible, we advise trying Malwarebytes' Anti-Malware, an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. Visit http://www.ids-sax2.com/Malwarebytes-Anti-Malware.htm and download Malwarebytes' Anti-Malware to help you.


4. Appendix

For more information, please visit http://www.ids-sax2.com/ComputerSecurityNewsletter.htm