Virus:Trojan.Win32.BHO.bd

Detection added Jun 03 2007 12:57 GMT
Description added Jun 19 2007
Behavior Trojan
Technical details

This Trojan component penetrates the Internet browser on the victim machine. It is designed to display advertising. It is a Windows DLL file. The file is 50,740 bytes in size. It is packed using UPX. The unpacked file is approximately 104KB in size. It is written in Visual C++.

Installation

When launched, the Trojan creates the following entries in the system registry:

[HKCR\Software\Classes\CLSID\{generated_number}]
[HKCR\Software\Classes\CLSID\{generated_number}\InProcServer32]
"(default)" = "<name of library>.dll"

A Browser Helper Object is added to Internet Explorer:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{generated_id}]

The Trojan also creates a registry key with its data:

[HKLM\Software\Microsoft\Juan]

Payload

This Trojan is a Browser Helper Object component which penetrates the Internet browser in order to display advertising. The Trojan tracks user activity. It intercepts the addresses of open pages, and redirects them to a specific search portal.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following key from the system registry:
    [HKLM\Software\Microsoft\Juan]
  3. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
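
The registry artifacts listed under Installation can be checked with a read-only PowerShell pass that maps each registered Browser Helper Object to its DLL and looks for the data key. This is an added example, not part of the original description; resolving CLSIDs under `HKLM:\SOFTWARE\Classes` and checking the `WOW6432Node` locations are assumptions about where these entries surface on a given host.

```powershell
# Read-only triage for the registry artifacts this description lists.
# Assumption: CLSIDs are resolved under HKLM:\SOFTWARE\Classes (machine-wide
# source of HKCR); WOW6432Node paths cover 32-bit software on 64-bit Windows.
$views = @(
    @{ Name  = 'native'
       Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID'
       Data  = 'HKLM:\SOFTWARE\Microsoft\Juan' },
    @{ Name  = 'wow64'
       Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
       Data  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Juan' }
)

foreach ($v in $views) {
    # The data key is the only fixed name in the description; the CLSID is generated.
    if (Test-Path -LiteralPath $v.Data) {
        Write-Warning "[$($v.Name)] data key present: $($v.Data)"
    }
    if (-not (Test-Path -LiteralPath $v.Bho)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
        $clsid  = $key.PSChildName
        $server = Join-Path (Join-Path $v.Clsid $clsid) 'InProcServer32'
        $dll    = $null
        if (Test-Path -LiteralPath $server) {
            $dll = (Get-Item -LiteralPath $server).GetValue('')   # "(default)" value
        }
        # A bare file name (no directory) is tested relative to the current location.
        $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll -PathType Leaf)
        $sig = if ($onDisk) { (Get-AuthenticodeSignature -LiteralPath $dll).Status } else { 'n/a' }

        # One row per registered BHO, for review or export.
        [pscustomobject]@{
            View      = $v.Name
            Clsid     = $clsid
            Dll       = $dll
            OnDisk    = $onDisk
            Signature = $sig
        }
    }
}
```

A BHO entry whose DLL is unsigned or cannot be found on disk, seen together with the data key warning, is the combination to review first.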