Boaxxe.dr

When the executable is run on the victim machine, it Drops Following file :

• %system%\%s.dll (This dll is registered,it's a BHO and detected as Boaxxe.dll (87kb))

(where %system% = C:\Windows\System for Windows 95/98/Me
  or, C:\Winnt\System32 for Windows NT/2000
  or, C:\Windows\System32 for Windows XP)

%s.dll indicates that this dll name varies for every execution. It can take any of following names:
ad.dll
cnvfa.dll
cmprop.dll etc.,

Registry Keys added:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E67FDE50-1867-4ACF-B42D-632D5C65892E}
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E67FDE50-1867-4ACF-B42D-632D5C65892E}

Trojan adds inprocserver32 for that dropped dll and sets as single thread apartment.

• HKEY_CLASSES_ROOT\CLSID\{E67FDE50-1867-4ACF-B42D-632D5C65892E}\InprocServer32 "(Default)" = C:\WINDOWS\system32\cnvfa.dll

It modifies following registry key:

•  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings

• Presence of above mentioned files.
• Presence of registry entries mentioned above.

Unlike viruses, trojans do not self-replicate. They spread manually, often under the promises of that executable being beneficial. This also spreads through distribution channels like IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.