Sunday, July 22, 2007

Fake Google Toolbar Installer

Just came across a poorly detected trojan which creates a folder named Google in the Program Files folder and copies a file named Googletoolbar1.dll to that folder. This DLL is registered as a BHO (Browser Helper Object) in Internet Explorer. Googletoolbar1.dll is actually a fake file and is detected as W32/Horst.gen25 by a few AVs. The trojan dropper is named roin.exe and is detected by some AVs as Trojan-Dropper.Win32.Small.ayo or W32/Horst.gen25.dropper.

Files dropped by roin.exe are:
CTFRMON.EXE
kd678.exe
temp77726.exe
googletoolbar1.dll
exsetup.mcd
bipsetup.mcd
iexplore_32.exe
spoolw.exe
igfxsvc.exe
imfe.exe
The following HijackThis log extract shows the trojan's BHO and startup entries:
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe
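As an added example (not part of the original post), the script below scans HijackThis O2/O4 lines for the indicators listed above: it flags any entry whose file name is on the dropped-file list, and separately flags autorun names that sit within an edit or two of a legitimate Windows binary (CTFRMON.EXE vs ctfmon.exe, spoolw.exe vs spoolsv.exe). The lookalike target list and the benign ctfmon.exe control line are assumptions constructed for the example. Note that the BHO entry carries the display name of the Google Toolbar Helper, so it is flagged here only because the DLL name is on the post's list; confirming that the file is fake still requires hashing or scanning it.

```python
import re
from dataclasses import dataclass, field

# Dropped-file names taken from the post (lowercased for matching).
DROPPED_FILES = {
    "ctfrmon.exe", "kd678.exe", "temp77726.exe", "googletoolbar1.dll",
    "exsetup.mcd", "bipsetup.mcd", "iexplore_32.exe", "spoolw.exe",
    "igfxsvc.exe", "imfe.exe",
}

# Legitimate Windows binaries the dropped names imitate.
# Assumption: a small list chosen for this example, not something the post provides.
LOOKALIKE_TARGETS = ("ctfmon.exe", "spoolsv.exe", "iexplore.exe")

# HijackThis line formats for BHOs (O2) and autoruns (O4).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<path>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    basename: str
    reasons: list = field(default_factory=list)


def basename_of(path: str) -> str:
    # HijackThis prints a full path; take the component after the last backslash.
    return path.strip().rsplit("\\", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    # Classic Levenshtein distance, used to spot names that differ from a
    # legitimate binary by only a character or two.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_line(line: str):
    """Return a Finding for a suspicious O2/O4 line, or None."""
    line = line.strip()
    m = O2_RE.match(line) or O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if not m:
        return None
    name = basename_of(m.group("path"))
    reasons = []
    if name in DROPPED_FILES:
        reasons.append("filename matches a dropped file from the post")
    for legit in LOOKALIKE_TARGETS:
        # An exact match is the real binary; a near-miss is a lookalike.
        if name != legit and edit_distance(name, legit) <= 2:
            reasons.append(f"lookalike of {legit}")
    return Finding(line, name, reasons) if reasons else None


def scan(log_text: str):
    """Scan a HijackThis log and return the list of findings in log order."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


# Constructed sample: the five lines from the post plus one benign control line.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [crtfmon] C:\WINDOWS\CTFRMON.EXE
O4 - HKCU\..\Run: [spoolw] C:\WINDOWS\system32\spoolw.exe
O4 - HKCU\..\Run: [igfxsvc] C:\WINDOWS\system32\igfxsvc.exe
O4 - Startup: imfe.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.basename}: {'; '.join(f.reasons)}")
        print(f"    {f.line}")
```

The benign ctfmon.exe line is not reported, while CTFRMON.EXE is reported twice over: once as a known dropped file and once as a one-character lookalike of ctfmon.exe. The lookalike check is a heuristic for triage, not a verdict; treat its hits as candidates to verify by hash or AV scan.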
More information about this trojan can be found here.

1 Comment:

Anonymous BilloKenobi said...

I've analyzed that trojan. See here for more info:

http://www.suspectfile.com/forum/viewtopic.php?t=1542

4:11 PM  
