Welcome To the Hoffman Amplifiers Forum

Topic: Trojan.bho threat, your pc may have one and you don't know it  (Read 9122 times)


EL34
Trojan.bho threat, your pc may have one and you don't know it
« on: December 18, 2008, 08:49:23 am »
There's a bunch of nasty trojans going around and many virus softwares do not detect them.

I found one called trojan.bho on one of my network pc's and this pc does not even have email installed.
It is an internet explorer exploit and so it was probably picked up on a web site somewhere.

It can log keys and do many other things and there are many versions of it.

You can read about it here.
http://news.softpedia.com/news/Internet-Explorer-BHO-Trojan-32403.shtml

I downloaded Malwarebytes anti malware program and it found it within a couple minutes.
This program seems to be the malware program many people swear by and there's a free version that worked just fine.
I liked the program so much I installed it on all my PC's.

http://www.malwarebytes.org/

I would seriously consider doing a scan of your pc now.

DummyLoad
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #1 on: December 18, 2008, 12:32:35 pm »
clever @$$ hats... that trojan uses ICMP packets to transmit the key-logger data. the captured data is placed in the data field of the packet.

slips right by most firewalls, since it's encapsulated in outgoing ICMP echo-requests.  >:(
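
As an added example (not part of any post in this thread), here is one way a defender could check the data field of ICMP echo requests, which a firewall rule that only matches on ICMP type lets through unread. The function names are hypothetical, the "default fill" patterns for stock Windows and Linux ping are assumptions used as an allowlist, and the sample messages are constructed rather than captured.

```python
import struct

WIN_CYCLE = b"abcdefghijklmnopqrstuvw"  # assumed stock Windows ping fill

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over a whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_payload(payload: bytes) -> str:
    """Name the ping default fill that matches, else 'unrecognized'."""
    if not payload:
        return "empty"
    reps = len(payload) // len(WIN_CYCLE) + 1
    if payload == (WIN_CYCLE * reps)[:len(payload)]:
        return "windows-ping"
    # Assumed Linux fill: 8- or 16-byte timestamp, then bytes counting up.
    for ts in (8, 16):
        tail = payload[ts:]
        if tail and tail == bytes((ts + i) & 0xFF for i in range(len(tail))):
            return "linux-ping"
    return "unrecognized"

def inspect_icmp(message: bytes) -> dict:
    """Parse one ICMP message (IP header removed) and decide whether to flag."""
    if len(message) < 8:
        return {"flag": True, "reason": "truncated ICMP header"}
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    kind = classify_payload(message[8:])
    flag = icmp_type == 8 and kind == "unrecognized"  # type 8 = echo request
    return {"type": icmp_type, "id": ident, "seq": seq, "payload": kind,
            "checksum_ok": inet_checksum(message) == 0, "flag": flag,
            "reason": "echo request with non-default data field" if flag else ""}

def make_echo(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed sample echo request (test input only)."""
    csum = inet_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

# Constructed samples, not captured traffic.
SAMPLES = [
    make_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
    make_echo(bytes(16) + bytes(range(0x10, 0x38))),
    make_echo(b"constructed sample: free text in the data field"),
]
```

Monitoring tools that ping with their own payloads will show up as "unrecognized" too, so the allowlist has to be extended for the tools actually in use on the network being watched.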


EL34
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #2 on: December 18, 2008, 12:45:12 pm »
Yes, exactly.

People who rely on Norton or other antivirus software to keep them safe need to do a scan with Malwarebytes.
Depending on Virus software can lead to a false sense of security in this case.

My Antispyware software does a scan every day and never reported it.

Be interested to see how many people report a trojan that think they are clean.


rob440
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #3 on: December 18, 2008, 12:54:51 pm »
I have had 2 different trojans try to install on my computer in the last week. I have AVG and it caught them. Actually I caught one of them because it said it was a Microsoft Windows update for virus protection. It looked very convincing but made me suspicious because I couldn't shut the window. Good thing I didn't fall for that! I hope the more computer educated out there may have some insight on avoiding this kind of crap.

EL34
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #4 on: December 18, 2008, 12:59:59 pm »
You don't have to click on anything to get some of the trojans.
Just by that window being open you could have something.

seriously.

I really would download Malwarebytes and do a scan.
It's a very small and fast program that does not eat up computer resources.

I noticed there were several critical update patches this week from Microsoft.
Obviously they are scrambling to patch Internet explorer.

I am now running daily scans with malwarebytes to stay on top of the situation.

Dynaflow
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #5 on: December 18, 2008, 01:18:52 pm »
I'm using a laptop these days my Wife got, my ancient machine is sick. I downloaded it and got 31 viruses found (this laptop is new to us, but been used quite a long time so it's doubtful anyone ran spyware on it). One of the viruses said adware.bho, that's not the same one you're talking about though is it? At any rate, thanks for the link and software, least this machine's cleaned up for now. (the rest of them were stuff like bottlecap junk).

Regards,

Dyna
Making the world deaf 18 watts at a time...

EL34
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #6 on: December 18, 2008, 01:22:43 pm »
no, all the .bho's are variants of the original.

You can type the exact name you found in the malwarebytes scans in google to read what each one does.

Mine was just trojan.bho, but there's a bunch of them with extensions after the .bho

like trojan.bho.at or trojan.bho.rs or whatever.

PRR
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #7 on: December 18, 2008, 11:56:59 pm »
Over a week ago, a series of flaws was found in MS IE (essentially all versions). The discoverers thought they understood the flaw, and how to block it, but it is really multiple issues.

Deal is: you simply go to a "bad" (infected) web page, and it loads anything it wants on your machine.

But at the same time, hackers had a way to inject such code into many "good" web pages. At the peak, thousands of "good" websites had an infection, and were infecting many innocent surfers.

http://www.pcworld.com/printable/article/id,155190/printable.html

http://www.msisac.org/advisories/2008/2008-044b.cfm
"...unspecified buffer overflow ... an HTML element with a 'src' attribute in the 'TransferFromSrc()' function can be used to corrupt memory. Exploitation can occur if a user visits a maliciously crafted webpage or html file. This vulnerability would allow the attacker to take control..."

We have not had a situation this dangerous in a long time. I was chewing nails, because I could not even tell my users what NOT to do. (While this one was MS IE specific, that was not clear at first.)

Within an hour of MS releasing the patch, I'd tested it on my PC and run over to the main offices to get it installed on everybody's PC.

Well, I missed Mark, and today he called and said the browser kept closing, and Trend was finding infected files. Yup, he caught an infection, though like many such rush-jobs the virus was buggy. In particular, it upset Windows Update, so I could not quickly install this week's patch. Running patches manually, Windows Malicious Software Tool -found- something and removed it. Then the urgent patch would "take", and then I ran all updates and scanned the system.

This incident, the virus/trojan was stealing passwords and, as ISO says, smuggling them out. I was not too worried; Mark doesn't know any good passwords, and my school's firewall blocks ICMP to/from strangers.

This was related to a root-kit from 2 years back. That one could do anything it wanted, including hide itself from the user. It would phone home, it would check IRC channels, it could be ordered to download more software to do... whatever.

EL34
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #8 on: December 19, 2008, 06:22:35 am »
Yes, and I am sure that Trend was only finding the evil bits that it knew about after the trojan had its way?
The original trojan went undetected?

In my case, a pop up window on the web was the culprit.
The pop up was a redirection from a google web page search.
I closed the window with the X, I did not hit ok or check any boxes, etc on the window.
All that had to happen was the pop up opened on my browser.

I am hoping the guys here take this seriously and have a scan with malwarebytes.

Think how bad it would be if the keyloggers got ahold of your on line banking log in, a web site log in, or any sensitive info.

Megachunk
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #9 on: December 19, 2008, 08:44:09 am »
I've been seeing this ish with a number of PC's I take care of. Lotsa bored MF'ers out there that want to F stuff up. Some of the PC's are so infected that the only course to save the PC from a reformat was for me to turn off system restore, clean the PC completely in safe mode (spyware, virus scan, clean out cookies), then booting back into normal mode, and turning back on system restore. Apparently the little bastard likes to hide in your restore files so it'd never really go away until you do this procedure.

Malwarebytes is great. I always look on the net to check these places, though. Some will infect your PC then tell you you need their SW to clean it. F*ckers!

Justa
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #10 on: December 19, 2008, 10:45:18 am »
I am by no means an expert on PC infections.  But I have been doing a lot of research on the subject in the last few months.  Malwarebytes is by far the most frequently suggested program to detect and remove these type of infections by people really in the know.  SuperAntiSpyware seems to come up very often as a recommended tool also.  I run both as demand scans often in normal mode and sometimes safe mode.  Both products find things that the other hadn't.  Running them in normal mode lets the scanner catch things that get loaded in normal mode and safe mode can pick up things in files that are locked down in normal mode. 

I also have SpywareBlaster which maintains a current list of restricted sites and prevents them from loading.  It works for both Firefox and IE.  I only use IE for Windows updates now as its market share continues to make it a juicy target.

I know a fair amount about safe surfing habits and employ them as much as possible.  I am using my machine like crazy lately and have only so much time with being ridiculously safe so I take known risks with safe places to save time.  I am still getting hit and am not sure where it is coming from.  I recently have noticed more links that will not load that I thought were caused by remote servers being down or busy.  I am now thinking that they may be redirects to nasty places that SpywareBlaster is stopping.

It is very frustrating.  Those jerks that write that crap are causing billions in damage.  The very few people that actually pay for their fake crap is just a tiny drop in the bucket of what they are costing.  But it is plenty enough to keep them going and motivated.  The information of how to do their work is all over the net and helps them big time.

I have found http://www.bleepingcomputer.com/ to be the best resource on issues like this so far.  They have a tremendous amount of good information on the subject.
« Last Edit: December 19, 2008, 10:49:05 am by Justa »

EL34
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #11 on: December 19, 2008, 11:09:41 am »
Thanks for the link, I'll give that site a read.

EL34
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #12 on: December 20, 2008, 08:12:18 am »
By the way, just in case anyone was wondering.

The trojan I found was not on the computer I do business on.

Other info:
I do not keypunch anything by hand and so even if there was a keylogger, there is nothing to log.
All my data comes from my shopping cart on a secure internet connection and imports directly into Quickbooks.
I don't do any keypunching of any customer data.
My Quickbooks company data file is encrypted, there is no way to steal it and read it.

Just wanted to clear that up in case someone was wondering.
Just thought about that last night.  :)

Greasehorse
Re: Trojan.bho threat, your pc may have one and you don't know it
« Reply #13 on: March 19, 2009, 08:05:08 am »
SuperAntiSpyware has a free home user version that works well also. It found a bunch of crap on my computers here.
http://www.superantispyware.com
Not observing amp safety can kill you!

 

