Virus:TR/BHO.D.4
Date discovered:21/09/2006
Type:Trojan
In the wild:No
Reported Infections:Low
Distribution Potential:Low
Damage Potential:Low to medium
Static file:Yes
File size:65.536 Bytes
MD5 checksum:9b1006feb6938a6924af7f2c6fcbee1d
VDF version:6.36.00.45
IVDF version:6.36.00.56 - Monday, September 25, 2006

 General Aliases:
   •  Symantec: Trojan.Nethell
   •  Mcafee: Nethell
   •  Kaspersky: Trojan.Win32.BHO.d
   •  Sophos: Troj/Nethell-E
   •  VirusBuster: trojan Trojan.BHO.AJ
   •  Bitdefender: Trojan.Nethell.E


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP


Side effects:
   • Blocks access to certain websites
   • Drops a file
   • Registry modification
   • Steals information

 Files The following file is created:

– Non malicious file:
   • %SYSDIR%\acss.txt

 Registry The following registry keys are added:

– HKCR\NetHelper.Hook.1
   • "(Default)"="Hook Class"

– HKCR\NetHelper.Hook.1\CLSID
   • "(Default)"="{1593C741-C011-46FE-99FC-3805C28328BA}"

– HKCR\NetHelper.Hook
   • "(Default)"="Hook Class"

– HKCR\NetHelper.Hook\CLSID
   • "(Default)"="{1593C741-C011-46FE-99FC-3805C28328BA}"

– HKCR\NetHelper.Hook\CurVer
   • "(Default)"="NetHelper.Hook.1"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}
   • "(Default)"="Hook Class"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\InprocServer32
   • "(Default)"="%executed file%"
   • "ThreadingModel"="Apartment"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\ProgID
   • "(Default)"="NetHelper.Hook.1"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\TypeLib
   • "(Default)"="{0324D9F1-2199-4424-98C7-A0E8CC45743B}"

– HKCR\CLSID\{1593C741-C011-46FE-99FC-3805C28328BA}\
   VersionIndependentProgID
   • "(Default)"="NetHelper.Hook"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0
   • "(Default)"="NetHelper 1.0 Type Library"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\0\win32
   • "(Default)"="%executed file%"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\FLAGS
   • "(Default)"="0"

– HKCR\TypeLib\{0324D9F1-2199-4424-98C7-A0E8CC45743B}\1.0\HELPDIR
   • "(Default)"="%current directory%"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}
   • "(Default)"="IHook"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\
   ProxyStubClsid
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\
   ProxyStubClsid32
   • "(Default)"="{00020424-0000-0000-C000-000000000046}"

– HKCR\Interface\{54DCBD5A-3FDC-490F-B9AE-5B9DBAA39BEC}\TypeLib
   • "(Default)"="{0324D9F1-2199-4424-98C7-A0E8CC45743B}"
   • "Version"="1.0"

– HKCU\Software\Nethelper
   • "LastTime"=%hex values%

 Stealing It tries to steal the following information:
– Email account information obtained from the registry key: HKCU\Software\Microsoft\Internet Account Manager\Accounts

– It captures:
    • Internet traffic

 File details Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Bogdan Iliuta on Wednesday, September 27, 2006
Description updated by Andrei Ivanes on Friday, October 20, 2006

Back . . . .