Technical Details

This Trojan installs other programs to the victim machine without the knowledge or consent of the user. It is a Windows application (PE EXE file). It is 33 400 bytes in size. It is packed using UPX. The unpacked file is approximately 73 KB in size. It is written in Delphi.


Once launched, the Trojan performs the following actions:

  • It deletes the following file:
    %Program Files%\Internet Explorer\JavaNe64.Bet

  • It copies its body to a file:
    %Program Files%\Internet Explorer\JavaNe64.Bet

    The first 2 bytes of the file are replaced with
    4B 4F

  • It extracts a file from its body and saves it under the following name:
    %Program Files%\Internet Explorer\BoboChen.jsp
    (50 296 bytes; detected by Kaspersky Anti-Virus as "Worm.Win32.AutoRun.aazu") The file is created with the "hidden" and "system" attributes.

    The extracted library contains functionality that enables the malicious user to hijack accounts of the Chinese Tencent QQ instant messaging service.

  • It launches its original file with the "Z" parameter. In addition to the above-mentioned actions, it creates in the system a window called "Jsxtxut" (window class: "Button"). Messages sent to the created window are processed using the "MgHookOp" and "MgHookCs" functions from the previously extracted library.

Removal Instructions

If your computer does not have antivirus protection and has been infected by this malicious program, follow the instructions below to delete it:

  1. Use Task Manager to terminate the Trojan process.
  2. Delete the original Trojan file (its location will depend on how the program originally penetrated the infected computer).
  3. Delete the following files:
    %Program Files%\Internet Explorer\JavaNe64.Bet
    %Program Files%\Internet Explorer\BoboChen.jsp 

  4. Perform a full scan of the computer using Kaspersky Anti-Virus with up-to-date antivirus databases (download a trial version).

MD5: 4DA4FC0A5FB8A56792FC45376EB63499
SHA1: F25E622929AE4C77C234CFF0C15E81C09C4880A2