Computer Cops
Just what the heck is a BHO anyway??

 
phoenix22

Posted: Sun Nov 16, 2003 12:02 pm

From the UnderSheriff by Tony (the saint) Klein

"What is a Browser Helper Object?
A Browser Helper Object, or BHO, is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web.

The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet.
Of course, many BHOs are what is called "ad-ware" or "spyware": they do things like monitor the websites you visit and report this data back to their creators."

They can also routinely conflict with other running programs, cause a variety of page faults, run time errors, and the like, and generally impede browsing performance.

For those looking for an engrossing read, here's the authoritative MS article:

Browser Helper Objects: The Browser the Way You Want It

A great little tool for viewing and, if required, disabling, the BHOs that may be installed on your machine is BHODemon, which can be downloaded here

We're maintaining a comprehensive list of all known BHOs, which can be viewed here:

http://www.spywareinfo.com/bhos/

It is updated on a weekly basis, when required, usually on Saturdays.

Listed BHOs are tagged X for certified spyware/foistware, or other malware, L for legitimate items, O for 'open to debate' and ? for BHOs of unknown status.

For those interested, Merijn Bellekom, the developer of the brilliant "Startuplist" and "Hijack This!" has created BHOList. It downloads and displays the BHO Collection in a searchable & sortable list.


NOTE: The Notorious LOP foistware now creates random Browser plugin identifiers as well as file names.

They'll look something like this:

{1A35419C-7394-4989-B3C5-6189EB06BD66} - ssshwckfrngl.dll
or
{9633C13D-85BB-4271-83C1-F22BC2938585} - llbrquistglc.dll
or
{DCF6B0CF-5312-42B2-B783-971C107F8B91} - kstilypsm.dll


As the number of possible names and combinations could therefore literally run into the billions, I will no longer be adding LOP BHOs to the list.
Be watchful when running into unknown BHOs bearing these kinds of fancy names. If they're not on the list, and the file is located in the Application Data directory, it's almost certainly a LOP BHO.

The same now goes for Adgoblin/InContext and WurldMedia Browser Plugins. Here are some examples of random WM identifiers and file names:

{8A79D959-1251-41CC-B29D-4CF8B675D41E}: toalundg.dll
{BFAE1995-4CAC-40D0-B029-42CEC449E838}: ecule.dll

and some semi-random ones:

{E0634852-5A3C-4E35-954C-17A0622F0BF8} - m030206pohs.dll
{6270DFC1-EDFB-4BC4-BE8C-842740BA290B}: MOAA030425S.DLL
{BFBAE8DA-9920-4166-A5A4-EBD03F59ABF5}: mo030414s.dll


According to research by Andrew Clover these are respectively completely and partly random filenames and class IDs; he got a new filename/ID every time he installed. However, the internal name of the object remains the same ('TChk.TChkBHO'), so it will fortunately remain detectable, although not by file name alone.
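
The triage order the post implies (internal name first, then the list's X/L/O/? tag, then the Application Data location) can be written as a short check. This is an added example, not part of the original post or of any tool it names. The record schema (`clsid`, `path`, `internal_name`), the directory paths, and the all-zero "legitimate" CLSID are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Internal object name the post reports as constant for this plugin family.
BAD_NAMES = {"tchk.tchkbho"}

# Constructed stand-in for the published BHO list: CLSID -> tag (X, L, O, ?).
# The all-zero CLSID is a placeholder, not a real product.
KNOWN = {"{00000000-0000-0000-0000-000000000001}": "L"}

def in_application_data(path):
    """True if a directory component of a Windows path is 'Application Data'."""
    parts = PureWindowsPath(path).parts[:-1]
    return any(p.lower() == "application data" for p in parts)

def triage(entry, known=KNOWN):
    """Return (verdict, reason) for one BHO record (hypothetical schema)."""
    clsid = entry["clsid"].upper()
    name = (entry.get("internal_name") or "").lower()
    # 1. Internal name first: it survives random CLSIDs and file names.
    if name in BAD_NAMES:
        return "malware", "internal name " + entry["internal_name"]
    # 2. Then the curated list, keyed by CLSID.
    tag = known.get(clsid)
    if tag == "X":
        return "malware", "listed X"
    if tag == "L":
        return "legitimate", "listed L"
    if tag == "O":
        return "review", "listed O (open to debate)"
    # 3. Unlisted (or listed '?') and loaded from Application Data.
    if in_application_data(entry["path"]):
        return "suspect", "unlisted, DLL under Application Data"
    return "unknown", "unlisted; needs manual review"

# CLSIDs and file names are the post's examples; directories are constructed.
SAMPLES = [
    {"clsid": "{1A35419C-7394-4989-B3C5-6189EB06BD66}", "internal_name": None,
     "path": r"C:\Documents and Settings\user\Application Data\ssshwckfrngl.dll"},
    {"clsid": "{8A79D959-1251-41CC-B29D-4CF8B675D41E}", "internal_name": "TChk.TChkBHO",
     "path": r"C:\WINDOWS\System32\toalundg.dll"},
    {"clsid": "{00000000-0000-0000-0000-000000000001}", "internal_name": None,
     "path": r"C:\Program Files\Example\helper.dll"},
]

if __name__ == "__main__":
    for e in SAMPLES:
        print(e["clsid"], *triage(e))
```

Checking the internal name before the CLSID lookup matters because a freshly randomized CLSID will never be on the list.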