Trackware.Baigoo

Updated: July 24, 2006
Risk Impact: Low
Systems Affected: Windows

Behavior

Trackware.Baigoo is a trackware program that tracks searches on Chinese search engines. Any information that a user enters into a search engine is sent to other remote users.

Antivirus Protection Dates

  • Initial Rapid Release version October 02, 2014 revision 022
  • Latest Rapid Release version March 08, 2018 revision 024
  • Initial Daily Certified version July 22, 2006 revision 002
  • Latest Daily Certified version February 07, 2018 revision 016
  • Initial Weekly Certified release date July 26, 2006

When the program executes, it creates the following folders:
C:\Program Files\baigoo\plugin\bgoobar
C:\Program Files\baigoo\BaiGoo
C:\Program Files\baigoo\plugin
C:\Program Files\baigoo

The program then creates some of the following files:
C:\Program Files\baigoo\baigoo.exe
C:\Program Files\baigoo\baigoo1.ini
C:\Program Files\baigoo\baigoo2.ini
C:\Program Files\baigoo\baigoo3.ini
C:\Program Files\baigoo\BaigooBH.dll
C:\Program Files\baigoo\baigoohk.dll
C:\Program Files\baigoo\baigoosv.exe
C:\Program Files\baigoo\bgooball.dll
C:\Program Files\baigoo\bgoocfg.
C:\Program Files\baigoo\bgooex.dll
C:\Program Files\baigoo\bgoohk.dll
C:\Program Files\baigoo\bgook.dll
C:\Program Files\baigoo\bgoomain.exe
C:\Program Files\baigoo\BGooSrv.ini
C:\Program Files\baigoo\mtsrv.exe
C:\Program Files\baigoo\plugin\bgoobar\band.ini
C:\Program Files\baigoo\plugin\bgoobar\band1033.ini
C:\Program Files\baigoo\plugin\bgoobar\band2052.ini
C:\Program Files\baigoo\plugin\bgoobar\bgoobar.dll
C:\Program Files\baigoo\plugin\bgoobar\bres1033.dll
C:\Program Files\baigoo\plugin\bgoobar\bres2052.dll
C:\Program Files\baigoo\plugin\bgoobar\plugin.ini
C:\Program Files\baigoo\plugin\bgoocos\bgoocos.dll
C:\Program Files\baigoo\plugin\bgoocos\coscfg.ini
C:\Program Files\baigoo\plugin\bgoocos\plugin.ini
C:\Program Files\baigoo\plugin\bgoolink\bgoolink.dll
C:\Program Files\baigoo\plugin\bgoolink\linkcfg.ini
C:\Program Files\baigoo\plugin\bgoolink\plugin.ini
C:\Program Files\baigoo\uninst.exe

The program then creates some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BaigooSv.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{40EF7CCC-71FE-4615-A0CA-D373F8C2AC88}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F2FB0E8-3E37-4910-8DFA-F9010E4F3ABC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18439A22-67A7-4A82-ABB6-82977555AC9B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7905958A-18C2-4139-9957-AE6F2B754818}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{808EAF87-61B8-4EEA-8B85-27480D1BDBEE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8816EA7A-5944-4277-B98E-2C0A46FB36E9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0BFD5815-6072-41D8-BCA5-7768ED97A079}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0EA4B97F-2F07-4895-B397-A75D660E142F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{32CFA498-08BE-4BB7-B362-85EE3BED4617}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{427263C1-FE45-4EF7-8765-318395F7D795}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5CD25F44-7F74-432D-AA30-4031FE28C326}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{73D898CC-32AE-4C08-A4BA-2142FCCDB9CE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A20B50FB-D4B9-4637-83DB-72253A2E3D53}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4626F8A3-DED7-4A56-A73E-D624E6DF8803}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4A8976FE-144E-4742-8E49-D6CD3B140FD1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{690E010B-042A-4973-87A8-485DEB8BDF68}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{6B01A4AF-1AB1-47FE-BF1B-1D1583D2B2C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9DC44A38-B772-47F8-A406-054F842EC7C5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooEx.Update.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooPM.BHOHelper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooPM.BHOHelper.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooPM.BrowserObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BaiGooPM.BrowserObject.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Balloon.BalloonObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Balloon.BalloonObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooBHO.Status.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooSrv.HtmlPaser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BGooSrv.HtmlPaser.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C893032-1E26-4409-BA26-ED6C6007DCA6}
HKEY_LOCAL_MACHINE\SOFTWARE\baigoo
HKEY_USERS\S-1-5-21-220523388-1844823847-682003330-500\Software\baigoo

The program also creates the following registry entry so that the risk executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"baigoo.exe" = "C:\PROGRA~1\baigoo\baigoo.exe"

The program gathers information from the compromised computer when a search engine is used. The program then connects to the following URLs and sends the information to a remote user:
www.baigoo.com
www.yok.com
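As an added defender-side example that is not part of the Symantec writeup, the following read-only PowerShell triage script checks a Windows host for the indicators listed above: the installation folders and files, the registry subkeys (product key, BHO registration, uninstall entry, COM classes), the Run value that gives the program persistence, and cached DNS lookups for the two reporting hosts. The paths, CLSIDs and the Run value name come from the writeup; the `Program Files (x86)` and `WOW6432Node` variants for 64-bit hosts, the use of the current user's `HKCU` hive in place of the specific `HKEY_USERS` SID shown above, and the dependency on `Get-DnsClientCache` (Windows 8 / Server 2012 and later) are assumptions.

```powershell
# Added example (not part of the Symantec writeup): read-only triage for the
# Trackware.Baigoo indicators listed above. It reads the file system and
# registry and removes nothing; use the output to decide on remediation.
# Assumptions: 64-bit hosts may hold a 32-bit install under
# "Program Files (x86)" / WOW6432Node; HKCU stands in for the per-user
# HKEY_USERS\<SID>\Software\baigoo key from the writeup.

$roots = @(${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$findings = New-Object System.Collections.Generic.List[string]

# 1. Folders and representative files created by the program
$relPaths = @(
    'baigoo',
    'baigoo\plugin',
    'baigoo\baigoo.exe',
    'baigoo\baigoosv.exe',
    'baigoo\bgoomain.exe',
    'baigoo\mtsrv.exe',
    'baigoo\BaigooBH.dll',
    'baigoo\plugin\bgoobar\bgoobar.dll',
    'baigoo\plugin\bgoocos\bgoocos.dll',
    'baigoo\plugin\bgoolink\bgoolink.dll'
)
foreach ($root in $roots) {
    foreach ($rel in $relPaths) {
        $p = Join-Path $root $rel
        if (Test-Path -LiteralPath $p) { $findings.Add("file/folder present: $p") }
    }
}

# 2. Registry subkeys: product key, BHO registration, uninstall entry, COM classes
$regKeys = @(
    'HKLM:\SOFTWARE\baigoo',
    'HKLM:\SOFTWARE\WOW6432Node\baigoo',                       # assumed 64-bit variant
    'HKCU:\Software\baigoo',                                   # per-user key for the current user
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7BDAF75A-0D6F-4F50-AFE9-333D08DF4005}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C893032-1E26-4409-BA26-ED6C6007DCA6}',
    'HKLM:\SOFTWARE\Classes\AppID\BaigooSv.EXE',
    'HKLM:\SOFTWARE\Classes\BaiGooPM.BHOHelper',
    'HKLM:\SOFTWARE\Classes\BGooBHO.Status',
    'HKLM:\SOFTWARE\Classes\BGooSrv.HtmlPaser'
)
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("registry key present: $k") }
}

# 3. Persistence: the Run value that starts baigoo.exe whenever Windows starts
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['baigoo.exe']) {
    $findings.Add("Run value 'baigoo.exe' = $($run.'baigoo.exe')")
}

# 4. Network: cached DNS lookups for the two hosts the program reports to.
#    Get-DnsClientCache exists on Windows 8 / Server 2012 and later; skipped elsewhere.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -match '^(www\.)?(baigoo|yok)\.com$' } |
        ForEach-Object { $findings.Add("DNS cache entry: $($_.Entry) -> $($_.Data)") }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output 'No Trackware.Baigoo indicators found.'
} else {
    Write-Output "Trackware.Baigoo indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the `HKLM` keys are readable. A hit on the Run value or the BHO CLSID alone is enough to treat the host as affected, since those two entries are what give the program persistence and its hook into the browser; the file checks mainly confirm which components are still on disk.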