Browsers are often used as platforms by spyware and adware in order to execute. By installing themselves as browser helper objects, spyware and adware give themselves a chance to execute whenever the user fires up the browser to do some web surfing.

But this technique is no longer exclusive to such malicious programs. A rootkit can also register itself as a BHO in the case of TROJ_LINKOPTIM.G. Based on initial analysis, this Trojan is the rootkit component of TROJ_RKDICE.H. TROJ_LINKOPTIM.G connects to several URLs containing scripts that may compromise security on the affected system. As a security measure, these URLs are blocked from access. The Trojan also uses a dose of social engineering when it present itself as a Network Monitor API of Microsoft which is clearly a bogus claim.

A solution for this threat has already been deployed in CPR 3.748.06.