BREX_SENSAVE.WF
Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Adware
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.
It does not have any propagation routine.
It does not have any backdoor routine.
TECHNICAL DETAILS
Arrival Details
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be dropped by other malware.
Installation
This adware drops the following files:
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\extensions\{2d7886a0-85bb-4bf2-b684-ba92b4b21d23}.xpi
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\healthreport.sqlite
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\addons.json
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
It creates the following folders:
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\extensions
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\healthreport
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\bookmarks-{year-month-day of installation}_5.json
(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Propagation
This adware does not have any propagation routine.
Backdoor Routine
This adware does not have any backdoor routine.
NOTES:
This is a browser extension for Mozilla, which is used to load the following URL:
- http://ff.{BLOCKED}s.com/version.js?appTitle=SaveSense&cb={current month integer}_{current day integer}
It also affects disk cache for Mozilla when it loads the URL.
It does not have rootkit capabilities.
It does not exploit any vulnerability.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Search and delete these folders
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\extensions
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\healthreport
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\bookmarks-{year-month-day of installation}_5.json
Step 3
Search and delete these files
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\addons.json
- %Application Data%\Mozilla\Firefox\Profiles\{random value}.default\healthreport.sqlite
Step 4
Scan your computer with your Trend Micro product to delete files detected as BREX_SENSAVE.WF. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
NOTES:
Before proceeding to Step 2, please perform the following steps for Mozilla Firefox users only:
- Open Firefox.
- Go to Tools > Add-ons.
- Select bProtector and click Remove.
Check the disk cache for the temporary Internet file for Mozilla Firefox:
- Open Firefox.
- Type "about:cache"
- Click "List Cache Entries" on Disk cache device
- Look for http://ff.{BLOCKED}s.com/version.js
Did this description help? Tell us how we did.