Keyword: browser hijacker
NOTES: It queries the default web browser by accessing the following registry entry: HKEY_CLASSES_ROOT\http\shell\open\command It then launches a hidden Web browser process (e.g., iexplore.exe). The
files Get default Internet browser Navigate and open a URL in a hidden browser Log user keystrokes and mouse clicks Update self Update configuration file Update bulletin thread used Sleep for a specified
to get stored information such as user names, passwords, and hostnames from the following browsers: Chrome ChromePlus Chromium FastStone Browser Flock Internet Explorer K-Meleon Mozilla Firefox Opera
\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000} Other System Modifications This Trojan adds the following registry keys: HKEY_CLASSES_ROOT
ensure its automatic execution every time Internet Explorer is used by adding the following registry keys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
registry entries: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost netsvcs = 6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility
backdoor adds the following registry keys to install itself as a Browser Helper Object (BHO): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
backdoor does not have any downloading capability. Other Details This backdoor deletes itself after execution. NOTES: It queries the default web browser by accessing the following registry entry:
web browser by accessing the following registry entry: HKEY_CLASSES_ROOT\http\shell\open\command It then launches a hidden Web browser process (e.g. iexplore.exe) where this malware injects its code for
%:applesups.exe" Backdoor Routine This backdoor connects to the following websites to send and receive information: {BLOCKED}e-com.3322.org {BLOCKED}.dyndns-free.com NOTES: It queries the default web browser by
Applications\Browser HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Browser\Settings HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer HKEY_LOCAL_MACHINE
following websites to send and receive information: http://{BLOCKED}dns.{BLOCKED}ns-blog.com 1j.{BLOCKED}w1.biz NOTES: It queries the default web browser by accessing the following registry entry:
\CurrentVersion\policies\system EnableLUA = "0" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects NoExplorer = "1" It deletes the following registry keys:
(es): svchost.exe default browser Other System Modifications This spyware adds the following registry entries: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
load the malicious dll C:\Users\Public\Documents\yoshiDATA.dat - configuration file, also detected as BKDR_POISON.TUHB NOTES: It queries the default web browser by accessing the following registry entry:
sites are inaccessible. Other Details This backdoor requires the existence of the following files to properly run: {Malware Path}\mcods.exe It does the following: It queries the default web browser by
the following data: Channel ID Machine ID OS Information Installed Browsers Default Browser Username Password Nickname Services Processes User Credentials stored by browser Facebook Cookie Facebook
{browser}.exe where {browser} - filename of default browser in registry: HKEY_CLASSES_ROOT\HTTP\shell\open\command\ (Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on
are known to monitor user's Web browsing activities using the browser window titles or address bar URLs as triggers for its attack. They steal account information from online services like online