Trojan:Win32/Miuref


Microsoft security software detects and removes this threat.

This threat can use your PC for click fraud. It can also redirect your Internet searches to a different website than expected.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Remove browser add-ons

You may need to remove add-ons from your browser:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

This threat can be downloaded directly from the Internet by imitating a legitimate software download. We have seen it use the following file names:

  • BkgHC.exe
  • far-cry-3-reggae.exe
  • GDuoh.exe
  • i0fqW.exe
  • install_flashplayer12x32_mssa_aaa_aih.exe
  • lemmings-vollversion-deutsch.exe
  • ppc2.exe
  • QJSg9.exe
  • sgk-toan-lop-9.exe
  • VOMdc.exe

It can also be installed by other malware, including the Fiesta exploit kit.

The malware installs itself to %LOCALAPPDATA%\<random folder>\<random file name>.exe. For example, we have seen it installed to the following locations:

It then installs its two main payloads, a click fraud and a click hijack component.

Click fraud component

This component is installed as two dynamic-link library (.dll) files at %LOCALAPPDATA%\<random path>\<random name>.dll. For example, we have seen it installed to the following locations:

It also downloads another file that contains the encrypted click fraud payload. This file has the same random name as the .dll file, but with one of the following extensions:

  • .dat
  • .idx
  • .txt

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Owkqics"
With data: %LOCALAPPDATA%\Owkqics\<MalwareFile>.exe

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ovsdics"
With data: regsvr32.exe %LOCALAPPDATA%\Ovsdics\<random name>.dll

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Atntworks"
With data: regsvr32.exe %LOCALAPPDATA%\Owkqics\<random name>.dll
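To turn the three persistence entries above into a check, here is an added Python triage helper; it is not Microsoft's tooling or part of this write-up. It classifies HKCU Run values against the two patterns described (regsvr32.exe registering a DLL under %LOCALAPPDATA%, and an .exe launched from a %LOCALAPPDATA% folder named after the Run value) and also accepts the expanded C:\Users\<user>\AppData\Local form; the sample values and file names are constructed from the page's lists, and the "OneDrive" entry is a hypothetical benign control.

```python
import re
from typing import Optional

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values: the three Miuref entries from the write-up plus one benign entry.
SAMPLE_RUN_VALUES = {
    "Owkqics": r"%LOCALAPPDATA%\Owkqics\QJSg9.exe",
    "Ovsdics": r"regsvr32.exe %LOCALAPPDATA%\Ovsdics\GDuoh.dll",
    "Atntworks": r"regsvr32.exe %LOCALAPPDATA%\Owkqics\VOMdc.dll",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# The per-user local profile root, either as the %LOCALAPPDATA% variable or expanded.
LOCAL_ROOT = re.compile(
    r"(%LOCALAPPDATA%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local)\\", re.IGNORECASE
)


def classify_run_value(name: str, data: str) -> Optional[str]:
    """Return a reason string if a Run value matches the Miuref persistence
    pattern, otherwise None.  Heuristic, not a signature: it flags
    (1) regsvr32.exe loading a .dll that lives under the local profile root, and
    (2) an .exe at exactly <root>\<folder>\<file>.exe where <folder> equals the
        Run value name (the Owkqics\... layout described in the write-up)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data.strip())]
    if not tokens:
        return None
    exe = tokens[0].lower()
    if exe.endswith("regsvr32.exe"):
        for arg in tokens[1:]:
            if arg.lower().endswith(".dll") and LOCAL_ROOT.match(arg):
                return f"regsvr32 registers DLL from local profile: {arg}"
        return None
    m = LOCAL_ROOT.match(tokens[0])
    if m and exe.endswith(".exe"):
        rest = tokens[0][m.end():].split("\\")
        if len(rest) == 2 and rest[0].lower() == name.lower():
            return f"exe in per-user folder named after Run value: {tokens[0]}"
    return None


def scan_run_values(values: dict) -> dict:
    """Map every suspicious value name to its reason; benign values are omitted."""
    hits = {}
    for name, data in values.items():
        reason = classify_run_value(name, data)
        if reason:
            hits[name] = reason
    return hits
```

On a live system the input dictionary would come from reading the Run subkey (for example with winreg), which is deliberately left out so the helper runs on any platform.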

Click hijacking component

This component is installed as a browser plugin for the Chrome and Firefox web browsers. It creates the following files:

  • Mozilla Firefox extensions:
    • %APPDATA%\Roaming\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\chrome.manifest
    • %APPDATA%\Roaming\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\components\MHTMLAsynchronousPluggable.js
    • %APPDATA%\Roaming\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\install.rdf
  • Google Chrome extensions:
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\background.js
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\content.js
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\manifest.json

Payload

Uses your PC for click fraud

This threat can use your PC for click fraud. It loads two malicious dynamic-link library (.dll) files by calling %LOCALAPPDATA%\<random path>\<random name>.dll.

It connects to a remote command and control server (C&C) to receive click fraud commands. We have seen it connect to:

  • 85.25.116.<removed>

After receiving click fraud commands from the C&C, the malware silently creates many Internet Explorer processes and injects malicious code into them to perform hidden click fraud.

These hidden processes can be seen in the Task Manager, as shown below:

Redirects your web browser for click hijacking

This threat can hijack your search engine results. When you search the Internet using the Chrome or Firefox web browser, the malicious plugin submits the search term to its C&C server and waits for a reply. The reply contains the redirection chain.

The threat targets specific search keywords, such as the following:

  • Books
  • Headphone
  • Insurance
  • Laptop
  • Loans
  • Pills
  • poker
  • Shoes
  • work at home

We have seen searches with these keywords redirect to these legitimate websites:

  • amazon.com 
  • 7search.com

These websites can change at any time.

Analysis by Duc Nguyen


Symptoms

The following can indicate that you have this threat on your PC:
  • You see these entries or keys in your registry:
     
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Owkqics"
    With data: %LOCALAPPDATA%\Owkqics\<MalwareFile>.exe

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Ovsdics"
    With data: regsvr32.exe %LOCALAPPDATA%\Ovsdics\<random name>.dll

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Atntworks"
    With data: regsvr32.exe %LOCALAPPDATA%\Owkqics\<random name>.dll

  • Your search results are redirected to a different website than expected

  • Your web searches take longer than usual

  • You see multiple instances of Internet Explorer running in Task Manager
     


Prevention


Alert level: Severe
First detected by definition: 1.165.98.0
Latest detected by definition: 1.199.453.0 and higher
First detected on: Dec 17, 2013
This entry was first published on: Dec 17, 2013
This entry was updated on: Dec 03, 2014

This threat is also detected as:
  • Trojan.Win32.Yakes.gwfg (Kaspersky)
  • swizzor/Heur.I (Norman)
  • Crypt3.AXWK (AVG)
  • TR/Boaxxe.A.336 (Avira)
  • Win32/Kryptik.CNQK trojan (ESET)
  • W32/Simda.ADWX!tr.bdr (Fortinet)
  • Packed-CH!2B51314C5F6D (McAfee)
  • Trojan.Boaxxe (Symantec)