Win32/Foidan


Microsoft security software detects and removes this threat.

The Win32/Foidan family can monitor and change how your Internet browser behaves.

Trojans in this family can get onto your PC when you download a file from the Internet. They can also be downloaded by other malware.



What to do now

The following Microsoft security software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Threat behavior

Installation

Depending on the variant, Win32/Foidan copies itself as one of the following:

It modifies one of the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "IExplorer Util" 
With data: "%APPDATA%\ie_util.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "FNModuleUpdater"
With data: "%APPDATA%\fnmod_32.exe"

It creates the following mutexes:

  • FOCTRLM
  • FOIDCTRL<Process ID>
  • SYS_<Random>

This could be an infection marker to prevent more than one copy of the threat running on your PC.

Payload

Injects code

This malware tries to inject its code into the following processes so that, from inside them, it can hook the WinINet functions HttpQueryInfoA and InternetReadFile and monitor the HTTP traffic those processes send and receive:

  • ctfmon.exe
  • dwm.exe
  • explorer.exe
  • iexplore.exe
  • rdpclip.exe
  • taskeng.exe
  • taskhost.exe
  • wscntfy.exe

Monitors and changes Internet traffic

Trojans in this family try to hook the following WinINet APIs in the processes they inject into:

  • HttpQueryInfoA (returns the headers of an HTTP request or response)
  • InternetReadFile (returns the body of an HTTP response)

By sitting on these two calls the malware can read, and alter in transit, the HTTP headers and the page data that is sent from or received by your PC, without the browser or other WinINet client noticing.

Analysis by Jonathan San Jose
 


Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "IExplorer Util" 
    With data: "%APPDATA%\ie_util.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "FNModuleUpdater"
    With data: "%APPDATA%\fnmod_32.exe"
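
The following PowerShell script is an added example, not part of the original encyclopedia entry or of any Microsoft tool: it performs a read-only hunt for the Win32/Foidan artefacts documented on this page (the two Run values, the two %APPDATA% files, and the fixed FOCTRLM mutex). Only those names and paths come from the page; the function names, the output layout and the `Global\` mutex variant are this example's own assumptions. It removes nothing.

```powershell
# Added example (not from the encyclopedia page): read-only hunt for the
# Win32/Foidan artefacts documented above. Only the Run-key value names,
# the %APPDATA% paths and the fixed mutex name come from the page; the
# function names, output layout and the Global\ mutex variant are this
# example's assumptions. Nothing is deleted; clean with a full AV scan.

$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Run-key value name -> data, exactly as documented on this page.
$KnownRunValues = @{
    'IExplorer Util'  = '%APPDATA%\ie_util.exe'
    'FNModuleUpdater' = '%APPDATA%\fnmod_32.exe'
}

# FOCTRLM is the only fixed name; FOIDCTRL<Process ID> and SYS_<Random> vary
# per run and cannot be matched by exact name. The Global\ form is an assumption.
$KnownMutexes = @('FOCTRLM', 'Global\FOCTRLM')

function Test-FoidanRunKey {
    # Report each documented Run value that exists, and whether its data
    # matches the page exactly (a variant may have changed the path).
    $findings = @()
    if (-not (Test-Path -LiteralPath $RunKey)) { return $findings }
    $props = Get-ItemProperty -LiteralPath $RunKey
    foreach ($name in $KnownRunValues.Keys) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $data = $props.$name
            $findings += [pscustomobject]@{
                Indicator = "Run value '$name'"
                Detail    = $data
                Matches   = ($data -eq $KnownRunValues[$name])
            }
        }
    }
    return $findings
}

function Test-FoidanFiles {
    # Check the dropped-file paths independently of the registry, in case the
    # Run value was already removed but the binary was left behind.
    $findings = @()
    foreach ($data in $KnownRunValues.Values) {
        $path = [Environment]::ExpandEnvironmentVariables($data)
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += [pscustomobject]@{
                Indicator = 'Dropped file'
                Detail    = $path
                Sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
    return $findings
}

function Test-FoidanMutex {
    # TryOpenExisting only opens a mutex that already exists and never creates
    # one, so a $true result means some running process currently holds it.
    $findings = @()
    foreach ($name in $KnownMutexes) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $m.Dispose()
                $findings += [pscustomobject]@{ Indicator = 'Mutex'; Detail = $name }
            }
        } catch [System.UnauthorizedAccessException] {
            # The object exists but our token cannot open it: still evidence it is present.
            $findings += [pscustomobject]@{ Indicator = 'Mutex (access denied)'; Detail = $name }
        }
    }
    return $findings
}

$results = @(Test-FoidanRunKey) + @(Test-FoidanFiles) + @(Test-FoidanMutex)
if ($results.Count -eq 0) {
    'No Win32/Foidan indicators from this page were found for the current user and session.'
} else {
    $results | Format-List
}
```

Run it in the session of the user whose profile may be infected: both the HKCU Run key and an unqualified mutex name are per-user and per-session, so a check from an administrator's separate logon can miss them. The list of injected processes on this page is deliberately not checked, because they are legitimate Windows binaries whose mere presence says nothing; confirming the hooks inside them needs a memory-inspection tool rather than this script.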

 


Prevention


Alert level: Severe
This entry was first published on: Oct 01, 2013
This entry was updated on: Nov 14, 2013

This threat is also detected as:
  • W32/Troj_Generic.KAIMH (Norman)
  • TR/Hijacker.Gen (Avira)
  • Worm.P2P.Palevo.PA (BitDefender)
  • Trojan.Inject1.20296 (Dr.Web)
  • Win32/Agent.UJJ (ESET)
  • Trojan-PWS.Win32.Zbot (Ikarus)
  • RDN/Generic.dx!zn (McAfee)
  • Trojan-Ransom.Win32.Foreign.hlwo (Kaspersky)
  • Luhe.Fiha.A (AVG)
  • W32/Foreign.HLWO!tr (other)
  • TROJ_BUBLIK.UHZ (Trend Micro)