Win32/Miuref can be installed by other malware, such as Win32/Fareit. It can also get on your PC if you open a spam email attachment named "invoice_<random characters>.pdf.exe". Because Windows hides known file extensions by default, such an attachment appears as a PDF named "invoice_<random characters>.pdf" even though it is an executable. We detect this attachment as Trojan:Win32/Miuref.A.
It then downloads an additional component, detected as Trojan:Win32/Miuref.B, and installs it to %LOCALAPPDATA%\<random folder>\ as a .dll file with a random name, for example %LOCALAPPDATA%\Arltworks\MozSvcs64.dll.
It also downloads another file that has the encrypted payload of the trojan. The file has the same name as the .dll file, but with one of the following extensions:
For example, MozSvcs64.idx.
It changes the registry so that the malware runs each time you log on to your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random name>, for example, Arltworks
With data: "regsvr32.exe <install path>", for example "regsvr32.exe %LOCALAPPDATA%\Arltworks\MozSvcs64.dll"
regsvr32.exe is a legitimate, signed Windows utility: when run against a DLL it loads the DLL and calls its DllRegisterServer export, which is where the trojan's startup code runs. The autorun entry therefore looks like an ordinary COM registration, and the process that appears in logs is regsvr32.exe rather than a file with a suspicious name.
If you have Firefox or Chrome installed on your PC, Win32/Miuref also installs extensions with various names (such as "HomeGroup Task") for those browsers. We detect the extensions as Trojan:JS/Miuref.A and Trojan:JS/Miuref.B. It uses these extensions to perform its search-engine hijacking payload.
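The following PowerShell triage script is an added example and is not part of the original Microsoft write-up. It checks a host for the installation artifacts described above: HKCU Run values that launch regsvr32.exe against a DLL under %LOCALAPPDATA%, a companion file sharing that DLL's base name (the .idx payload in the example), and browser extensions. It assumes the Run value data has the "regsvr32.exe <path>" form shown, that Chrome stores extensions under the default profile path, and that Firefox profiles live under %APPDATA%\Mozilla\Firefox\Profiles; the extension name "HomeGroup Task" is the one the text reports, and all other names in the script are the author's choices.

```powershell
# Added triage example (not Microsoft's code). Assumes the artifacts described
# in the write-up: a Run value of the form "regsvr32.exe <dll under %LOCALAPPDATA%>",
# a companion payload with the DLL's base name, and browser extensions.

$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Run values that hand a DLL under %LOCALAPPDATA% to regsvr32.exe
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }            # skip PSPath/PSParentPath metadata
    $data = [string]$p.Value
    if (-not ($data -match '(?i)regsvr32(\.exe)?\s+"?([^"]+\.dll)"?')) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($Matches[2])
    if (-not $dll.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)) { continue }

    Write-Output "Suspicious Run value '$($p.Name)': $data"

    # 2. Companion payload: same base name as the DLL, any other extension (e.g. .idx)
    $dir  = Split-Path -Path $dll -Parent
    $base = [IO.Path]::GetFileNameWithoutExtension($dll)
    if (Test-Path -Path $dir) {
        Get-ChildItem -Path $dir -Filter "$base.*" |
            Where-Object { $_.Extension -ne '.dll' } |
            ForEach-Object { Write-Output "  companion file: $($_.FullName) ($($_.Length) bytes)" }
    }
}

# 3. Chrome: extensions whose manifest name matches the one reported in the text
$chromeExt = Join-Path $localAppData 'Google\Chrome\User Data\Default\Extensions'
if (Test-Path -Path $chromeExt) {
    Get-ChildItem -Path $chromeExt -Recurse -Filter manifest.json | ForEach-Object {
        try { $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json } catch { return }
        if ($m.name -eq 'HomeGroup Task') {
            Write-Output "Chrome extension '$($m.name)' at $($_.DirectoryName)"
        }
    }
}

# 4. Firefox: extension names vary, so list every extension in every profile for review
$ffProfiles = Join-Path ([Environment]::GetFolderPath('ApplicationData')) 'Mozilla\Firefox\Profiles'
if (Test-Path -Path $ffProfiles) {
    Get-ChildItem -Path $ffProfiles -Directory | ForEach-Object {
        $ext = Join-Path $_.FullName 'extensions'
        if (Test-Path -Path $ext) {
            Get-ChildItem -Path $ext | ForEach-Object { Write-Output "Firefox extension: $($_.FullName)" }
        }
    }
}
```

Run it in the context of the user whose profile you are examining, since the Run key and the browser profiles are per user. A regsvr32.exe Run value pointing into %LOCALAPPDATA% is unusual for legitimate software, but the companion-file and extension listings are there to be reviewed by an analyst, not treated as convictions on their own.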
Downloads malware and displays ads
Win32/Miuref starts one or more hidden Internet Explorer processes, injects itself into them, and uses them to perform clicks that the user never sees. These hidden clicks are used to generate traffic to online advertisements (click fraud).
We have also seen the hidden clicks used to download other malware such as Trojan:Win32/Tobfy.S.
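The following check is an added example, not part of the original write-up. It lists iexplore.exe processes that own no top-level window and flags those whose parent is neither another iexplore.exe nor explorer.exe. The assumption, which is the author's and not a claim from the text, is that this is what a "hidden Internet Explorer process" looks like on a live host, and that a windowless IE content (tab) process is normal only when its parent is the IE frame process.

```powershell
# Added example (not Microsoft's code). Assumption: a hidden IE process is an
# iexplore.exe with no main window whose parent is not iexplore.exe/explorer.exe.
$procs = Get-CimInstance -ClassName Win32_Process | Where-Object { $_.Name -ieq 'iexplore.exe' }

foreach ($p in $procs) {
    # Get-Process exposes MainWindowHandle; Win32_Process does not
    $gp = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
    if ($null -eq $gp -or $gp.MainWindowHandle -ne 0) { continue }   # visible window: skip

    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }

    # Tab/content processes are spawned by the IE frame process; a windowless
    # iexplore.exe started by anything else deserves a closer look.
    $flag = if ($parentName -notin @('iexplore.exe', 'explorer.exe')) { 'SUSPICIOUS' } else { 'normal' }

    Write-Output ('{0,-10} PID {1,6}  parent {2,6} ({3})  cmd: {4}' -f `
        $flag, $p.ProcessId, $p.ParentProcessId, $parentName, $p.CommandLine)
}
```

Treat the output as triage, not proof: a parent PID can be reused after the original parent exits, and IE launched from another application (a mail client, for instance) will also show a non-IE parent. What matters for this family is a windowless iexplore.exe whose parent is the process that the Run key launches, or one that has exited already, together with the persistence artifacts described above.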
Hijacks search engine results
The trojan can hijack and replace search engine results when you use Internet Explorer, Firefox or Chrome.
For Internet Explorer, the trojan connects to a remote server to get the redirection URLs.
For Firefox and Chrome, the trojan uses the extensions it has installed to redirect the search to another website. We have seen the extensions redirect searches to esearchpage.com and esearchpage.org.
Connects to a remote server
Win32/Miuref connects to a remote server to report the following information:
- Machine GUID
- System volume serial number
- Computer name
The server varies, but we have seen it try to connect to 126.96.36.199.
Analysis by Shawn Wang