Win32/Rotbrow


Microsoft security software detects and removes this threat.

This family of trojans installs browser add-ons that claim to protect you from other add-ons. These add-ons can change your home page and can also install Win32/Sefnit.

These trojans are commonly installed by Win32/Brantall.




What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Rotbrow might be installed on your PC by other software. For example, we have seen Rotbrow installed alongside the clean program Babylon Toolbar by a variant of Win32/Brantall.

Win32/Rotbrow installs itself in a folder under <commonappdata>, for example:

The family consists of multiple components, whose file names vary from one version to another. We have seen variants use the following file names for the main component:

  • BitGuard.exe
  • BrowserProtect.exe
  • BitGuard.dll
  • BrowserProtect.dll
  • bProtect.exe
  • Protector.dll
  • BrowseMngr.dll
  • BrowserDefender.dll

It might install itself as a Firefox extension with one of the following names:

  • "bProtector", bprotector.xpi
  • "Browser Manager", Babylonmngr.xpi

In Chrome, it might use these names:

  • "BrowserProtect", BrowserProtect.crx
  • “BrowserProtect”, mngr.crx
  • “Settings Protector”, browsemngr.crx
  • “Settings Protector”, spext.crx

In Internet Explorer, it might use this name:

  • "ProtectorBHO Class", kerberos_bho.dll

You might see it in the Manage Add-ons window in Internet Explorer:

It installs itself as a service so that it runs each time you start your PC.

It might use the service name bProtector with the description "Your browser protector service".

It might also create a scheduled task that runs once every minute to start this service if it has stopped.
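The installation indicators above (main component file names under the common application data folder, browser extension file names, the bProtector service and its description, and a once-a-minute scheduled task that restarts the service) can be checked together. The script below is an added example for this page, not Microsoft's code or part of its detection; it matches a constructed host inventory against those indicators. Collecting the inventory from a live host is out of scope here, and the folder name, profile path, task name and task command in the sample are invented.

```python
"""Hunt for the Win32/Rotbrow installation indicators over a host inventory.

The inventory format and sample values are constructed for this example;
on a real host you would fill it from directory listings, the service
control manager and the task scheduler.
"""
import ntpath

# Indicators taken from the write-up (names only; it publishes no hashes).
ROTBROW_MAIN_FILES = {
    "bitguard.exe", "browserprotect.exe", "bitguard.dll", "browserprotect.dll",
    "bprotect.exe", "protector.dll", "browsemngr.dll", "browserdefender.dll",
}
ROTBROW_EXTENSION_FILES = {
    "bprotector.xpi", "babylonmngr.xpi",                               # Firefox
    "browserprotect.crx", "mngr.crx", "browsemngr.crx", "spext.crx",  # Chrome
    "kerberos_bho.dll",                                                # IE BHO
}
ROTBROW_SERVICE_NAME = "bprotector"
ROTBROW_SERVICE_DESC = "your browser protector service"


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def hunt_rotbrow(inventory, common_appdata=r"C:\ProgramData"):
    """Return a dict of indicator class -> list of matching items.

    inventory keys (constructed for this example):
      files:    list of absolute paths
      services: list of (name, description)
      tasks:    list of (task_name, interval_minutes, action_command)
    """
    hits = {"main_files": [], "extensions": [], "service": [], "task": []}
    prefix = common_appdata.lower().rstrip("\\") + "\\"
    for path in inventory.get("files", []):
        base = _base(path)
        # Main components are only flagged under <commonappdata>, as the write-up states.
        if base in ROTBROW_MAIN_FILES and path.lower().startswith(prefix):
            hits["main_files"].append(path)
        elif base in ROTBROW_EXTENSION_FILES:
            hits["extensions"].append(path)
    for name, desc in inventory.get("services", []):
        if name.lower() == ROTBROW_SERVICE_NAME or desc.lower() == ROTBROW_SERVICE_DESC:
            hits["service"].append(name)
    for task, interval, cmd in inventory.get("tasks", []):
        # Write-up: a task that runs once every minute to restart the service.
        if interval == 1 and ROTBROW_SERVICE_NAME in cmd.lower():
            hits["task"].append(task)
    return hits


def verdict(hits):
    """Flag only when two or more independent indicator classes match,
    so a single look-alike file name does not trigger a response on its own."""
    return sum(1 for v in hits.values() if v) >= 2


# Constructed sample inventory: folder, profile, task name and command are invented.
SAMPLE_INVENTORY = {
    "files": [
        r"C:\ProgramData\ExampleFolder\BitGuard.exe",
        r"C:\ProgramData\ExampleFolder\Protector.dll",
        r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\extensions\bprotector.xpi",
        r"C:\Windows\System32\kernel32.dll",
    ],
    "services": [("bProtector", "Your browser protector service"), ("Spooler", "Print Spooler")],
    "tasks": [
        ("Example Monitor", 1, r"C:\ProgramData\ExampleFolder\BitGuard.exe /start bProtector"),
        ("Nightly Backup", 1440, "backup.exe"),
    ],
}

if __name__ == "__main__":
    found = hunt_rotbrow(SAMPLE_INVENTORY)
    for cls, items in found.items():
        print(f"{cls}: {items}")
    print("Rotbrow indicators present:", verdict(found))
```

The two-class threshold in `verdict` is a design choice for triage, not something the write-up prescribes: the file names alone are a weak signal, while the service name plus the minute-interval restart task together are much harder to explain by coincidence.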

Payload

Installs other files, including malware

Many instances of the main Win32/Rotbrow executable contain another executable in an encrypted resource, which they decrypt to the %TEMP% folder, for example %TEMP%\setup_fsu_cid.exe.

The trojan then runs setup_fsu_cid.exe, which is an installer for a program called FileScout.

In many cases, this installer also contains Win32/Sefnit, which it installs silently alongside FileScout.

Additional information

Win32/Rotbrow hooks a number of APIs to:

  • Prevent itself from being stopped or removed
  • Prevent the "MindSpark Toolbar Platform IE Search Box Protector" from hooking functions in the current process
  • Prevent OLE objects matching a product named "SweetPacks" from being loaded
  • Monitor registry and file system changes to prevent certain registry keys and files from being modified
  • Trigger the JavaScript engine hooking behavior described below

Hooks JavaScript library loading events

It triggers the JavaScript-hooking engine by hooking library loading events and the following exports of mozjs.dll:

  • "?Compile@JS@@YAPAUJSScript@@PAUJSContext@@V?$Handle@PAUJSObject@@"
  • "?JS_DecodeScript@@YAPAUJSScript@@PAUJSContext@@PBXIPAUJSPrincipal"

It does several JavaScript replacements that specifically disable the following programs:

  • Funmoods
  • AVG Safeguard Toolbar

Your browser startup homepage is modified to refer to a different variable by replacing browser.startup.homepage with browser.startup.homepage.CT.

JavaScript replacements also take over the new tab page in Firefox.

Blacklists URLs

The trojan also supports the blacklisting and whitelisting of URLs and domains based on a remote configuration.

Analysis by Hamish O'Dea


Symptoms

Alerts from your security software may be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Oct 25, 2013
This entry was updated on: Aug 22, 2014

This threat is also detected as:
No known aliases