Trojan:Win32/Miuref.B can be installed by Trojan:Win32/Miuref.A and Trojan:Win32/Miuref.gen!A.
The malware file is installed to %LOCALAPPDATA%\<random folder>\<random name>.dll, for example %LOCALAPPDATA%\Arltworks\MozSvcs64.dll.
It modifies the following registry entry so that it runs each time you log on to your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random name>, for example, Arltworks
With data: "regsvr32.exe <install path>", for example "regsvr32.exe %LOCALAPPDATA%\Arltworks\MozSvcs64.dll"
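The persistence pattern above (a Run value whose data launches regsvr32.exe on a DLL under %LOCALAPPDATA%) is easy to audit. The following is an added example, not code from the Microsoft write-up: it flags Run-key values of that shape. The value names, paths and the LOCALAPPDATA folder in the sample list are constructed for the example; on Windows the script also reads the live HKCU Run key, elsewhere it runs against the sample data.

```python
"""Flag HKCU Run values that use regsvr32.exe to load a DLL under %LOCALAPPDATA%.

Added example (not from the Microsoft encyclopedia entry). The sample entries
below are constructed; only the Arltworks/MozSvcs64.dll pair mirrors the write-up.
"""
import os
import re
import sys

# Constructed sample Run-key values: (value name, value data).
SAMPLE_RUN_ENTRIES = [
    ("Arltworks", r"regsvr32.exe %LOCALAPPDATA%\Arltworks\MozSvcs64.dll"),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\shell32.dll"),
    ("Zxq", r"REGSVR32 /s C:\Users\alice\AppData\Local\Zxq\Zxq.dll"),
]

# Data starts with regsvr32 (bare, .exe, optionally quoted or with a full path).
REGSVR32_RE = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?regsvr32(?:\.exe)?"?\s+', re.IGNORECASE)
# First .dll token on the command line, quotes stripped.
DLL_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)


def _normalize(path):
    """Lower-case, backslash-only form so comparisons work on any host OS."""
    return path.replace("/", "\\").lower().rstrip("\\")


def _under_local_appdata(path, local_appdata):
    """True if path is the unexpanded %LOCALAPPDATA% form or lies below that folder."""
    p = _normalize(path)
    if p.startswith("%localappdata%\\"):
        return True
    return p.startswith(_normalize(local_appdata) + "\\")


def find_suspicious_run_entries(entries, local_appdata=r"C:\Users\alice\AppData\Local"):
    """Return [(value_name, dll_path)] for Run values that regsvr32 a DLL under LOCALAPPDATA.

    local_appdata defaults to a constructed path; pass os.environ["LOCALAPPDATA"] on a real host.
    """
    hits = []
    for name, data in entries:
        if not REGSVR32_RE.match(data):
            continue
        m = DLL_RE.search(data)
        if not m:
            continue
        dll = m.group(1)
        if _under_local_appdata(dll, local_appdata):
            hits.append((name, dll))
    return hits


def read_hkcu_run_entries():
    """Read the live HKCU Run key (Windows only); returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows
    entries = []
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _value_type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


if __name__ == "__main__":
    live = read_hkcu_run_entries()
    entries = live if live else SAMPLE_RUN_ENTRIES
    local = os.environ.get("LOCALAPPDATA", r"C:\Users\alice\AppData\Local")
    for value_name, dll_path in find_suspicious_run_entries(entries, local):
        print(f"suspicious Run value {value_name!r}: regsvr32 loads {dll_path}")
```

A hit is a lead, not a verdict: legitimate software rarely registers a COM DLL from a per-user profile folder at logon, so each flagged DLL is worth hashing and checking against the vendor's signature, and the matching .idx-style sibling file the write-up mentions is worth collecting alongside it.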
Trojan:Win32/Miuref.B tries to decrypt and load its payload from a file that has the same file name as the DLL but one of the following extensions.
For example, MozSvcs64.idx.
Downloads malware and displays ads
Trojan:Win32/Miuref.B starts one or more hidden Internet Explorer processes and injects itself into them to perform hidden clicks. These clicks can lead to online advertisements. We have also seen them used to download other malware, such as Trojan:Win32/Tobfy.S.
Hijacks search engine results
The trojan can hijack and replace the search engine results when you use Internet Explorer.
To get the redirection URLs, the malware contacts a remote server with the search query and retrieves the redirection target.
Connects to a remote server
Trojan:Win32/Miuref.B connects to a remote server to report the following information and to retrieve redirection URLs:
- Machine GUID
- System volume serial number
- Computer name
We have seen it connect to the following server:
Analysis by Shawn Wang