
Trojan:Win32/Miuref.B


Microsoft security software detects and removes this threat.

This threat can redirect your web browser to show you ads or download other malware.  

It can be installed by Trojan:Win32/Miuref.A and Trojan:Win32/Miuref.gen!A.

See the Win32/Miuref family description for more information.



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Remove browser add-ons

You may need to remove add-ons from your browser:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Trojan:Win32/Miuref.B can be installed by Trojan:Win32/Miuref.A and Trojan:Win32/Miuref.gen!A.

The malware file is installed to %LOCALAPPDATA%\<random folder>\<random name>.dll, for example %LOCALAPPDATA%\Arltworks\MozSvcs64.dll.

It modifies the following registry entry so that it runs each time you log on to your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: <random name>, for example, Arltworks
With data: "regsvr32.exe <install path>", for example %LOCALAPPDATA%\Arltworks\MozSvcs64.dll

Trojan:Win32/Miuref.B tries to decrypt and load its payload from a file with the same file name as itself but with one of the following extensions:

  • .idx
  • .lck
  • .dat
  • .txt

For example, MozSvcs64.idx.

Payload

Downloads malware and displays ads

Trojan:Win32/Miuref.B starts one or more hidden Internet Explorer processes and injects itself into them to perform hidden clicks. These clicks can lead to online advertisements. We have also seen them used to download other malware, such as Trojan:Win32/Tobfy.S.

Hijacks search engine results

The trojan can hijack and replace the search engine results when you use Internet Explorer.

To get the redirection URLs, the malware contacts a remote server with the search query and retrieves the redirection target.

Connects to a remote server

Trojan:Win32/Miuref.B connects to a remote server to retrieve redirection URLs and to report the following information:

  • Machine GUID
  • System volume serial number
  • Computer name

We have seen it connect to the following server:

  • 50.7.248.170

Analysis by Shawn Wang


Symptoms

The following could indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:
     
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: <random name>, for example, Arltworks
    With data: "regsvr32.exe <install path>", for example %LOCALAPPDATA%\Arltworks\MozSvcs64.dll
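The following Python script is an added triage example; it is not part of the Microsoft entry and not Microsoft's tooling. It checks the two indicators this entry gives for the Installation and Symptoms sections (a Run value that launches regsvr32.exe on a DLL under %LOCALAPPDATA%, and a sibling payload file with one of the .idx, .lck, .dat or .txt extensions next to that DLL) and the server listed under "Connects to a remote server". It assumes the analyst supplies a .reg export of the HKCU Run key, a file listing of the profile and proxy log lines in a simple whitespace-separated shape; the export, file listing and log lines below are constructed for the example, and the benign "OneDrive" and "Vendor" entries exist only to show that ordinary regsvr32 and AppData entries are not flagged.

```python
import re
from pathlib import PureWindowsPath

# Extensions Miuref.B tries when looking for its encrypted payload next to the DLL
PAYLOAD_EXTENSIONS = (".idx", ".lck", ".dat", ".txt")
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
MIUREF_SERVER = "50.7.248.170"  # the server listed in the entry above

# Constructed .reg export of the HKCU Run key. "Arltworks" mirrors the entry's
# example; "OneDrive" and "Vendor" are benign look-alikes that must not be flagged.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Arltworks"="regsvr32.exe %LOCALAPPDATA%\\Arltworks\\MozSvcs64.dll"
"Vendor"="regsvr32.exe /s \"C:\\Program Files\\Vendor\\helper.dll\""
'''

# Constructed directory listing standing in for a real file-system walk.
SAMPLE_FILES = {
    r"C:\Users\alice\AppData\Local\Arltworks\MozSvcs64.dll",
    r"C:\Users\alice\AppData\Local\Arltworks\MozSvcs64.idx",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Program Files\Vendor\helper.dll",
}

# Constructed proxy log lines: "<timestamp> <client-ip> <destination-ip> <port>".
SAMPLE_PROXY_LOG = [
    "2014-02-03T10:01:12Z 10.0.0.15 93.184.216.34 80",
    "2014-02-03T10:01:40Z 10.0.0.15 50.7.248.170 80",
    "2014-02-03T10:02:05Z 10.0.0.22 50.7.248.170 80",
]

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
_REGSVR_RE = re.compile(r'^\s*"?(?:.*\\)?regsvr32(?:\.exe)?"?\s+(.*)$', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: data} for the string values under the HKCU Run key."""
    values, in_run_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_run_key else None
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def regsvr32_dll_path(command):
    """If a Run value invokes regsvr32, return the DLL path it registers, else None."""
    m = _REGSVR_RE.match(command)
    if not m:
        return None
    # keep quoted or bare path tokens, drop switches such as /s or /i
    tokens = [t for t in re.findall(r'"[^"]+"|\S+', m.group(1)) if not t.startswith("/")]
    return " ".join(tokens).strip('"') or None


def is_under(path, directory):
    """Case-insensitive test that `path` lies below `directory` (Windows path rules)."""
    return PureWindowsPath(directory) in PureWindowsPath(path).parents


def triage_run_key(reg_text, local_appdata, present_files):
    """One finding per Run value that loads a DLL from %LOCALAPPDATA% via regsvr32,
    listing which of the Miuref.B sibling payload files are actually on disk."""
    present = {f.lower() for f in present_files}
    findings = []
    for name, data in parse_run_values(reg_text).items():
        dll = regsvr32_dll_path(data)
        if dll is None:
            continue
        dll = re.sub(r"%LOCALAPPDATA%", lambda _: local_appdata, dll, flags=re.IGNORECASE)
        if not is_under(dll, local_appdata):
            continue  # regsvr32 entries under Program Files are common and not this pattern
        candidates = [str(PureWindowsPath(dll).with_suffix(ext)) for ext in PAYLOAD_EXTENSIONS]
        findings.append({
            "value_name": name,
            "dll": dll,
            "payload_files_present": [c for c in candidates if c.lower() in present],
        })
    return findings


def find_server_contacts(log_lines, server=MIUREF_SERVER):
    """Client IPs that contacted the listed server, from proxy lines shaped like the sample."""
    return sorted({line.split()[1] for line in log_lines if line.split()[2] == server})


if __name__ == "__main__":
    for f in triage_run_key(SAMPLE_REG_EXPORT, r"C:\Users\alice\AppData\Local", SAMPLE_FILES):
        print(f)
    print(find_server_contacts(SAMPLE_PROXY_LOG))
```

On a real machine the export comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, the file listing from a walk of the user's profile, and the local AppData path from the user's own `%LOCALAPPDATA%`; a finding whose `payload_files_present` list is non-empty matches the full installation pattern described above, while a finding with an empty list still deserves a look at the DLL itself.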

Prevention


Alert level: Severe
First detected by definition: 1.165.2023.0
Latest detected by definition: 1.191.529.0 and higher
First detected on: Jan 16, 2014
This entry was first published on: Jan 30, 2014
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Trojan horse Pakes_c.AMES (AVG)
  • Gen:Variant.Kazy.317299 (BitDefender)
  • W32/Sefnit.CW!tr (Fortinet)