Installation
This threat copies itself to %APPDATA%\chromeupdate.exe.
It creates the following registry entry so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "ChromeUpdate"
With data: "%APPDATA%\chromeupdate.exe"
It checks whether it is running on a system with a 64-bit processor. If so, it will drop an additional file to the %TEMP% folder with a randomly generated file name (for example, 4C77.tmp). It will then run the file, which can be detected as TrojanClicker:Win64.Fleercivet.A.
It injects additional code in iexplore.exe (Internet Explorer).
On other systems, it will inject code in explorer.exe and in one of the following processes, depending on the version of Windows that is running:
- explorer.exe
- svchost.exe
- dwm.exe
- taskhostex.exe
It also starts a hidden iexplore.exe process, where it injects more code.
It can also write encrypted data to the files in:
Payload
Clicks on advertisements
The malware starts an invisible Internet Explorer process and contacts a server which responds with a list of URLs to visit.
Examples of servers include the following:
It then sends clicks to the listed URLs to generate advertising revenue. It might attempt to mute the sound for the browser process so that any audio content of the visited sites is not heard.
Changes browser settings
This threat tries to change various settings, including your start page, for various web browsers, including Firefox and Opera.
| Browser | Overwrites | With the following |
| --- | --- | --- |
| Mozilla | localstore.rdf | <?xml version="1.0"?><RDF:RDF xmlns:NC="http://home.netscape.com/NC-rdf#" xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><RDF:Description RDF:about="chrome://browser/content/browser.xul#toolbar-menubar" autohide="false" /><RDF:Description RDF:about="chrome://browser/content/browser.xul"><NC:persist RDF:resource="chrome://browser/content/browser.xul#main-window"/><NC:persist RDF:resource="chrome://browser/content/browser.xul#sidebar-box"/><NC:persist RDF:resource="chrome://browser/content/browser.xul#sidebar-title"/><NC:persist RDF:resource="chrome://browser/content/browser.xul#toolbar-menubar"/></RDF:Description></RDF:RDF> |
| | pref.js | # Mozilla User Preferences user_pref("app.update.auto", false); user_pref("app.update.enabled", false); user_pref("browser.shell.checkDefaultBrowser", false); user_pref("extensions.shownSelectionUI", false); user_pref("extensions.update.notifyUser", false); user_pref("extensions.update.autoUpdate", false); user_pref("browser.rights.3.shown", true); user_pref("toolkit.telemetry.prompted", 2); user_pref("toolkit.telemetry.rejected", true); user_pref("gfx.direct2d.disabled", true); user_pref("browser.startup.homepage_override.mstone", "ignore"); user_pref("browser.startup.homepage", "<homepage specified by the malware>"); |
| Opera | operaprefs.ini | First Run Timestamp=1300000000 [State] Total Uptime=100 Run=0 [User Prefs] Enable Hardware Acceleration=0 Enable Usage Statistics=0 Show Startup Dialog=0 Startup Type=2 Ignore Unrequested Popups=1 Show Default Browser Dialog=0 Preferences Version=6 Home URL=<homepage specified by the malware> |
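The preference clusters above are what a responder would look for when triaging a browser profile. The following is an added detection helper, not code from the original page: it parses a Firefox pref.js and an Opera operaprefs.ini and reports how many of the settings listed above are present together, plus the homepage the profile would now open. The sample profile contents and the threshold of four matches are constructed assumptions for this example.

```python
import re
# Settings the page lists the malware writing; several together (not one key) is the signal.
FIREFOX_MARKERS = {"app.update.auto": "false", "app.update.enabled": "false",
                   "browser.shell.checkDefaultBrowser": "false", "extensions.update.autoUpdate": "false",
                   "toolkit.telemetry.rejected": "true",
                   "browser.startup.homepage_override.mstone": '"ignore"'}
OPERA_MARKERS = {"Enable Usage Statistics": "0", "Show Startup Dialog": "0", "Startup Type": "2",
                 "Show Default Browser Dialog": "0", "Ignore Unrequested Popups": "1"}
USER_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs_js(text):
    """Map pref name -> raw value for every user_pref() call in a prefs.js."""
    return {m.group(1): m.group(2).strip() for m in USER_PREF_RE.finditer(text)}

def parse_opera_ini(text):
    """Minimal INI reader mapping 'Section/Key' -> value (keys before any section: '/Key')."""
    section, out = "", {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            out[section + "/" + key.strip()] = value.strip()
    return out

def check_firefox(text, threshold=4):
    # Report matched marker prefs plus the homepage the profile would now open.
    prefs = parse_prefs_js(text)
    matched = sorted(k for k, v in FIREFOX_MARKERS.items() if prefs.get(k) == v)
    return {"suspicious": len(matched) >= threshold, "matched": matched,
            "homepage": prefs.get("browser.startup.homepage")}

def check_opera(text, threshold=4):
    # Same check for operaprefs.ini; the page's keys sit under [User Prefs].
    prefs = parse_opera_ini(text)
    matched = sorted(k for k, v in OPERA_MARKERS.items() if prefs.get("User Prefs/" + k) == v)
    return {"suspicious": len(matched) >= threshold, "matched": matched,
            "homepage": prefs.get("User Prefs/Home URL")}

# Constructed samples shaped like the page's listings (not from a real infection).
SAMPLE_PREFS_JS = ('# Mozilla User Preferences\nuser_pref("app.update.auto", false);\n'
                   'user_pref("app.update.enabled", false);\n'
                   'user_pref("extensions.update.autoUpdate", false);\n'
                   'user_pref("toolkit.telemetry.rejected", true);\n'
                   'user_pref("browser.startup.homepage", "http://example.invalid/");\n')
SAMPLE_OPERA_INI = ("[State]\nFirst Run Timestamp=1300000000\nRun=0\n[User Prefs]\n"
                    "Enable Usage Statistics=0\nShow Startup Dialog=0\nStartup Type=2\n"
                    "Show Default Browser Dialog=0\nHome URL=http://example.invalid/\n")
```

A single disabled-update preference is common in managed environments, so the check reports the whole cluster and the resulting homepage rather than alerting on any one key.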
Stops processes
The malware periodically tries to stop the following processes:
- ctfmon.exe
- msdt.exe (Microsoft Support Diagnostic Tool)
Contacts remote hosts
The malware collects data about the affected system, encrypts it, then sends it to a remote server, such as 95.211.73.249. The data collected can include:
- Country where the infected system is located (it obtains this information by contacting a web server at telize.com)
- PC name
- IP address
- Operating system version
- Operating system install date
- Current system time
- Processor type (64-bit or 32-bit)
The malware typically does this to:
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
It requests data from a number of remote servers, which can include the following:
- 176.102.38.69
- 176.102.38.72
- 95.211.73.249
It saves the data it receives to <commonappdata>\@system.att, and copies this file to <commonappdata>\@system2.att.
Downloads and runs files
The malware might periodically try to download a file from a location such as 176.102.38.72. It saves the file to the %TEMP% folder with a random file name (for example, 53C2.tmp), and then runs the file.
It also requests data from remote servers. Sample locations include:
- 176.102.38.69
- 176.102.38.72
- fdsifidsfjannqnnqww.com