Win32/Rotbrow might be installed on your PC by other software. For example, we have seen Rotbrow installed alongside the clean program Babylon Toolbar by a variant of Win32/Brantall.
Win32/Rotbrow installs itself in a folder under <commonappdata>, for example:
The family consists of multiple components, whose file names vary from one version to another. We have seen variants use the following file names for the main component:
It might install itself as a Firefox extension with one of the following names:
"Browser Manager", Babylonmngr.xpi
In Chrome, it might use these names:
"Settings Protector", browsemngr.crx
"Settings Protector", spext.crx
In Internet Explorer, it might use this name:
"ProtectorBHO Class", kerberos_bho.dll
You might see it in the Manage Add-ons window in Internet Explorer:
It installs itself as a service so that it runs each time you start your PC.
It might use the service name bProtector with the description "Your browser protector service".
It might also create a scheduled task that runs once every minute to start this service if it has stopped.
Installs other files, including malware
Many instances of the main Win32/Rotbrow executable contain another executable in an encrypted resource, which they decrypt to the %TEMP% folder, for example %TEMP%\setup_fsu_cid.exe.
The trojan then runs setup_fsu_cid.exe, which is an installer for a program called FileScout.
In many cases, this installer also contains Win32/Sefnit, which it installs silently alongside FileScout.
Win32/Rotbrow hooks a number of APIs to:
- Prevent itself from being stopped or removed
- Prevent the "MindSpark Toolbar Platform IE Search Box Protector" from hooking functions in the current process
- Prevent OLE objects associated with a product named "SweetPacks" from being loaded
- Monitor registry and file system changes to prevent certain registry keys and files from being modified
AVG Safeguard Toolbar
Your browser's startup homepage preference is redirected to a different variable: the trojan replaces browser.startup.homepage with browser.startup.homepage.CT, so the homepage setting is read from the renamed key instead of the original one.
The trojan also supports the blacklisting and whitelisting of URLs and domains based on a remote configuration.
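As an added example that is not part of this write-up, the following read-only PowerShell triage script checks a host for the indicators described above. It assumes the scheduled task's action mentions the service name, and it uses the standard Firefox profile folder and Internet Explorer BHO registry locations, neither of which the write-up names.

```powershell
# Added example (not from the Win32/Rotbrow write-up): read-only triage for the
# indicators described above. File, service and class names come from the write-up;
# the Firefox profile path and BHO registry key are standard locations (assumed).
$findings = @()

# 1. Persistence: the bProtector service and a scheduled task that restarts it.
$svc = Get-Service -Name 'bProtector' -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service bProtector present (status: $($svc.Status))" }

# Assumption: the task's action references the service name in its command line.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'bProtector'
}
foreach ($t in $tasks) { $findings += "Scheduled task '$($t.TaskName)' references bProtector" }

# 2. Dropped installer and browser components named in the write-up.
$names = 'setup_fsu_cid.exe', 'Babylonmngr.xpi', 'browsemngr.crx', 'spext.crx', 'kerberos_bho.dll'
$roots = @($env:TEMP, $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA)
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File: $($_.FullName)" }
}

# 3. An Internet Explorer BHO whose class name is "ProtectorBHO Class".
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem -Path $bhoKey).PSChildName) {
        $cls = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
        if ($cls.'(default)' -eq 'ProtectorBHO Class') { $findings += "IE BHO $clsid = ProtectorBHO Class" }
    }
}

# 4. Firefox homepage preference renamed to browser.startup.homepage.CT.
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles" -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (Select-String -Path $_.FullName -Pattern 'browser\.startup\.homepage\.CT' -Quiet) {
            $findings += "Firefox prefs tampered: $($_.FullName)"
        }
    }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Win32/Rotbrow indicators found.' }
```

On 64-bit Windows the BHO check above only covers the native registry view; a 32-bit BHO would also appear under the Wow6432Node branch of the same key.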
Analysis by Hamish O'Dea