BrowserModifier:Win32/Smudplu
First posted on 24 November 2015.
Source: Microsoft
Aliases:
There are no other names known for BrowserModifier:Win32/Smudplu.
Explanation:
Threat behavior
Installation
This browser modifier can be installed on your PC when you download other software from third-party websites. It can install the following file on your PC:
- %CommonProgramFiles%\Goobzo\GBUpdatePlus\smci64.dll
The malware can also create the following registry entries:
In subkey: HKLM\SYSTEM\CurrentControlSet\services\SMUpdPlus
Sets value: "Search Module Plus Update"
With data: "%CommonProgramFiles%\Goobzo\GBUpdatePlus\smu.exe /service"
In subkey: HKLM\SYSTEM\CurrentControlSet\services\SMUpdd
Sets value: "Search Module Plus UpdateD"
With data: "%CommonProgramFiles%\Goobzo\GBUpdatePlus\smw.sys"
It creates the following scheduled task:
- SMW_UpdateTask_Time_323234393733303630372d3437415a556c2a3223346c41
Behavior
Changes your default search provider
This program injects a DLL into your web browser to change the default search provider without adequate consent.
We have seen it inject smci32.dll into 32-bit browser processes, and smci64.dll into 64-bit browser processes.
It can change the search provider in the following web browsers:
- Internet Explorer
- Google Chrome
Find out more about how and why we identify unwanted software.
Analysis by Hamish O'Dea
Symptoms
The following can indicate that you have this threat on your PC:
- Your default search provider has changed
- You have this file:
  - %CommonProgramFiles%\Goobzo\GBUpdatePlus\smci64.dll
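The file, service keys and scheduled task listed on this page can be checked on a host with a read-only PowerShell sweep. This is an added example, not Microsoft's tooling. It assumes that the 32-bit Common Files directory is also worth checking, that smci32.dll sits beside smci64.dll, and that the scheduled task's suffix may differ between machines.

```powershell
# Read-only sweep for the BrowserModifier:Win32/Smudplu indicators described above.
# Run from an elevated PowerShell 4+ prompt; nothing is modified or removed.

$dirName    = 'Goobzo\GBUpdatePlus'
# smci64.dll, smu.exe and smw.sys appear with this directory on the page.
# Assumption: smci32.dll (named only as an injected DLL) is stored in the same place.
$fileNames  = 'smci64.dll', 'smci32.dll', 'smu.exe', 'smw.sys'
$services   = 'SMUpdPlus', 'SMUpdd'
# Assumption: the long suffix of the task name may vary, so match on the prefix only.
$taskPrefix = 'SMW_UpdateTask_Time_'

# Assumption: on 64-bit Windows also look under the 32-bit Common Files directory.
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$findings = @()

foreach ($root in $roots) {
    foreach ($name in $fileNames) {
        $path = Join-Path (Join-Path $root $dirName) $name
        if (Test-Path -LiteralPath $path) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'File'; Indicator = $path; Detail = $hash }
        }
    }
}

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        # ImagePath is the standard service value holding the binary path; may be empty.
        $image = (Get-ItemProperty -LiteralPath $key).ImagePath
        $findings += [pscustomobject]@{ Type = 'ServiceKey'; Indicator = $key; Detail = $image }
    }
}

# Get-ScheduledTask is available on Windows 8 / Server 2012 and later.
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like "$taskPrefix*" }
foreach ($task in $tasks) {
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Indicator = $task.TaskName; Detail = $task.TaskPath }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Smudplu indicators from this page were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result only means these specific artifacts are absent; the changed default search provider listed under Symptoms still needs to be checked in the browser settings.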
Last update 24 November 2015