
BrowserModifier:Win32/Kerlofost


First posted on 10 July 2009.
Source: SecurityHome

Aliases:

BrowserModifier:Win32/Kerlofost is also known as not-a-virus:AdWare.Win32.Reklosoft (other), Mal/Inet-Fam (Sophos).

Explanation:

BrowserModifier:Win32/Kerlofost is the detection for a DLL file embedded in various programs and registered as a BHO (Browser Helper Object). It may modify browsing behavior, redirect searches, report user statistics, behavior, and searches back to a remote server, and display pop-up advertisements.

Symptoms

System Changes

The following system changes may indicate the presence of BrowserModifier:Win32/Kerlofost:

  • The presence of the following file:
    <system folder>\3rs23562.dll
  • The presence of the following registry subkeys:
    HKCR\CLSID\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5}
    HKCR\CLSID\{FFFFE708-B832-42F1-BAFF-247753B5E452}
    HKCR\TypeLib\{2552632F-867D-4052-B836-7F83A5302534}
    HKCR\Interface\{E743CF05-181C-4D72-B4EE-95435ED4B86B}
    HKCR\Interface\{F1287389-B2FE-4315-8484-540B2033646D}
    HKCR\AppID
    s_adw.DLL
    HKCR\AppID\{D96FA298-1BB6-47FC-AD21-72781B744DC3}
    HKCR\Reklosoft_adw.Helper_Bar
    HKCR
    s_adw.Helper_bho
    HKLM\Microsoft\Internet Explorer\Explorer Bars\{FFFFE708-B832-42F1-BAFF-247753B5E452}
    HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5}


Technical Information

BrowserModifier:Win32/Kerlofost is usually installed in the system as '<system folder>\3rs23562.dll'. It may arrive as a DLL component of a program; one such program is "Shot it".

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

When installed, BrowserModifier:Win32/Kerlofost is registered as a BHO (Browser Helper Object) by the creation of the following subkeys:

    HKCR\CLSID\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5}
    HKCR\CLSID\{FFFFE708-B832-42F1-BAFF-247753B5E452}
    HKCR\TypeLib\{2552632F-867D-4052-B836-7F83A5302534}
    HKCR\Interface\{E743CF05-181C-4D72-B4EE-95435ED4B86B}
    HKCR\Interface\{F1287389-B2FE-4315-8484-540B2033646D}
    HKCR\AppID
    s_adw.DLL
    HKCR\AppID\{D96FA298-1BB6-47FC-AD21-72781B744DC3}
    HKCR\Reklosoft_adw.Helper_Bar
    HKCR
    s_adw.Helper_bho
    HKLM\Microsoft\Internet Explorer\Explorer Bars\{FFFFE708-B832-42F1-BAFF-247753B5E452}
    HKLM\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5}

BrowserModifier:Win32/Kerlofost may connect to the Web site 'reklosoft.ru' to report user statistics, behavior, and searches. It may also download updates of itself from this site. It may display pop-up advertisements, based on the user's keyword searches, from the subdomain 'adv.reklosoft.ru'.
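The write-up's persistence mechanism is ordinary COM registration: Internet Explorer loads every CLSID listed under the "Browser Helper Objects" and "Explorer Bars" keys, and each CLSID's InprocServer32 value names the DLL that gets loaded. The following PowerShell script is an added, read-only triage example (it is not part of the SecurityHome/Microsoft entry). It enumerates those registration points, resolves each CLSID to its DLL, and flags the two CLSIDs and the file name given above. Assumptions: the registration keys live under HKLM\SOFTWARE (the entry abbreviates the path), the WOW6432Node views are also checked for 32-bit add-ons on 64-bit Windows, and the function name Resolve-ClsidServer is the author's own.

```powershell
# Added triage example; not code from the malware entry. Read-only: it never
# modifies the registry. Run in an elevated PowerShell session on the host.

# Indicators copied from the write-up above.
$KnownClsids = @(
    '{71E59D37-D7FC-4ED6-BC1D-D13BE02FE6C5}',   # BHO CLSID
    '{FFFFE708-B832-42F1-BAFF-247753B5E452}'    # Explorer Bar CLSID
)
$KnownDll = '3rs23562.dll'

# Registration points Internet Explorer consults when loading add-ons.
# Assumption: full HKLM\SOFTWARE paths; WOW6432Node covers 32-bit add-ons on x64.
$RegistrationPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Explorer Bars'
)

function Resolve-ClsidServer {
    # Hypothetical helper name. Returns the DLL path recorded in the CLSID's
    # InprocServer32 default value, checking the native and WOW6432Node views.
    param([string]$Clsid)
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                      'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -Path $key) {
            return (Get-ItemProperty -Path $key).'(default)'
        }
    }
    return $null
}

$findings = foreach ($path in $RegistrationPaths) {
    if (-not (Test-Path -Path $path)) { continue }
    foreach ($sub in Get-ChildItem -Path $path) {
        $clsid = $sub.PSChildName
        $dll   = Resolve-ClsidServer -Clsid $clsid
        $flags = @()
        if ($KnownClsids -contains $clsid) { $flags += 'known Kerlofost CLSID' }
        if ($dll -and ($dll -like "*\$KnownDll")) { $flags += 'known Kerlofost DLL name' }
        # A registered server that no longer exists on disk is worth a look too:
        # it usually means a partial removal or a renamed payload.
        if ($dll -and -not (Test-Path -LiteralPath $dll)) { $flags += 'registered DLL missing on disk' }
        [pscustomobject]@{
            RegisteredUnder = $path
            CLSID           = $clsid
            Dll             = $dll
            Flags           = ($flags -join '; ')
        }
    }
}

# Full inventory first, then only the entries that tripped an indicator.
$findings | Format-Table -AutoSize
$findings | Where-Object Flags | ForEach-Object {
    Write-Warning "$($_.CLSID) -> $($_.Dll): $($_.Flags)"
}
```

The inventory is the useful part even when no indicator matches: every BHO or Explorer Bar on the host is listed with the DLL it will load, so an unfamiliar CLSID pointing into a user-writable folder stands out. The script does not touch the HKCR\Interface, TypeLib or AppID keys from the write-up; those are supporting COM metadata and do not by themselves cause a DLL to load.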

Analysis by Patrik Vicol

Last update 10 July 2009
