
BrowserModifier:Win32/Diplugem


First posted on 10 March 2019.
Source: Microsoft

Aliases:

There are no other names known for BrowserModifier:Win32/Diplugem.

Explanation:

Installation

This threat can create the following files on your PC:

An .exe file, for example 8e57610c-745e-de5b-8e57-7610c7458431\sound forge Audio studio 10.0 keygen.exe
A .dat file, for example 8e57610c-745e-de5b-8e57-7610c7458431\sound forge Audio studio 10.0 keygen.dat
A .dat file under %ProgramData%, for example %ProgramData%\Avira Browser Safety\Avira Browser Safety.dat
A .dll file under %ProgramData%, for example %ProgramData%\CutThePrice\dnwbF9wuEopox8.dll
A .tlb file under %ProgramData%, for example %ProgramData%\CutThePrice\dnwbF9wuEopox8.tlb
An .exe file under %ProgramData%, for example %ProgramData%\CCuttThEPrice\CCuttThEPrice.exe
A .x64.dll file under %ProgramData%, for example %ProgramData%\dnwbF9wuEopox8.x64.dll

The application name is usually related to discounts, sales, and advertisement blocking. For example, we have seen this threat using the following application names:

AllSaver
CutThePrice
PriceChop
SaverExtension
UniSales
YouTubeAdBlocker

It can also use misspelled versions of the above names, for example AlllSSavEr or SaverExtEonsiioon. We have also seen random application names, or names that imitate normal applications, such as:

8y1ONHho1IokJE
Attachment Icons for Gmail
dnwbF9wuEopox8
Enforceware
LiveWire
WebTop
Quick login tool

We have seen this threat create the following registry entries:

In subkey: HKCU\Software\WebAppStyles
Sets value: MaxScriptStatements
With data: dword:ffffffff

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
Sets value: (Default)
With data: "ITinyJSObject"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
Sets value: (Default)
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
Sets value: (Default)
With data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
Sets value: Version
With data: "1.0"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
Sets value: (Default)
With data: "JSIELib"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\win32
Sets value: (Default)
With data: a path to the copied executable under %TEMP%, for example "%TEMP%\E8aC3A04e199\temp\sound forge Audio studio 10.0 keygen.exe"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
Sets value: (Default)
With data: "0"

It creates the following scheduled task to run a copy of the malware:

Alternatively, it can add the following startup link:

A .lnk file, for example sound forge Audio studio 10.0 keygen.lnk

Behavior

Shows you online advertisements

This threat can inject additional advertisements into your web search results, for example:

In Bing:

In Google:

It can also show you extra advertisements as you browse the web, for example:

 

Installs a browser extension

This threat can install web browser extensions without asking for your consent. In Internet Explorer it also limits your ability to disable or remove the added browser extension. Below are examples of the extensions added by this threat:

Internet Explorer:

Google Chrome:

It creates uninstaller entries for the added browser extensions. It sets the installation date to one year in the past. An example is shown below:
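The files, registry entries, application names and uninstall entries described above can be swept for on a single host. The script below is an added example written for this page and is not code from Microsoft or from the write-up; the GUIDs, key names and application names are the ones listed above, while the per-user Uninstall hive location and the "looks like a misspelled known name" heuristic are assumptions of this example.

```powershell
# Added example, not part of the Microsoft write-up: a read-only sweep of the
# current user's hive and %ProgramData% for the artifacts listed above.
# GUIDs, key names and application names are the ones given in the write-up;
# the misspelling heuristic and the Uninstall location are assumptions here.

$InterfaceGuid = '{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}'   # ITinyJSObject
$TypeLibGuid   = '{157B1AA6-3E5C-404A-9118-C1D91F537040}'   # JSIELib
$KnownNames    = 'AllSaver','CutThePrice','PriceChop','SaverExtension','UniSales','YouTubeAdBlocker'

function Test-LooksLikeKnownName {
    # Heuristic (assumption of this example) for the padded/misspelled variants
    # the write-up mentions (AlllSSavEr, SaverExtEonsiioon): a known name must
    # appear as an ordered subsequence of the candidate, and the candidate may
    # be at most 50% longer than the name it resembles. Returns the matched name.
    param([string]$Candidate)
    $c = $Candidate.ToLowerInvariant()
    foreach ($known in $KnownNames) {
        $k = $known.ToLowerInvariant()
        if ($c.Length -gt [math]::Ceiling($k.Length * 1.5)) { continue }
        $i = 0
        foreach ($ch in $c.ToCharArray()) {
            if ($i -lt $k.Length -and $ch -eq $k[$i]) { $i++ }
        }
        if ($i -eq $k.Length) { return $known }
    }
    return $null
}

function Get-DiplugemFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Per-user COM registration of the interface and the type library.
    foreach ($key in @("HKCU:\Software\Classes\Interface\$InterfaceGuid",
                       "HKCU:\Software\Classes\TypeLib\$TypeLibGuid\1.0")) {
        if (Test-Path -LiteralPath $key) {
            $default = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            $findings.Add("registry: $key (default = '$default')")
        }
    }

    # 2. MaxScriptStatements forced to 0xFFFFFFFF under WebAppStyles. PowerShell
    #    reads REG_DWORD as a signed Int32, so 0xFFFFFFFF comes back as -1;
    #    masking to 32 bits makes the comparison independent of that.
    $max = (Get-ItemProperty -LiteralPath 'HKCU:\Software\WebAppStyles' -Name MaxScriptStatements -ErrorAction SilentlyContinue).MaxScriptStatements
    if ($null -ne $max -and (([int64]$max) -band 0xFFFFFFFF) -eq 0xFFFFFFFF) {
        $findings.Add('registry: HKCU\Software\WebAppStyles\MaxScriptStatements = 0xFFFFFFFF')
    }

    # 3. %ProgramData% folders named after the advertised applications (including
    #    misspelled variants) and loose .x64.dll files at the root or one level down.
    Get-ChildItem -LiteralPath $env:ProgramData -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $match = Test-LooksLikeKnownName -Candidate $_.Name
        if ($match) { $findings.Add("folder: $($_.FullName) resembles '$match'") }
    }
    Get-ChildItem -LiteralPath $env:ProgramData -Filter '*.x64.dll' -File -Recurse -Depth 1 -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("file: $($_.FullName)")
    }

    # 4. Uninstall entries registered under one of those names. The write-up says
    #    the InstallDate is set a year into the past, so it is reported but not trusted.
    $uninstall = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -LiteralPath $uninstall -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        if ($props.DisplayName -and (Test-LooksLikeKnownName -Candidate $props.DisplayName)) {
            $findings.Add("uninstall entry: '$($props.DisplayName)' InstallDate=$($props.InstallDate)")
        }
    }
    return ,$findings
}

Get-DiplugemFindings | ForEach-Object { Write-Output $_ }
```

The sweep only reads; nothing is deleted, so it is safe to run on a suspect host before deciding on cleanup. Running it in an unelevated session is deliberate, since every artifact in the write-up lives under HKCU or %ProgramData% and is visible without administrator rights.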

Modifies Google Chrome component files

We have also seen variants of this BrowserModifier modify the Chrome component file chrome.dll to load the file GoogleUpdateHelper.dll. This file installs/updates Google Chrome extensions and is detected as BrowserModifier:Win32/Diplugem.

It then disables Google Chrome updates to make sure the modified component file won't be restored or updated.
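Because chrome.dll ships Authenticode-signed, patching it on disk breaks the signature, which gives a defender a direct integrity check for the modification described above. The script below is an added example written for this page, not code from Microsoft or Google; the Chrome install locations it searches are the usual per-machine and per-user paths and are an assumption of the example, as the write-up does not list them.

```powershell
# Added example, not part of the Microsoft write-up: verifies that chrome.dll
# still carries an intact Authenticode signature and looks for a
# GoogleUpdateHelper.dll beside it. The install locations are assumed.

function Get-ChromeTamperFindings {
    $findings = New-Object System.Collections.Generic.List[string]
    # Usual Chrome locations (assumption): per-machine 64-bit, per-machine 32-bit, per-user.
    $bases = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }
    foreach ($base in $bases) {
        $app = Join-Path $base 'Google\Chrome\Application'
        if (-not (Test-Path -LiteralPath $app)) { continue }
        # chrome.dll lives in a version-numbered subfolder of Application.
        Get-ChildItem -LiteralPath $app -Directory | ForEach-Object {
            $dll = Join-Path $_.FullName 'chrome.dll'
            if (Test-Path -LiteralPath $dll) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                # A binary patched on disk no longer hashes to what its signature
                # covers, so Status becomes HashMismatch (or NotSigned if the
                # signature block was stripped along with the patch).
                if ($sig.Status -ne 'Valid') {
                    $findings.Add("$dll signature status: $($sig.Status)")
                } elseif ($sig.SignerCertificate.Subject -notmatch 'Google') {
                    $findings.Add("$dll signed by unexpected subject: $($sig.SignerCertificate.Subject)")
                }
            }
            # The write-up names GoogleUpdateHelper.dll as the file the patched
            # chrome.dll loads; it is not part of a normal Chrome install.
            $helper = Join-Path $_.FullName 'GoogleUpdateHelper.dll'
            if (Test-Path -LiteralPath $helper) {
                $findings.Add("unexpected helper present: $helper")
            }
        }
    }
    return ,$findings
}

Get-ChromeTamperFindings | ForEach-Object { Write-Output $_ }
```

An empty result means the signatures verified and no helper DLL was found in the version folders searched; a HashMismatch on chrome.dll is the expected symptom of the modification this section describes, and the remedy is a clean reinstall of Chrome rather than re-enabling updates alone.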

Analysis by James Dee 

Last update 10 March 2019

 
