
BrowserModifier:Win32/BrowserGuardian


First posted on 27 June 2014.
Source: Microsoft

Aliases:

There are no other names known for BrowserModifier:Win32/BrowserGuardian.

Explanation:

Threat behavior

This program displays ads to you as you browse the internet. The program also changes some settings in Internet Explorer and Chrome that you can't change back yourself.

Installation

The program can be downloaded from www.browserguardian.com.



The program may also get installed as an update to one of the following programs during a scheduled task update:

  • Atomic Savings
  • Deals Plugin
  • Discount Dragon
  • Savings Addon
  • Savings Hen
  • Solid Savings


The update might look like this:



The program creates the following folders and installs its various components there:

  • %ProgramFiles%\Bench - this is where the proxy is stored
  • %LOCALAPPDATA%\BenchUpdater - this is where the updater is stored


The main components are put in the following folders in %LOCALAPPDATA%:

  • Atomic Savings
  • Browser Guardian
  • Deals Plugin
  • Discount Dragon
  • Savings Addon
  • Savings Hen
  • Solid Savings


The Chrome extension is put in the following folders:

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\bhdflnkpmknladghofdlcpjjbmniegkn
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\epcaecmamppaanbcebonhemckaapciho
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\fickfgcleonkfojnjddoccbkaliaobcf
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\nikdaiaidiiiogaidkkekcmokcgcdeac
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ojbalidmphhoopheigckkcpldegcohhe
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\pmicfehfblhebdfbhfgmmfcaikafckac


It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Sets value: "BService"
With data: "%ProgramFiles%\Bench\BService\bservice.exe"

Sets value: "Bench Communicator Watcher"
With data: "%ProgramFiles%\Bench\Proxy\pwdg.exe"

Sets value: "Bench Settings Cleaner"
With data: "%ProgramFiles%\Bench\Proxy\cl.exe"

Sets value: "Wd"
With data: "%ProgramFiles%\Bench\Wd\wd.exe"

It also creates these registry entries, where it stores the location of the uninstaller for the program:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\32910_Solid Savings
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\38959_Savings Hen
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\38900_Discount Dragon
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\38922_Deals Plugin
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\38997_Browser Guardian
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\21426_Savings Addon
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\38904_Atomic Savings
  • HKLM\SOFTWARE\Proxy\Installations\Solid Saving
  • HKLM\SOFTWARE\Solid Savings


It uses the following icons for its files:



Behavior


Displays ads

The app shows ads in your Internet browser. The ads appear in a few different ways.

Banner ads:



Hoverlink ads that appear to "pop up" when you mouse over a link:



Ads that appear along the side of the page:



Ads that appear as part of the page:





Changes Internet settings

The program installs a local proxy and routes your Internet traffic through it. This allows it to retrieve ads related to which sites you are visiting.

It changes the registry to install the proxy:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Sets value: "AutoConfigURL"
With data: ""

Sets value: "ProxyEnable"
With data: "dword:00000001"

Sets value: "ProxyServer"
With data: "http=127.0.0.1:3128"

Sets value: "ProxySettingsPerUser"
With data: "dword:00000000"
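As an added example (not part of the Microsoft write-up), the following read-only PowerShell triage script checks a Windows machine for the Run-key persistence entries and the forced proxy settings listed above, and for Chrome extensions that were forced in by policy. The ExtensionInstallForcelist key is Chrome's standard forced-install policy location and is not quoted on the page; that this program registers its extensions there is an assumption, and the six extension IDs are taken from the folder list above.

```powershell
# Added example, not code from the write-up. Reads the registry only; run it in an
# elevated PowerShell prompt on the suspect machine and review the findings.
$findings = @()
$meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # provider props to skip

# 1. Run-key persistence: any value whose command line points into the Bench folder.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        if ("$($p.Value)" -match '\\Bench\\') {
            $findings += "Run value '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. Proxy forced to a local listener. ProxySettingsPerUser = 0 makes the HKLM proxy
#    settings apply to every user, which is why IE greys out the connection dialog.
$inetKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet) {
    if ($inet.ProxyEnable -eq 1 -and "$($inet.ProxyServer)" -match '127\.0\.0\.1:3128') {
        $findings += "Internet Settings: ProxyEnable=1, ProxyServer=$($inet.ProxyServer)"
    }
    if ($inet.ProxySettingsPerUser -eq 0) {
        $findings += "Internet Settings: ProxySettingsPerUser=0 (proxy enforced machine-wide)"
    }
}

# 3. Chrome extensions forced in by policy ("Installed by enterprise policy"). Assumption:
#    the extension IDs from the write-up appear in Chrome's ExtensionInstallForcelist.
$knownIds = 'bhdflnkpmknladghofdlcpjjbmniegkn','epcaecmamppaanbcebonhemckaapciho',
            'fickfgcleonkfojnjddoccbkaliaobcf','nikdaiaidiiiogaidkkekcmokcgcdeac',
            'ojbalidmphhoopheigckkcpldegcohhe','pmicfehfblhebdfbhfgmmfcaikafckac'
$policyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy) {
    foreach ($p in $policy.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $id = ("$($p.Value)" -split ';')[0]        # entries have the form "<id>;<update url>"
        if ($knownIds -contains $id) { $findings += "Forced Chrome extension: $id" }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No BrowserGuardian indicators found in the checked keys.' }
```

Any hit in section 2 or 3 should be followed by checking the scheduled task and the %ProgramFiles%\Bench and %LOCALAPPDATA% folders named in this entry before removal.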


In Internet Explorer, control of the proxy settings has been removed. Notice the greyed-out dialog and the notification "Some settings are managed by your system administrator."



In Chrome, the program disables the ability to remove extensions. Notice the phrase "Installed by enterprise policy." in the screenshot:



Sets automatic updates

The app creates a scheduled task, which looks for an update every 4 hours:





Analysis by Michael Johnson

Symptoms

Standard symptoms

The following could indicate that you have this program on your PC:

  • You can't disable extensions in Chrome
  • You see ads that you didn't see before
  • You see the following icons on your PC:

Last update 27 June 2014
