BrowserModifier:Win32/Foxiebro


First posted on 18 February 2017.
Source: Microsoft

Aliases:

There are no other names known for BrowserModifier:Win32/Foxiebro.

Explanation:

Installation


This threat may be installed as any of several programs, including:

  • AdvanceMark
  • AppBud
  • Between Lines
  • BrowseFox
  • DoughGo
  • Fragile Fixer
  • GrooveDock
  • Hold Page
  • Jotzey
  • KingBrowse
  • Metal Maker
  • nettock
  • Newer Version
  • Primary Result
  • ResultsBay
  • Screen Flip
  • Search Vortex
  • Special Box
  • TowerTilt
  • Web Amplified
  • wiseenhance


The original write-up shows screenshots of sample installation dialog boxes at this point.


It adds its files under %ProgramFiles% in a folder named after the program it was installed as. For example:

%ProgramFiles%\BrowseFox

It adds registry entries as part of its installation. For example:

In subkey: HKEY_CURRENT_USER\Software\BrowseFox
Sets value: "is"
With data: "def_BrowseFox"

In subkey: HKEY_CURRENT_USER\Software\BrowseFox
Sets value: "iid"
With data: "def_BrowseFox"

In subkey: HKEY_CURRENT_USER\Software\BrowseFox
Sets value: "id"
With data: "2016-10-13 22:59:49"

In subkey: HKEY_CURRENT_USER\Software\BrowseFox\Chrome
Sets value: "ug"
With data: "8AA62582-14DB-4C6B-A802-02E538E343D2"

In subkey: HKEY_CURRENT_USER\Software\BrowseFox\Firefox
Sets value: "ug"
With data: "3388BDA9-DA3C-4D82-967C-056CC6C15F8A"

In subkey: HKEY_CURRENT_USER\Software\BrowseFox\Internet Explorer
Sets value: "ug"
With data: "13A3BF52-2EFB-46B8-87FF-EBD39C0EBE54"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\BrowseFox

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\BrowseFox\Chrome
Sets value: "sgc"
With data: "false"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\BrowseFox\Firefox
Sets value: "sff"
With data: "false"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\BrowseFox\Internet Explorer
Sets value: "sie"
With data: "false"

It adds an extension to browsers, including Firefox, Google Chrome, and Microsoft Internet Explorer. In Internet Explorer the extension is a Browser Helper Object (BHO) registered under the product name, for example "BrowseFox" (the original write-up shows a screenshot at this point).

It registers the BHO by creating the COM class, type library and interface keys for the DLL, then listing the class ID under the Browser Helper Objects key:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}
Sets value: @
With data: "BrowseFox"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}\InprocServer32
Sets value: @
With data: "C:\Program Files\BrowseFox\BrowseFoxBHO.dll"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}\InprocServer32
Sets value: "ThreadingModel"
With data: "Apartment"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}\Programmable

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}\TypeLib
Sets value: @
With data: "{2e8378af-49ad-4a72-bb4b-830b9153d011}"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}\Version
Sets value: @
With data: "1.0"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2E8378AF-49AD-4A72-BB4B-830B9153D011}

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2E8378AF-49AD-4A72-BB4B-830B9153D011}\1.0
Sets value: @
With data: "BrowseFoxIEClientLib"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2E8378AF-49AD-4A72-BB4B-830B9153D011}\1.0\0

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2E8378AF-49AD-4A72-BB4B-830B9153D011}\1.0\0\win32
Sets value: @
With data: "C:\Program Files\BrowseFox\BrowseFoxBHO.dll"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2E8378AF-49AD-4A72-BB4B-830B9153D011}\1.0\FLAGS
Sets value: @
With data: "0"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{2E8378AF-49AD-4A72-BB4B-830B9153D011}\1.0\HELPDIR
Sets value: @
With data: "C:\Program Files\BrowseFox"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB9817CA-9B43-41EB-8706-44847957338D}
Sets value: @
With data: "IBrowseFoxBHO"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB9817CA-9B43-41EB-8706-44847957338D}\ProxyStubClsid
Sets value: @
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB9817CA-9B43-41EB-8706-44847957338D}\ProxyStubClsid32
Sets value: @
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB9817CA-9B43-41EB-8706-44847957338D}\TypeLib
Sets value: @
With data: "{2E8378AF-49AD-4A72-BB4B-830B9153D011}"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BB9817CA-9B43-41EB-8706-44847957338D}\TypeLib
Sets value: "Version"
With data: "1.0"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9507101-e464-4b3b-a4cb-291aaedd94f2}
Sets value: @
With data: "BrowseFox"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9507101-e464-4b3b-a4cb-291aaedd94f2}
Sets value: "NoExplorer"
With data: dword:00000001
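The BHO registration above is a chain of three lookups: the class ID listed under Browser Helper Objects names a COM class, and that class's InprocServer32 default value is the DLL Internet Explorer will load. The following added example (not part of the Microsoft write-up) walks that chain over a .reg export. The export text is constructed from the entries listed on this page; the parser only handles the single-line string, dword: and hex: value syntaxes that appear here, not multi-line hex continuations.

```python
"""Resolve Internet Explorer BHO registrations in a .reg export to the DLL they load."""

# Constructed sample: the BrowseFox BHO keys listed on this page, in Regedit export syntax
# (inside .reg string values a backslash is written as a double backslash).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}]
@="BrowseFox"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9507101-e464-4b3b-a4cb-291aaedd94f2}\InprocServer32]
@="C:\\Program Files\\BrowseFox\\BrowseFoxBHO.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b9507101-e464-4b3b-a4cb-291aaedd94f2}]
@="BrowseFox"
"NoExplorer"=dword:00000001
"""

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"


def decode_value(data):
    """Decode the three value syntaxes this page uses: quoted string, dword:hex and hex:aa,bb,..."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex:"):
        return bytes(int(b, 16) for b in data[len("hex:"):].split(","))
    return data


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; "@" is the default value.
    Multi-line hex values (trailing backslash continuations) are not handled."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current]["@" if name == "@" else name.strip('"')] = decode_value(data)
    return keys


def lookup(keys, path):
    """Registry paths are case-insensitive, so compare them that way."""
    want = path.lower()
    for key, values in keys.items():
        if key.lower() == want:
            return values
    return {}


def resolve_bhos(keys):
    """For every CLSID listed under Browser Helper Objects, find the COM class it names
    and the in-process DLL Internet Explorer will load for it."""
    found = []
    prefix = BHO_ROOT.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        clsid = path[len(prefix):]
        found.append({
            "clsid": clsid,
            "name": lookup(keys, f"{CLSID_ROOT}\\{clsid}").get("@", ""),
            "dll": lookup(keys, f"{CLSID_ROOT}\\{clsid}\\InprocServer32").get("@"),
            # NoExplorer=1 keeps the BHO out of explorer.exe; it still loads into iexplore.exe.
            "no_explorer": values.get("NoExplorer") == 1,
        })
    return found


if __name__ == "__main__":
    for bho in resolve_bhos(parse_reg(SAMPLE_REG)):
        print(bho)
```

Run against a real export (`reg export HKLM\SOFTWARE out.reg` on the host, or a hive export from an image), the same chain turns every listed CLSID into a DLL path that can be hashed and checked for a signature; a BHO whose DLL sits under a freshly created %ProgramFiles% folder, as here, is the one to look at first.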

It adds a service that runs automatically at startup (Start = 2, SERVICE_AUTO_START) under the LocalSystem account. The service cannot be stopped (the original write-up shows a screenshot at this point).

It does this by creating the following registry entries:

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "Type"
With data: dword:00000010

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "Start"
With data: dword:00000002

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "ErrorControl"
With data: dword:00000001

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "ImagePath"
With data: "C:\Program Files\BrowseFox\updateBrowseFox.exe"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "DisplayName"
With data: "Update BrowseFox"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "ObjectName"
With data: "LocalSystem"

In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Update BrowseFox
Sets value: "FailureActions"
With data: hex:0a,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00
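The numeric service values above are easier to reason about once decoded. The following added example (not part of the Microsoft write-up) maps Type, Start and ErrorControl to their Service Control Manager constants and unpacks the FailureActions blob, which is a SERVICE_FAILURE_ACTIONS structure with its pointer fields stored as offsets into the blob (the 0x14 at offset 16 points just past the 20-byte header, which is what that layout predicts). The sample values are constructed from the entries listed on this page.

```python
"""Decode the service registry values recorded for the "Update BrowseFox" service."""
import struct

# Constructed sample built from the values listed on this page.
SAMPLE_SERVICE = {
    "Type": 0x10,
    "Start": 2,
    "ErrorControl": 1,
    "ImagePath": r"C:\Program Files\BrowseFox\updateBrowseFox.exe",
    "ObjectName": "LocalSystem",
    "FailureActions": "0a,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,00,"
                      "01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00,01,00,00,00,88,13,00,00",
}

SERVICE_TYPES = {0x01: "SERVICE_KERNEL_DRIVER", 0x02: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x10: "SERVICE_WIN32_OWN_PROCESS", 0x20: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROLS = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL",
                  2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
SC_ACTIONS = {0: "SC_ACTION_NONE", 1: "SC_ACTION_RESTART",
              2: "SC_ACTION_REBOOT", 3: "SC_ACTION_RUN_COMMAND"}


def reg_hex_to_bytes(text):
    """Turn Regedit's comma-separated hex payload (without the hex: prefix) into bytes."""
    return bytes(int(b, 16) for b in text.split(","))


def decode_failure_actions(blob):
    """Decode a FailureActions blob: dwResetPeriod, lpRebootMsg, lpCommand, cActions,
    lpsaActions as five little-endian uint32 (the lp* fields are offsets into the blob),
    followed by cActions SC_ACTION pairs of (Type, Delay in milliseconds)."""
    reset_period, reboot_msg_off, command_off, count, actions_off = struct.unpack_from("<5I", blob, 0)
    if actions_off + 8 * count > len(blob):
        raise ValueError("truncated FailureActions blob")
    actions = [
        (SC_ACTIONS.get(kind, f"unknown({kind})"), delay_ms)
        for kind, delay_ms in struct.iter_unpack("<2I", blob[actions_off:actions_off + 8 * count])
    ]
    return {
        "reset_period_s": reset_period,
        "has_reboot_message": reboot_msg_off != 0,
        "has_command": command_off != 0,
        "actions": actions,
        "restarts_on_failure": any(kind == "SC_ACTION_RESTART" for kind, _ in actions),
    }


def describe_service(values):
    """Translate the numeric service values into the SCM constants they stand for."""
    return {
        "type": SERVICE_TYPES.get(values["Type"], hex(values["Type"])),
        "start": START_TYPES.get(values["Start"], str(values["Start"])),
        "error_control": ERROR_CONTROLS.get(values["ErrorControl"], str(values["ErrorControl"])),
        "runs_as": values["ObjectName"],
        "image": values["ImagePath"],
        "failure": decode_failure_actions(reg_hex_to_bytes(values["FailureActions"])),
    }


if __name__ == "__main__":
    for field, value in describe_service(SAMPLE_SERVICE).items():
        print(f"{field}: {value}")
```

Decoded, the blob says: restart the service 5000 ms after each of its first three failures, and reset the failure count after 10 seconds without one. That is the same configuration `sc failure "Update BrowseFox" reset= 10 actions= restart/5000/restart/5000/restart/5000` would produce. Failure actions fire on abnormal termination rather than on an orderly stop, so they explain the self-restart behaviour but not by themselves why the service cannot be stopped; a service that refuses stop requests does so by not accepting the SERVICE_CONTROL_STOP control, which the registry values alone do not record.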

It also adds an uninstall entry, which can be used to remove this software from your computer. The uninstall entry uses the product name, for example "BrowseFox" (the original write-up shows a screenshot at this point).

It does this by creating the following registry entries:

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowseFox
Sets value: "DisplayName"
With data: "BrowseFox"

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowseFox
Sets value: "UninstallString"
With data: "\"C:\Program Files\BrowseFox\BrowseFoxUninstall.exe\""

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowseFox
Sets value: "NoModify"
With data: dword:00000001

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BrowseFox
Sets value: "NoRepair"
With data: dword:00000001

Payload

Displays ads

This threat displays ads in three ways:

  • It injects ads into search results pages.
  • It modifies webpages to insert ads.
  • It opens new tabs for advertisements.

The original write-up shows a screenshot of each behaviour at this point.


Analysis by James Patrick Dee

Last update 18 February 2017
