
BrowserModifier:Win32/Troboxi.A


First posted on 13 September 2012.
Source: Microsoft

Aliases:

BrowserModifier:Win32/Troboxi.A is also known as Trojan.StartPage!ZUsZL/8282g (VirusBuster), Trojan horse Startpage.RBZ (AVG), Trojan.StartPage.45731 (Dr.Web), Trojan.Win32.StartPage.atuq (Kaspersky), Mal/DfCheMan-A (Sophos), Trojan.StartPage (Symantec).

Explanation:



BrowserModifier:Win32/Troboxi.A changes the default search engine and home page of Internet Explorer, Mozilla Firefox, and Google Chrome. It also opens a UDP port through which the malware can send information to, and receive information from, a remote host.



Payload

Changes browser settings

BrowserModifier:Win32/Troboxi.A changes the Internet Explorer home page by changing the following registry entry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://kurs.ru/index8.html"

It also changes the default search engine used in Internet Explorer to a malware-defined value:

In subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{GUID}
Sets value: "DisplayName"
With data: "GigaBase"
Sets the search URL value of the same subkey
With data: "http://www.gigabase.ru/search?q={searchTerms}&clid=1"

If you have Mozilla Firefox installed, it makes the same changes to your Firefox profile by editing the following files:

  • %APPDATA%\Mozilla\Firefox\Profiles\<8 random characters>.default\user.js
  • %APPDATA%\Mozilla\Firefox\Profiles\<8 random characters>.default\prefs.js


It adds the following lines. Note that Firefox re-applies user.js on every start and copies its values into prefs.js, so the entries must be removed from user.js as well as prefs.js, otherwise they come back:

In "user.js":

user_pref("browser.search.defaulturl", "http://www.gigabase.ru/search?clid=1&q=");
user_pref("keyword.URL", "http://www.gigabase.ru/search?clid=1&q=");

In "prefs.js":

user_pref("browser.startup.homepage", "http://kurs.ru/index8.html");

If you have Google Chrome installed, it does the same for your Chrome settings by editing the following file:

  • %APPDATA%\Google\Chrome\User Data\Default\Preferences


It adds the following lines in your Preferences file:

"homepage": "http://kurs.ru/index8.html",
"exited_cleanly": false,
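As an added example (not part of Microsoft's write-up), the following Python triage script checks a Firefox user.js or prefs.js body and a Chrome Preferences file for the indicators quoted in the Firefox and Chrome sections above, and, on a Windows host, reads the Internet Explorer registry values from the Internet Explorer section. The sample file contents are constructed, the function names are mine, and the Internet Explorer SearchScopes "URL" value name is an assumption, since the page does not name the value that holds the search URL.

```python
import json
import re

# Indicators taken from the analysis above. Everything else in this block
# (function names, sample files, the assumed IE "URL" value name) is added
# here and is not from the original page.
IOC_HOMEPAGE = "http://kurs.ru/index8.html"
IOC_SEARCH_HOST = "www.gigabase.ru"

# Firefox preference names the analysis says Troboxi writes.
FIREFOX_PREFS = ("browser.search.defaulturl", "keyword.URL", "browser.startup.homepage")

# Matches user_pref("name", "string value"); lines. Non-string values
# (booleans, integers) do not match and are skipped, which is fine here
# because every indicator is a URL string.
_USER_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)"\s*,\s*"([^"]*)"\)\s*;')


def firefox_pref_hits(text):
    """Return [(pref_name, value)] for lines of a user.js or prefs.js body
    that set one of the watched prefs to a Troboxi URL."""
    hits = []
    for line in text.splitlines():
        m = _USER_PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if name in FIREFOX_PREFS and (IOC_SEARCH_HOST in value or value == IOC_HOMEPAGE):
            hits.append((name, value))
    return hits


def chrome_pref_hits(text):
    """Parse a Chrome Preferences file (JSON) and report the homepage indicator.
    "exited_cleanly": false is deliberately not treated as an indicator on its
    own: Chrome writes it itself whenever the browser was not shut down cleanly."""
    prefs = json.loads(text)
    hits = []
    if prefs.get("homepage") == IOC_HOMEPAGE:
        hits.append(("homepage", prefs["homepage"]))
    return hits


def ie_registry_hits():
    """Windows only: read the HKCU Internet Explorer values the analysis lists.
    Returns [] where the winreg module is unavailable. The SearchScopes subkey
    name is unknown ({GUID} above), so every subkey is checked; the page does
    not name the value holding the search URL, so IE's standard "URL" value is
    assumed alongside "DisplayName"."""
    try:
        import winreg
    except ImportError:
        return []
    hits = []
    base = r"Software\Microsoft\Internet Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + r"\Main") as main_key:
            start_page, _ = winreg.QueryValueEx(main_key, "Start Page")
            if start_page == IOC_HOMEPAGE:
                hits.append(("Main\\Start Page", start_page))
    except FileNotFoundError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base + r"\SearchScopes") as scopes:
            index = 0
            while True:
                try:
                    guid = winreg.EnumKey(scopes, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                with winreg.OpenKey(scopes, guid) as scope:
                    for value_name in ("DisplayName", "URL"):
                        try:
                            data, _ = winreg.QueryValueEx(scope, value_name)
                        except FileNotFoundError:
                            continue
                        if data == "GigaBase" or IOC_SEARCH_HOST in str(data):
                            hits.append(("SearchScopes\\%s\\%s" % (guid, value_name), data))
    except FileNotFoundError:
        pass
    return hits


# Constructed sample inputs (not captured from a real infection): the Firefox
# lines the analysis quotes plus one benign line, and a minimal Preferences file.
SAMPLE_USER_JS = (
    'user_pref("browser.search.defaulturl", "http://www.gigabase.ru/search?clid=1&q=");\n'
    'user_pref("keyword.URL", "http://www.gigabase.ru/search?clid=1&q=");\n'
    'user_pref("browser.startup.homepage", "about:home");\n'
)
SAMPLE_PREFERENCES = '{"homepage": "http://kurs.ru/index8.html", "exited_cleanly": false}'

if __name__ == "__main__":
    for hit in firefox_pref_hits(SAMPLE_USER_JS) + chrome_pref_hits(SAMPLE_PREFERENCES) + ie_registry_hits():
        print("indicator:", hit)
```

Run it on a live profile by reading the files listed above into `firefox_pref_hits` and `chrome_pref_hits` instead of the constructed samples. The Chrome check only examines the homepage value the analysis documents; a homepage match that also coincides with the Firefox or registry indicators is the strong signal, not the `exited_cleanly` flag alone.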

Connects to a remote server

BrowserModifier:Win32/Troboxi.A connects to the server "176.9.157.143" to report that it has successfully infected your computer.

It also opens a hidden Internet Explorer window and opens a random UDP port to send and receive information; in the wild, we have observed the malware downloading an updated version of itself.



Analysis by Ferdinand Plazo

Last update 13 September 2012
