Trojan:Win32/Miuref
First posted on 03 December 2014.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Miuref.
Explanation:
Threat behavior
Installation
This threat can be downloaded directly from the Internet by imitating a legitimate software download. We have seen it use the following file names:
- BkgHC.exe
- far-cry-3-reggae.exe
- GDuoh.exe
- i0fqW.exe
- install_flashplayer12x32_mssa_aaa_aih.exe
- lemmings-vollversion-deutsch.exe
- ppc2.exe
- QJSg9.exe
- sgk-toan-lop-9.exe
- VOMdc.exe
It can also be installed by other malware, including the Fiesta exploit kit.
The malware installs itself as an .exe file in a randomly named subfolder of %LOCALAPPDATA%. For example, we have seen it installed to the following locations:
- %LOCALAPPDATA%\Adworks\Vm3ig.exe
- %LOCALAPPDATA%\Afwdworks\jqvNe.exe
- %LOCALAPPDATA%\Ajfworks\tmp1019.exe
- %LOCALAPPDATA%\Alworks\T_RhS.exe
- %LOCALAPPDATA%\Apworks\tmp3D67.exe
- %LOCALAPPDATA%\AWworks\msiexec.exe
- %LOCALAPPDATA%\Edtion\vB0H6.exe
- %LOCALAPPDATA%\Efgtion\_y7LN.exe
- %LOCALAPPDATA%\Epjtion\creative-pci-software.exe
- %LOCALAPPDATA%\Extion\ONM0k.exe
- %LOCALAPPDATA%\Icxsoft\ppc2.exe
- %LOCALAPPDATA%\Ilzcsoft\ultrasn0w.exe
- %LOCALAPPDATA%\UQKmedia\asa-vpn-client.exe
- %LOCALAPPDATA%\YdPack\syhdajv.exe
It then installs its two main payloads: a click fraud component and a click hijacking component.
Click fraud component
This component is installed as two dynamic-link library (.dll) files in a randomly named subfolder of %LOCALAPPDATA%. For example, we have seen it installed to the following locations:
- %LOCALAPPDATA%\Abfworks\FlashUtil.dll
- %LOCALAPPDATA%\Adqworks\bTraceShell90.dll
- %LOCALAPPDATA%\Agjcworks\dqqqitgcpokgp.dll
- %LOCALAPPDATA%\Apbworks\CNBWI3.DLL
- %LOCALAPPDATA%\ARworks\gdLibs80.dll
- %LOCALAPPDATA%\Asvcworks\maintenanceservice_installer.dll
- %LOCALAPPDATA%\DataMngr_Toolbar\ggCommsnt5.dll
- %LOCALAPPDATA%\Ecstion\EP0NMF7B.DLL
- %LOCALAPPDATA%\Ecstion\tjgnovqpb.dll
- %LOCALAPPDATA%\Ecxqtion\addonMouseDrw.dll
- %LOCALAPPDATA%\Edtion\CN3002.DLL
- %LOCALAPPDATA%\Efgtion\iDataSink.dll
- %LOCALAPPDATA%\Ektion\RWViewStructure.dll
- %LOCALAPPDATA%\Elrtion\DesktopMapCprt.dll
- %LOCALAPPDATA%\Elzxtion\halCfgSpi64.dll
- %LOCALAPPDATA%\Eption\Calendars.dll
- %LOCALAPPDATA%\Etstion\mdsmyxprtyz.dll
- %LOCALAPPDATA%\Ettion\AcShellExtension.dll
- %LOCALAPPDATA%\Evdtion\mDNSResponder.dll
It also downloads another file that contains the encrypted click fraud payload. This file has the same random name as the .dll file, but with one of the following extensions:
- .dat
- .idx
- .txt
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Owkqics"
With data: "%LOCALAPPDATA%\Owkqics\.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ovsdics"
With data: "regsvr32.exe %LOCALAPPDATA%\Ovsdics\.dll"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Atntworks"
With data: "regsvr32.exe %LOCALAPPDATA%\Owkqics\.dll"
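The installation and persistence indicators above (an .exe auto-started from a top-level folder under %LOCALAPPDATA%, a .dll loaded through regsvr32.exe from the same kind of folder, and a .dll with a same-named .dat/.idx/.txt file holding the encrypted payload) translate directly into a host triage check. The following Python is an added example written for this page, not code from Microsoft's write-up. The sample Run values and directory listing are constructed for the demo; the file names Vm3ig.exe, FlashUtil.dll and CN3002.DLL are borrowed from the install-location examples, since the page leaves the real names in the Run entries blank. The folder-name suffix regex and the allowlist of known vendor folders are the author's heuristics derived from the folder names listed above, not something the write-up states.

```python
import re
from pathlib import PureWindowsPath

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values, modelled
# on the three entries in the write-up. The benign entries are made up for
# contrast; OneDrive shows that "under %LOCALAPPDATA%" alone is not enough.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "Owkqics": r'"%LOCALAPPDATA%\Owkqics\Vm3ig.exe"',
    "Ovsdics": r"regsvr32.exe %LOCALAPPDATA%\Ovsdics\FlashUtil.dll",
    "Atntworks": r'regsvr32.exe "%LOCALAPPDATA%\Owkqics\CN3002.DLL"',
}

# Constructed directory listing: one .dll/.dat pairing, one .DLL/.idx pairing
# (case differs, as it does in the samples), plus files that must not match.
SAMPLE_FILES = [
    r"%LOCALAPPDATA%\Ecstion\tjgnovqpb.dll",
    r"%LOCALAPPDATA%\Ecstion\tjgnovqpb.dat",
    r"%LOCALAPPDATA%\Ecstion\EP0NMF7B.DLL",
    r"%LOCALAPPDATA%\Ecstion\ep0nmf7b.idx",
    r"%LOCALAPPDATA%\Adworks\Vm3ig.exe",
    r"%LOCALAPPDATA%\Adworks\Vm3ig.txt",      # .exe + .txt is not the described pairing
    r"%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db",
]

# Author's heuristic, derived from the folder names listed in the write-up:
# a short random prefix followed by one of the suffixes seen in the samples.
MIUREF_NAME_RE = re.compile(r"^[A-Za-z]{1,6}(works|tion|soft|media|pack)$", re.I)
# Top-level %LOCALAPPDATA% folders that legitimately hold auto-started binaries (assumption).
KNOWN_VENDOR_DIRS = {"microsoft", "google", "mozilla", "programs", "packages", "temp"}
PAYLOAD_EXTS = {".dat", ".idx", ".txt"}


def _paths_in(command_line):
    """Return the quoted or bare .exe/.dll paths referenced by a Run value."""
    return [m.group(1) or m.group(2)
            for m in re.finditer(r'"([^"]+)"|(\S+\.(?:exe|dll))\b', command_line, re.I)]


def _localappdata_subdir(path):
    """Top-level folder under %LOCALAPPDATA% containing `path`, or None if the
    path is not under %LOCALAPPDATA% (expanded or unexpanded form)."""
    m = re.search(r"(?:%LOCALAPPDATA%|\\AppData\\Local)\\([^\\]+)\\",
                  path.replace("/", "\\"), re.I)
    return m.group(1) if m else None


def classify_run_value(name, command_line):
    """Reasons (empty list when clean) why a Run value matches the Miuref persistence pattern."""
    reasons = []
    paths = _paths_in(command_line)
    via_regsvr32 = bool(paths) and paths[0].lower().endswith("regsvr32.exe")
    for p in paths:
        folder = _localappdata_subdir(p)
        if folder is None or folder.lower() in KNOWN_VENDOR_DIRS:
            continue
        ext = p.lower().rsplit(".", 1)[-1]
        if ext == "dll" and via_regsvr32:
            reasons.append(f"regsvr32 loads a DLL from %LOCALAPPDATA%\\{folder}")
        elif ext == "exe":
            reasons.append(f"EXE auto-starts from %LOCALAPPDATA%\\{folder}")
        if folder.lower() == name.lower():
            reasons.append("Run value name equals the install folder name")
    if MIUREF_NAME_RE.match(name):
        reasons.append(f"Run value name '{name}' matches the Miuref folder-name pattern")
    return reasons


def triage_run_values(values):
    """Map each flagged Run value name to its reasons; clean values are omitted."""
    flagged = {}
    for name, command_line in values.items():
        reasons = classify_run_value(name, command_line)
        if reasons:
            flagged[name] = reasons
    return flagged


def find_payload_companions(file_paths):
    """Return (dll_path, [payload extensions]) for every .dll that has a same-named
    .dat/.idx/.txt sibling in the same folder, sorted by folder and stem."""
    groups = {}
    for p in file_paths:
        wp = PureWindowsPath(p)
        key = (str(wp.parent).lower(), wp.stem.lower())   # case-insensitive, like NTFS
        groups.setdefault(key, {})[wp.suffix.lower()] = p
    hits = []
    for key in sorted(groups):
        files = groups[key]
        companions = sorted(ext for ext in files if ext in PAYLOAD_EXTS)
        if ".dll" in files and companions:
            hits.append((files[".dll"], companions))
    return hits


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"[Run] {name}: " + "; ".join(reasons))
    for dll, exts in find_payload_companions(SAMPLE_FILES):
        print(f"[payload] {dll} has companion file(s) with extension {', '.join(exts)}")
```

On a live host the same two functions can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a recursive listing of %LOCALAPPDATA% one level deep; the folder-name regex is deliberately loose and will also hit ordinary words ending in "tion", so treat it as a scoring signal next to the regsvr32 and companion-file checks rather than a verdict on its own.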
Click hijacking component
This component is installed as a browser plugin for the Chrome and Firefox web browsers. It creates the following files:
- Mozilla Firefox extension (%APPDATA% already resolves to the Roaming folder; the profile name is sample-specific):
- %APPDATA%\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\chrome.manifest
- %APPDATA%\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\components\MHTMLAsynchronousPluggable.js
- %APPDATA%\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\install.rdf
- Google Chrome extension:
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\background.js
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\content.js
- %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\manifest.json
Payload
Uses your PC for click fraud
This threat can use your PC for click fraud. It loads the two malicious dynamic-link library (.dll) files from the randomly named folder under %LOCALAPPDATA% described above, using the regsvr32.exe Run entries listed under Installation.
It connects to a remote command and control server (C&C) to receive click fraud commands. We have seen it connect to:
- 85.25.116.
After receiving click fraud commands from the C&C, the malware silently creates many Internet Explorer processes and injects malicious code into them to perform hidden click fraud.
These hidden processes can be seen in Task Manager (the original page shows a screenshot at this point).
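The "many hidden Internet Explorer processes" symptom can be checked from a process snapshot rather than by eyeballing Task Manager. The following Python is an added example, not code from the write-up: it walks a constructed (pid, ppid, image) list and reports any process that is the parent of several iexplore.exe instances while not itself being the shell or Internet Explorer. The parent-based heuristic, the threshold of three children, and the sample process tree are the author's assumptions; the write-up only says the malware creates many IE processes and injects code into them.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process snapshot: (pid, ppid, image path). A user-launched IE
# session (frame process 2300 with its tab process 2350) sits next to a dropper
# running from %LOCALAPPDATA% (3100) that has spawned six IE processes.
SAMPLE_PROCESSES = [
    (900, 4, r"C:\Windows\System32\winlogon.exe"),
    (1200, 900, r"C:\Windows\explorer.exe"),
    (2300, 1200, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (2350, 2300, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"),
    (3100, 1200, r"C:\Users\alice\AppData\Local\Adworks\Vm3ig.exe"),
] + [(3200 + i, 3100, r"C:\Program Files\Internet Explorer\iexplore.exe") for i in range(6)]

# Parents that legitimately start iexplore.exe: the shell, and IE's own frame
# process starting tab processes (assumption; extend for your environment).
EXPECTED_IE_PARENTS = {"explorer.exe", "iexplore.exe"}


def _basename(image):
    return PureWindowsPath(image).name.lower()


def find_ie_spawners(processes, min_children=3):
    """Return {ppid: (parent_image, count)} for processes that spawned at least
    `min_children` iexplore.exe instances and are not an expected IE parent."""
    image_by_pid = {pid: image for pid, _, image in processes}
    counts = defaultdict(int)
    for _, ppid, image in processes:
        if _basename(image) != "iexplore.exe":
            continue
        if _basename(image_by_pid.get(ppid, "")) in EXPECTED_IE_PARENTS:
            continue
        counts[ppid] += 1   # orphaned IE processes are grouped under their stale ppid
    return {ppid: (image_by_pid.get(ppid, "<exited>"), n)
            for ppid, n in counts.items() if n >= min_children}


def under_localappdata(image):
    """True when the image lives in the user's AppData\\Local tree, where the
    write-up says Miuref installs itself (either path form is accepted)."""
    norm = image.lower().replace("/", "\\")
    return "\\appdata\\local\\" in norm or "%localappdata%\\" in norm


if __name__ == "__main__":
    for ppid, (image, n) in find_ie_spawners(SAMPLE_PROCESSES).items():
        tag = " (under %LOCALAPPDATA%)" if under_localappdata(image) else ""
        print(f"pid {ppid} {image}{tag} spawned {n} iexplore.exe processes")
```

Feed it real data from `Get-CimInstance Win32_Process | Select ProcessId, ParentProcessId, ExecutablePath` or from Sysmon event ID 1 (ParentProcessId/ParentImage); a parent under %LOCALAPPDATA% with a cluster of IE children is the combination this write-up describes, while a single IE frame spawning tab processes is expected and is excluded by the parent check.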
Redirects your web browser for click hijacking
This threat can hijack your search engine results. When you search the Internet using the Chrome or Firefox web browser, the malicious plugin submits the search term to its C&C server and waits for a reply. The reply contains the redirection chain.
The threat targets specific search keywords, such as the following:
- Books
- Headphone
- Insurance
- Laptop
- Loans
- Pills
- poker
- Shoes
- work at home
We have seen searches with these keywords redirect to these legitimate websites:
- amazon.com
- 7search.com
These websites can change at any time.
Analysis by Duc Nguyen
Symptoms
The following can indicate that you have this threat on your PC:
- You see these entries or keys in your registry:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Owkqics"
With data: "%LOCALAPPDATA%\Owkqics\.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ovsdics"
With data: "regsvr32.exe %LOCALAPPDATA%\Ovsdics\.dll"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Atntworks"
With data: "regsvr32.exe %LOCALAPPDATA%\Owkqics\.dll"
- Your search results are redirected to a different website than expected
- Your web searches take longer than usual
- You see multiple instances of Internet Explorer running in Task Manager
Last update 03 December 2014