
Trojan:Win32/Miuref


First posted on 03 December 2014.
Source: Microsoft

Aliases:

There are no other names known for Trojan:Win32/Miuref.

Explanation:

Threat behavior

Installation

This threat can be downloaded directly from the Internet by imitating a legitimate software download. We have seen it use the following file names:

  • BkgHC.exe
  • far-cry-3-reggae.exe
  • GDuoh.exe
  • i0fqW.exe
  • install_flashplayer12x32_mssa_aaa_aih.exe
  • lemmings-vollversion-deutsch.exe
  • ppc2.exe
  • QJSg9.exe
  • sgk-toan-lop-9.exe
  • VOMdc.exe


It can also be installed by other malware, including the Fiesta exploit kit.

The malware installs itself to %LOCALAPPDATA%\\.exe. For example, we have seen it installed to the following locations:

  • %LOCALAPPDATA%\Adworks\Vm3ig.exe
  • %LOCALAPPDATA%\Afwdworks\jqvNe.exe
  • %LOCALAPPDATA%\Ajfworks\tmp1019.exe
  • %LOCALAPPDATA%\Alworks\T_RhS.exe
  • %LOCALAPPDATA%\Apworks\tmp3D67.exe
  • %LOCALAPPDATA%\AWworks\msiexec.exe
  • %LOCALAPPDATA%\Edtion\vB0H6.exe
  • %LOCALAPPDATA%\Efgtion\_y7LN.exe
  • %LOCALAPPDATA%\Epjtion\creative-pci-software.exe
  • %LOCALAPPDATA%\Extion\ONM0k.exe
  • %LOCALAPPDATA%\Icxsoft\ppc2.exe
  • %LOCALAPPDATA%\Ilzcsoft\ultrasn0w.exe
  • %LOCALAPPDATA%\UQKmedia\asa-vpn-client.exe
  • %LOCALAPPDATA%\YdPack\syhdajv.exe


It then installs its two main payloads: a click fraud component and a click hijacking component.

Click fraud component

This component is installed as two dynamic-link library (.dll) files under %LOCALAPPDATA%\\.dll. For example, we have seen it installed to the following locations:

  • %LOCALAPPDATA%\Abfworks\FlashUtil.dll
  • %LOCALAPPDATA%\Adqworks\bTraceShell90.dll
  • %LOCALAPPDATA%\Agjcworks\dqqqitgcpokgp.dll
  • %LOCALAPPDATA%\Apbworks\CNBWI3.DLL
  • %LOCALAPPDATA%\ARworks\gdLibs80.dll
  • %LOCALAPPDATA%\Asvcworks\maintenanceservice_installer.dll
  • %LOCALAPPDATA%\DataMngr_Toolbar\ggCommsnt5.dll
  • %LOCALAPPDATA%\Ecstion\EP0NMF7B.DLL
  • %LOCALAPPDATA%\Ecstion\tjgnovqpb.dll
  • %LOCALAPPDATA%\Ecxqtion\addonMouseDrw.dll
  • %LOCALAPPDATA%\Edtion\CN3002.DLL
  • %LOCALAPPDATA%\Efgtion\iDataSink.dll
  • %LOCALAPPDATA%\Ektion\RWViewStructure.dll
  • %LOCALAPPDATA%\Elrtion\DesktopMapCprt.dll
  • %LOCALAPPDATA%\Elzxtion\halCfgSpi64.dll
  • %LOCALAPPDATA%\Eption\Calendars.dll
  • %LOCALAPPDATA%\Etstion\mdsmyxprtyz.dll
  • %LOCALAPPDATA%\Ettion\AcShellExtension.dll
  • %LOCALAPPDATA%\Evdtion\mDNSResponder.dll


It also downloads another file that contains the encrypted click fraud payload. This file has the same random name as the .dll file, but with one of the following extensions:

  • .dat
  • .idx
  • .txt


It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Owkqics"
With data: "%LOCALAPPDATA%\Owkqics\.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ovsdics"
With data: "regsvr32.exe %LOCALAPPDATA%\Ovsdics\.dll"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Atntworks"
With data: "regsvr32.exe %LOCALAPPDATA%\Owkqics\.dll"
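As an added example (not from Microsoft's write-up), a small Python triage helper that parses `reg query` output for the HKCU Run key and flags entries matching the persistence pattern above: an .exe started from, or a .dll registered with regsvr32.exe from, a directory sitting directly under %LOCALAPPDATA%. The sample output, the `C:\Users\alice` path and the random file names are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKCU\...\Run` output (not from the page): one benign
# entry, then three values in the pattern described above with placeholder random names.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Owkqics    REG_EXPAND_SZ    "%LOCALAPPDATA%\Owkqics\Vm3ig.exe"
    Ovsdics    REG_EXPAND_SZ    regsvr32.exe %LOCALAPPDATA%\Ovsdics\FlashUtil.dll
    Atntworks    REG_EXPAND_SZ    regsvr32.exe %LOCALAPPDATA%\Owkqics\CN3002.DLL
"""

LOCALAPPDATA = r"C:\Users\alice\AppData\Local"  # assumed value, used to expand the variable
# Directory-name endings seen in the install paths listed on this page (weak signal only).
DIR_SUFFIXES = ("works", "tion", "soft", "media", "pack", "ics")
LINE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")  # value names without spaces assumed

def parse_reg_query(text):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(3).strip()

def loaded_image(data):
    """Return the file the entry really executes: the DLL handed to regsvr32, else the first token."""
    expanded = re.sub(r"%LOCALAPPDATA%", lambda _: LOCALAPPDATA, data, flags=re.I)
    tokens = [q or u for q, u in re.findall(r'"([^"]+)"|(\S+)', expanded)]
    if tokens and tokens[0].lower() in ("regsvr32", "regsvr32.exe"):
        dlls = [t for t in tokens[1:] if t.lower().endswith(".dll")]
        return dlls[0] if dlls else ""
    return tokens[0] if tokens else ""

def classify_run_entry(data):
    """Return a reason string when the entry matches the Miuref persistence pattern, else None."""
    p = PureWindowsPath(loaded_image(data))
    # Miuref sits at %LOCALAPPDATA%\<random dir>\<random file>, exactly one directory deep;
    # legitimate per-user software is normally deeper (e.g. Local\Microsoft\OneDrive\...).
    if p.parent.parent != PureWindowsPath(LOCALAPPDATA):
        return None
    note = " (directory suffix match)" if p.parent.name.lower().endswith(DIR_SUFFIXES) else ""
    if data.lstrip('"').lower().startswith("regsvr32") and p.suffix.lower() == ".dll":
        return "regsvr32.exe loads a DLL from a %LOCALAPPDATA% subfolder" + note
    if p.suffix.lower() == ".exe":
        return "EXE started from a %LOCALAPPDATA% subfolder" + note
    return None

def scan_run_key(text):
    """Return [(value_name, reason)] for every suspicious entry in `reg query` output."""
    return [(n, r) for n, r in ((n, classify_run_entry(d)) for n, d in parse_reg_query(text)) if r]
```

Feed it the real output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and set LOCALAPPDATA to the account's actual value to run it against a live host.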

Click hijacking component

This component is installed as a browser plugin for the Chrome and Firefox web browsers. It creates the following files:

  • Mozilla Firefox extensions:
    • %APPDATA%\Roaming\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\chrome.manifest
    • %APPDATA%\Roaming\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\components\MHTMLAsynchronousPluggable.js
    • %APPDATA%\Roaming\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\install.rdf

  • Google Chrome extensions:
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\background.js
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\content.js
    • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\manifest.json
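Added example, not part of the original page: a Python sweep for the Chrome and Firefox extension directories listed above. The Chrome profile, the extension version and the Firefox profile name vary per machine, so they are matched with wildcards; the run below builds a constructed temporary profile tree (placeholder files, a made-up second extension id) rather than touching a real profile.

```python
import tempfile
from pathlib import Path

# Extension identifiers and file names taken from the file list on this page.
CHROME_EXT_ID = "ajpgkpeckebdhofmmjfgcjjiiejpodla"
FIREFOX_EXT_ID = "{05271894-B636-177D-D56A-AF64DF39A8A6}"
CHROME_FILES = ("background.js", "content.js", "manifest.json")
FIREFOX_FILES = ("chrome.manifest", "install.rdf", "components/MHTMLAsynchronousPluggable.js")

def find_miuref_extensions(local_appdata, roaming_appdata):
    """Return [(browser, extension_dir, missing_files)] for every matching extension directory.
    Profile name (e4t2dvz3.default on the page), Chrome profile and version dir are wildcarded."""
    hits = []
    chrome = Path(local_appdata) / "Google" / "Chrome" / "User Data"
    for d in chrome.glob(f"*/Extensions/{CHROME_EXT_ID}/*"):
        if d.is_dir():
            hits.append(("chrome", str(d), [f for f in CHROME_FILES if not (d / f).is_file()]))
    firefox = Path(roaming_appdata) / "Mozilla" / "Firefox" / "Profiles"
    for d in firefox.glob(f"*/extensions/{FIREFOX_EXT_ID}"):
        if d.is_dir():
            hits.append(("firefox", str(d), [f for f in FIREFOX_FILES if not (d / f).is_file()]))
    return hits

def build_constructed_profiles(root):
    """Create a constructed profile tree with the layout shown on this page (empty placeholder
    files, no real extension code) plus one unrelated extension that must not be reported."""
    local, roaming = Path(root) / "Local", Path(root) / "Roaming"
    chrome_ext = local / "Google/Chrome/User Data/Default/Extensions"
    bad = chrome_ext / CHROME_EXT_ID / "5.0.3"
    bad.mkdir(parents=True)
    for f in CHROME_FILES:
        (bad / f).write_text("// placeholder\n")
    (chrome_ext / "abcdefghijklmnopabcdefghijklmnop" / "1.0").mkdir(parents=True)  # benign, made up
    ff = roaming / "Mozilla/Firefox/Profiles/e4t2dvz3.default/extensions" / FIREFOX_EXT_ID
    (ff / "components").mkdir(parents=True)
    (ff / "chrome.manifest").write_text("")
    (ff / "install.rdf").write_text("")
    # components/MHTMLAsynchronousPluggable.js is left out on purpose: a partially cleaned-up
    # install should still be reported, with the missing file listed.
    return local, roaming

def demo():
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        local, roaming = build_constructed_profiles(tmp)
        return find_miuref_extensions(local, roaming)
```

On a live host, call find_miuref_extensions with the account's %LOCALAPPDATA% and %APPDATA% paths instead of the constructed tree.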


Payload

Uses your PC for click fraud

This threat can use your PC for click fraud. It loads two malicious dynamic-link library (.dll) files by calling %LOCALAPPDATA%\\.dll.

It connects to a remote command and control server (C&C) to receive click fraud commands. We have seen it connect to:

  • 85.25.116.


After receiving a click fraud command from the C&C, the malware silently creates many Internet Explorer processes and injects malicious code into them to perform hidden click fraud.

These hidden processes can be seen in the Task Manager, as shown below:



Redirects your web browser for click hijacking

This threat can hijack your search engine results. When you search the Internet using the Chrome or Firefox web browser, the malicious plugin submits the search term to its C&C server and waits for a reply, which contains the redirection chain.

The threat targets specific search keywords, such as the following:

  • Books
  • Headphone
  • Insurance
  • Laptop
  • Loans
  • Pills
  • poker
  • Shoes
  • work at home


We have seen searches with these keywords redirect to these legitimate websites:

  • amazon.com
  • 7search.com


These websites can change at any time.



Analysis by Duc Nguyen

Symptoms

The following can indicate that you have this threat on your PC:
  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Owkqics"
    With data: "%LOCALAPPDATA%\Owkqics\.exe"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Ovsdics"
    With data: "regsvr32.exe %LOCALAPPDATA%\Ovsdics\.dll"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Atntworks"
    With data: "regsvr32.exe %LOCALAPPDATA%\Owkqics\.dll"



  • Your search results are redirected to a different website than expected



  • Your web searches take longer than usual



  • You see multiple instances of Internet Explorer running in Task Manager



Last update 03 December 2014
