
BrowserModifier:Win32/Smudplu


First posted on 31 October 2019.
Source: Microsoft

Aliases :

There are no other names known for BrowserModifier:Win32/Smudplu.

Explanation :

Installation

This browser modifier can be installed on your PC when you download other software from third-party websites.

It can install the following file on your PC:

%CommonProgramFiles% GoobzoGBUpdatePlussmci64.dll

The malware can also create the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\services\SMUpdPlus
Sets value: "Search Module Plus Update"
With data: "%CommonProgramFiles%GoobzoGBUpdatePlussmu.exe /service"

In subkey: HKLM\SYSTEM\CurrentControlSet\services\SMUpdd
Sets value: "Search Module Plus UpdateD"
With data: "%CommonProgramFiles%GoobzoGBUpdatePlussmw.sys"

It creates the following scheduled task:

SMW_UpdateTask_Time_323234393733303630372d3437415a556c2a3223346c41

Behavior

Changes your default search provider

This program injects a DLL into your web browser to change the default search provider without adequate consent.

We have seen it inject smci32.dll into 32-bit browser processes, and smci64.dll into 64-bit browser processes.

It can change the search provider in the following web browsers:

Internet Explorer
Google Chrome
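
The artifacts described above can be checked on a host with a short PowerShell script. This is an added example, not Microsoft's code; it uses only the service key names, scheduled task name and DLL names given on this page, and matching the task by its name prefix is an assumption.

```powershell
# Added example: looks for the Smudplu artifacts named on this page.
# Run from an elevated 64-bit PowerShell so browser modules can be read.
$findings = @()

# 1. Service registry keys listed in the write-up.
foreach ($svc in 'SMUpdPlus', 'SMUpdd') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        $findings += [pscustomobject]@{
            Type      = 'ServiceKey'
            Indicator = $key
            Detail    = ($props.PSObject.Properties |
                         Where-Object { $_.Name -notlike 'PS*' } |
                         ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# 2. Scheduled task. Only the name prefix is matched (assumption: the long
#    suffix shown on the page may differ between installs).
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'SMW_UpdateTask_Time_*' } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'ScheduledTask'; Indicator = $_.TaskName
            Detail = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
        }
    }

# 3. Injected DLLs in running Internet Explorer and Chrome processes.
foreach ($p in Get-Process -Name iexplore, chrome -ErrorAction SilentlyContinue) {
    try {
        $p.Modules | Where-Object { $_.ModuleName -in 'smci32.dll', 'smci64.dll' } |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Type = 'InjectedModule'; Indicator = $_.FileName
                    Detail = "$($p.ProcessName) PID $($p.Id)"
                }
            }
    } catch {
        Write-Warning "Cannot read modules of PID $($p.Id): $($_.Exception.Message)"
    }
}

if ($findings) { $findings | Format-List } else { 'No Smudplu artifacts from this page were found.' }
```

A clean result only means these specific names were absent; the module check covers running browser processes only.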

Find out more about how and why we identify unwanted software.

Analysis by Hamish O'Dea

Last update 31 October 2019

 
