Home / malwarePDF  

BrowserModifier:Win32/Heazycrome


First posted on 27 October 2016.
Source: Microsoft

Aliases :

There are no other names known for BrowserModifier:Win32/Heazycrome.

Explanation :

Installation

This browser modifier can be installed on your PC when you download other software from third-party websites.

Behavior

Modifies Browser Shortcuts

This threat uses Windows Management Instrumentation (WMI) script to modify shortcut files of popular web browsers.

The modified browser shortcut files point to any of the following websites:

  • 9o0gle.com
  • jyhjyy.top
  • navigation.iwatchavi.com
  • navsmart.info
  • yeabests.cc


It does this modification so that when you launch the browser using the modified shortcut file, the browser opens any of the websites above.

The following is a screenshot of one of the websites:

It searches for *.LNK files in the following folders:
  • C:\ProgramData\Microsoft\Windows\Start Menu
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\\AppData\Roaming
  • C:\Users\\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
  • C:\Users\\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu
  • C:\Users\\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
  • C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu
  • C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
  • C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\\Desktop
  • C:\Users\Public\Desktop


If it finds shortcut files for any of the following browsers, it proceeds to modify the short files:
  • 360 browsers
  • Baidu browser
  • Google Chrome
  • Internet Explorer
  • LieBao browser
  • Maxthon
  • Mozilla Firefox
  • Opera
  • QQ browser
  • Safari
  • Sogou Explorer
  • Tencent Traveler
  • TheWorld browser


For example, the following is a screenshot of the properties of a modified Internet Explorer shortcut:

Modified browser shortcuts are detected as BrowserModifier:Win32/Heazycrome!blnk.

Adds Browser Extension

Some versions of this threat add a Google Chrome extension named EasyChrome:

Last update 27 October 2016

 

TOP

Malware :