BrowserModifier:Win32/Xeelyak
First posted on 06 October 2017.
Source: Microsoft
Aliases:
There are no other names known for BrowserModifier:Win32/Xeelyak.
Explanation:
Installation
This threat is usually installed through bundlers and other unwanted software such as BrowserModifier:Win32/Sasquor and BrowserModifier:Win32/Suptab.
It usually calls itself 'Yet Another Cleaner' (YAC) when installed on your PC.
Prevalent variants of this browser modifier usually install themselves in %PROGRAM_FILES%, as an internet browser toolbar or search provider:
%PROGRAM_FILES%\v9Soft (v9Soft is the browser toolbar/search extension installed)
Later variants install themselves as a security tool in infected systems:
%PROGRAM_FILES%\Elex-tech
Added files
When installed, this threat adds the following files:
%PROGRAM_FILES%\v9Soft\v9sof.exe
%PROGRAM_FILES%\Google\Chrome\User Data\Default\Extensions\serach.crx
%PROGRAM_FILES%\Google\Chrome\User Data\Default\Extensions\v9-toolbar.crx
%DESKTOPDIRECTORY%\Internet Explorer.lnk
%SYSTEM%\v9-toolbar.dll
%SYSTEM%\v9loader.dll
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\Depth clean up junk files.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\uninstall.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\YAC Desktop.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\YAC.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Depth clean up junk files.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\YAC Desktop.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\YAC.lnk
Added directories
The added files are installed in the following directories:
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\YAC
%TEMP%\iSafeRightKeyScan
Added registry keys
It also adds the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Elex-tech\YAC
Payload
Drops a modified Internet Explorer link
This threat drops a modified Internet Explorer shortcut (%DESKTOPDIRECTORY%\Internet Explorer.lnk, listed above) that points to its affiliate websites.
Modifies default homepage
This threat also changes the default homepage without your consent by adding the following registry entry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: Default_Page_URL
With data: "www..com/sof/sof_1506913787_429407"
Adds browser extension and toolbars
This threat also adds Google Chrome extensions without your consent (the .crx files listed under Added files).
It also adds browser extensions and search providers for Internet Explorer by adding the following registry entries:
In subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Sets value: URL
With data: "http://www..com.br/cse?q={searchTerms}&cx=partner-pub- &tbm=&ie=UTF-8#gsc.tab=0&gsc.q={searchTerms}"
In subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Sets value: DisplayName
With data: "v9"
Disables browser security settings
This threat also disables the Phishing Filter on older versions of Internet Explorer by setting the following registry entry:
In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: EnabledV9
With data: DWORD:00000000
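A read-only triage check for the registry and file-system artifacts described above, as an added example that is not part of Microsoft's write-up; it assumes an elevated PowerShell session on the host under review and that %PROGRAM_FILES%, %SYSTEM%, %ProgramData% and %TEMP% map to the usual $env: locations.

```powershell
# Added triage script, not part of Microsoft's write-up: reports the registry and
# file-system artifacts listed on this page if they are present on the local host.
# Read-only; run it in an elevated PowerShell session and review the output.

$findings = @()

# Registry indicators from the "Added registry keys" and "Payload" sections
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Elex-tech\YAC'; Name = $null; Expect = $null
       Note = 'YAC (Elex-tech) install key present' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}'
       Name = 'DisplayName'; Expect = 'v9'; Note = 'v9 search provider registered in Internet Explorer' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
       Name = 'EnabledV9'; Expect = 0; Note = 'Internet Explorer Phishing Filter disabled' }
)

foreach ($c in $regChecks) {
    if (-not (Test-Path -Path $c.Path)) { continue }
    if ($null -eq $c.Name) { $findings += $c.Note; continue }   # key existence is enough
    $value = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $value -and $value -eq $c.Expect) {
        $findings += "$($c.Note) [$($c.Name) = $value]"
    }
}

# The write-up gives only a truncated Default_Page_URL, so report whatever value is set
# instead of matching a specific domain; judge the reported URL by hand.
$ieMain = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain -and $ieMain.Default_Page_URL) {
    $findings += "Default_Page_URL is set to: $($ieMain.Default_Page_URL)"
}

# File and directory indicators from the "Added files" and "Added directories" sections
$fsChecks = @(
    (Join-Path $env:ProgramFiles 'v9Soft\v9sof.exe'),
    (Join-Path $env:ProgramFiles 'Elex-tech'),
    (Join-Path $env:SystemRoot 'System32\v9-toolbar.dll'),
    (Join-Path $env:SystemRoot 'System32\v9loader.dll'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\YAC'),
    (Join-Path $env:TEMP 'iSafeRightKeyScan')
)
foreach ($p in $fsChecks) {
    if (Test-Path -Path $p) { $findings += "Artifact present: $p" }
}

if ($findings.Count -eq 0) { 'No BrowserModifier:Win32/Xeelyak artifacts found.' } else { $findings }
```

A hit on any single indicator is a prompt for closer review, not proof on its own; the Default_Page_URL line in particular is reported for every host that has the value set.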
Additional information
Displays misleading security information
Aside from the setting changes that this threat does without your consent, Yet Another Cleaner, is also known for displaying misleading security information and annoying pop-up windows.
Analysis by Zarestel Ferrer
Last update 06 October 2017