Win32/Miuref


First posted on 18 March 2014.
Source: Microsoft

Aliases :

There are no other names known for Win32/Miuref.

Explanation :

Threat behavior

Installation

Win32/Miuref can be installed by other malware, such as Win32/Fareit. It can also arrive as the attachment of a spam email; the attachment uses a double extension such as "invoice_.pdf.exe", so it looks like a PDF document while actually being an executable. We detect the attachment in these spam emails as Trojan:Win32/Miuref.A.

It downloads an additional component, detected as Trojan:Win32/Miuref.B. It installs this component as a .dll file with a random name inside a randomly named subfolder of %LOCALAPPDATA%, for example %LOCALAPPDATA%\Arltworks\MozSvcs64.dll.

It also downloads a second file that contains the encrypted payload of the trojan. This file has the same base name as the .dll file, but one of the following extensions:

  • .dat
  • .idx
  • .lck
  • .txt


For example, MozSvcs64.idx.

It changes the registry so that the malware runs each time you log on to your PC:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: a random name, for example, Arltworks
With data: "regsvr32.exe " followed by the path to the .dll file, for example "regsvr32.exe %LOCALAPPDATA%\Arltworks\MozSvcs64.dll"

Because the .dll is loaded by regsvr32.exe, a legitimate signed Windows binary that calls the DLL's DllRegisterServer export, the malicious code runs inside a regsvr32.exe process rather than under an executable name of its own.

If you have Firefox or Chrome installed on your PC, Win32/Miuref also installs extensions with various names (such as "HomeGroup Task") for those browsers. We detect the extensions as Trojan:JS/Miuref.A and Trojan:JS/Miuref.B. It uses these extensions to perform its search-engine hijacking payload.

Payload

Downloads malware and displays ads

Win32/Miuref starts and then injects itself into one or more hidden Internet Explorer processes, which it uses to perform clicks that are not visible to you. These clicks can lead to online advertisements, generating ad traffic that you never see.

We have also seen the hidden clicks used to download other malware such as Trojan:Win32/Tobfy.S.

Hijacks search engine results

The trojan can hijack and replace search engine results when you use Internet Explorer, Firefox or Chrome.

For Internet Explorer, the trojan connects to a remote server to get the redirection URLs.

For Firefox and Chrome, the trojan uses the extensions it has installed to redirect the search to another website. We have seen the extensions redirect searches to esearchpage.com and esearchpage.org.

Connects to a remote server

Win32/Miuref connects to a remote server and reports the following information, which together identify the infected machine to the operator:

  • Machine GUID
  • System volume serial number
  • Computer name


The server varies, but we have seen it try to connect to 50.7.248.170.



Analysis by Shawn Wang

Symptoms

The following could indicate that you have this threat on your PC:

  • You are sent to websites that you didn't mean to go to, or your search engine results are not what you were expecting.
  • You see these entries or keys in your registry:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: a random name, for example, Arltworks
    With data: "regsvr32.exe " followed by the path to the .dll file, for example "regsvr32.exe %LOCALAPPDATA%\Arltworks\MozSvcs64.dll"
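The indicators described in this write-up (the HKCU Run value that launches regsvr32.exe against a .dll under %LOCALAPPDATA%, the payload file stored beside that .dll with a .dat, .idx, .lck or .txt extension, the "HomeGroup Task" browser extension, hidden Internet Explorer processes and the server address 50.7.248.170) can all be checked locally. The PowerShell script below is an added example written for this page, not part of the Microsoft write-up or of any Microsoft tool. It assumes the standard Chrome and Firefox profile locations under %LOCALAPPDATA% and %APPDATA%, that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and it treats the names, extensions and IP address above as the complete set of indicators. A Run-key hit together with a sibling payload file is the strongest signal; a window-less iexplore.exe on its own is weak.

```powershell
# Miuref hunt, added here as an example; not part of the Microsoft write-up.
# Run in the context of the user whose profile is suspected: the Run key is under
# HKCU and the dropped files live under that user's %LOCALAPPDATA%.
# Assumptions (not from the write-up): the Chrome/Firefox profile paths below and
# the availability of Get-NetTCPConnection (Windows 8 / Server 2012 and later).

$payloadExts = @('.dat', '.idx', '.lck', '.txt')   # payload extensions listed in the write-up
$knownC2     = '50.7.248.170'                       # server address observed in the write-up
$extName     = 'HomeGroup Task'                     # one extension name given in the write-up
$findings    = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Where, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Where = $Where; Detail = $Detail })
}

# 1. HKCU Run values that launch regsvr32.exe against a .dll under %LOCALAPPDATA%.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$lad    = [regex]::Escape($env:LOCALAPPDATA)
$props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # PSPath, PSParentPath, ... are not Run values
        $data     = [string]$p.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($data)
        # regsvr32[.exe], optional switches such as /s, then a quoted or bare .dll path.
        if ($expanded -match '(?i)regsvr32(\.exe)?"?(\s+/\w+)*\s+"?([^"]+?\.dll)"?') {
            $dll = $Matches[3]
            if ($dll -match "(?i)^$lad\\") {
                Add-Finding 'RunKey' "$runKey\$($p.Name)" $data
                # 2. Encrypted payload: same base name as the .dll, one of the four extensions.
                $base = Join-Path (Split-Path -Parent $dll) ([IO.Path]::GetFileNameWithoutExtension($dll))
                foreach ($ext in $payloadExts) {
                    if (Test-Path -LiteralPath "$base$ext") {
                        Add-Finding 'Payload' "$base$ext" 'encrypted payload stored beside the .dll'
                    }
                }
            }
        }
    }
}

# 3. Browser extensions carrying a name the write-up associates with Miuref.
#    Standard profile locations are assumed. Packed Firefox .xpi files are not opened;
#    only Chrome manifest.json and unpacked Firefox install.rdf files are read.
$roots = @(
    (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
    (Join-Path $env:APPDATA      'Mozilla\Firefox\Profiles')
)
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $manifests = Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -in 'manifest.json', 'install.rdf' }
    foreach ($m in $manifests) {
        $text = Get-Content -LiteralPath $m.FullName -Raw -ErrorAction SilentlyContinue
        if ($text -and $text -match [regex]::Escape($extName)) {
            Add-Finding 'Extension' $m.FullName $extName
        }
    }
}

# 4. Internet Explorer processes with no visible window (Miuref injects into hidden IE
#    processes). Weak on its own: other software can also host IE without a window.
foreach ($proc in (Get-Process -Name iexplore -ErrorAction SilentlyContinue)) {
    if ($proc.MainWindowHandle -eq 0) { Add-Finding 'HiddenIE' "PID $($proc.Id)" $proc.Path }
}

# 5. Live TCP connections to the server address observed in the write-up.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    foreach ($c in (Get-NetTCPConnection -RemoteAddress $knownC2 -ErrorAction SilentlyContinue)) {
        Add-Finding 'Network' "PID $($c.OwningProcess)" `
            "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) $($c.State)"
    }
}

if ($findings.Count -eq 0) { Write-Output 'No Miuref indicators found for the current user.' }
else { $findings | Format-Table -AutoSize }
```

The script only reports; it deletes nothing. If it finds the Run value, preserve the .dll and its sibling payload file for analysis before removing the Run value, and remember that the payload may be re-downloaded by whatever installed Miuref in the first place (the write-up names Win32/Fareit), so the dropper has to be dealt with as well.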

Last update 18 March 2014
