Win32/Rotbrow
First posted on 26 October 2013.
Source: Microsoft
Aliases:
There are no other names known for Win32/Rotbrow.
Explanation:
Threat behavior
Installation
Win32/Rotbrow installs itself in a folder under <commonappdata>, for example:
- <commonappdata>\BitGuard\2.6.1673.238\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}
- <commonappdata>\BitGuard\2.6.1694.246\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}
- <commonappdata>\BrowserDefender\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}
- <commonappdata>\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}
The family consists of multiple components, whose file names vary from one version to another. We have seen variants use the following file names:
- BitGuard.exe (sometimes called BrowserProtect.exe)
- BitGuard.dll (sometimes called BrowserProtect.dll)
- bprotector.xpi (a Firefox extension)
- BrowserProtect.crx (a Google Chrome extension, sometimes called browsemngr.crx)
It installs itself as a service so that it runs each time you start your PC.
The service name is usually bProtector with the description "Your browser protector service".
It may also create a scheduled task that runs once every minute to start this service if it has stopped.
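The install-path layout, component file names and service name listed above can be checked offline against an inventory collected from a host. The following hunting helper is an added example, not part of the original write-up or any Microsoft tooling; the sample paths and services it runs over are constructed, and the `C:\ProgramData` base stands in for `<commonappdata>`.

```python
"""Offline hunt for the Win32/Rotbrow artifacts listed above (added example)."""
import re

# Indicators from the write-up: install folder names under <commonappdata>,
# the component file names, the service name/description and the folder GUID.
FOLDERS = {"bitguard", "browserdefender", "browserprotect"}
FILES = {"bitguard.exe", "browserprotect.exe", "bitguard.dll", "browserprotect.dll",
         "bprotector.xpi", "browserprotect.crx", "browsemngr.crx"}
SERVICE_NAME = "bprotector"
SERVICE_DESC = "your browser protector service"
GUID = "{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}"

# <base>\<folder>\<a.b.c.d>\{guid}[\<file>] -- the layout of every path on the page
PATH_RE = re.compile(
    r"^.+?\\(?P<folder>[^\\]+)\\(?P<version>\d+(?:\.\d+){3})\\"
    r"(?P<guid>\{[0-9a-f-]{36}\})(?:\\(?P<file>[^\\]+))?$", re.IGNORECASE)

def classify_path(path: str):
    """Return a reason if the path matches the Rotbrow layout or a known component, else None."""
    m = PATH_RE.match(path.strip())
    if m and m.group("folder").lower() in FOLDERS and m.group("guid").lower() == GUID:
        return f"install folder {m.group('folder')}\\{m.group('version')}"
    name = path.strip().rsplit("\\", 1)[-1].lower()
    if name in FILES:
        return f"component file {name}"
    return None

def classify_service(name: str, description: str = ""):
    """Return a reason if the service name or description matches Rotbrow's, else None."""
    if name.strip().lower() == SERVICE_NAME:
        return f"service name {name.strip()}"
    if description.strip().lower() == SERVICE_DESC:
        return f"service description matches ({name.strip()})"
    return None

def hunt(paths, services):
    """Collect (artifact, reason) findings; an empty list means nothing matched."""
    findings = [(p, r) for p in paths if (r := classify_path(p))]
    findings += [(n, r) for n, d in services if (r := classify_service(n, d))]
    return findings

# Constructed sample inventory (not real telemetry), with one benign entry per list.
SAMPLE_PATHS = [
    r"C:\ProgramData\BitGuard\2.6.1673.238\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BitGuard.exe",
    r"C:\ProgramData\Microsoft\Windows\Caches\cversions.1.db",
    r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\extensions\bprotector.xpi",
]
SAMPLE_SERVICES = [("bProtector", "Your browser protector service"), ("Spooler", "Print Spooler")]

if __name__ == "__main__":
    for artifact, reason in hunt(SAMPLE_PATHS, SAMPLE_SERVICES):
        print(f"{reason}: {artifact}")
```

Feed it the real file list and service table from a host (for example the output of a directory walk and a service enumeration) in place of the constructed samples; the path matcher is deliberately keyed on the folder name plus GUID so that a version bump alone does not evade it.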
Payload
Installs other files, including malware
Many instances of the main Win32/Rotbrow executable contain another executable in an encrypted resource, which they decrypt to the %TEMP% folder, for example %TEMP%\setup_fsu_cid.exe.
The trojan then runs setup_fsu_cid.exe, which is an installer for a program called FileScout.
In many cases, this installer also contains Win32/Sefnit, which it installs silently alongside FileScout.
Analysis by Hamish O'Dea
Symptoms
Alerts from your security software may be the only symptom.
Last update 26 October 2013