
BrowserModifier:Win32/DefaultTab


First posted on 15 February 2019.
Source: Microsoft

Aliases:

BrowserModifier:Win32/DefaultTab is also known as Trojan.ADH.2, Adware.Plugin.48, DefaultTab.

Explanation:

Installation

This unwanted software can create files on your PC, including:

%ProgramFiles%\DefaultTab
%APPDATA%\Roaming\DefaultTab
%APPDATA%\Roaming\Mozilla\Firefox\Profiles\.default\extensions\addon@defaulttab.com.xpi
GroupPolicy\User\Registry.pol
%ALLUSERSPROFILE%\ntuser.pol

It can also make various registry changes during its installation, including:

HKLM\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}
HKLM\SOFTWARE\Classes\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}
HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
HKLM\SOFTWARE\Default Tab
HKLM\SOFTWARE\DefaultTab
HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
HKLM\SYSTEM\CurrentControlSet\services\DefaultTabSearch
HKLM\SYSTEM\CurrentControlSet\services\DefaultTabUpdate

During installation you might see the following messages (installer screenshots in the original entry, not reproduced here).

Payload

Redirects your web browser

This unwanted software redirects your web searches to www.mysearchresults.com (screenshot in the original entry, not reproduced here).

Stops you from changing your browser settings

This software can prevent you from disabling it through your web browser extension menu. The option to disable the extension can be greyed out (screenshot in the original entry, not reproduced here).

Connects to a remote host

We have seen this threat connect to the following remote hosts to download the software update file update.json:

api.defaulttab.com using port 80
updates2.defaulttab.com using port 80
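The following is an added example, not part of the Microsoft write-up: a read-only PowerShell check that looks for the registry keys and files this entry lists, so a responder can confirm or rule out the installation on a host. It assumes the standard local Group Policy location for Registry.pol (the entry gives only the GroupPolicy\User\Registry.pol suffix) and also checks the WOW6432Node view for the HKLM\SOFTWARE keys.

```powershell
# Added example (not from the Microsoft write-up): read-only check for the
# DefaultTab artifacts listed in this entry. Run elevated so HKLM is readable.
$findings = New-Object System.Collections.Generic.List[string]

# Registry keys taken verbatim from the "Installation" section above.
$regKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}',
    'HKLM:\SOFTWARE\Classes\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}',
    'HKLM:\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser',
    'HKLM:\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX',
    'HKLM:\SOFTWARE\Default Tab',
    'HKLM:\SOFTWARE\DefaultTab',
    'HKLM:\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab',
    'HKLM:\SYSTEM\CurrentControlSet\Services\DefaultTabSearch',
    'HKLM:\SYSTEM\CurrentControlSet\Services\DefaultTabUpdate'
)
# A 32-bit installer on 64-bit Windows writes HKLM\SOFTWARE keys under WOW6432Node; check both views.
$regKeys += $regKeys | Where-Object { $_ -like 'HKLM:\SOFTWARE\*' } |
    ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\' }
foreach ($key in $regKeys) {
    if (Test-Path -LiteralPath $key) { $findings.Add("REG  $key") }
}

# If the BHO class is registered, record the DLL Internet Explorer would load from it.
$inproc = 'HKLM:\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\InprocServer32'
if (Test-Path -LiteralPath $inproc) {
    $findings.Add('BHO  DLL: ' + (Get-ItemProperty -LiteralPath $inproc).'(default)')
}

# File artifacts. %APPDATA% already resolves to the Roaming folder, so the
# "Roaming" component in the entry's paths is not repeated here. The Registry.pol
# location is the standard local Group Policy store (assumed, not given in the entry).
$fileGlobs = @(
    (Join-Path $env:ProgramFiles 'DefaultTab'),
    (Join-Path $env:APPDATA 'DefaultTab'),
    (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\extensions\addon@defaulttab.com.xpi'),
    (Join-Path $env:windir 'System32\GroupPolicy\User\Registry.pol'),
    (Join-Path $env:ALLUSERSPROFILE 'ntuser.pol')
)
foreach ($glob in $fileGlobs) {
    Get-Item -Path $glob -ErrorAction SilentlyContinue | ForEach-Object { $findings.Add("FILE $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No DefaultTab artifacts found.' } else { $findings }
```

The two .pol files are where the browser-policy lockdown that greys out the disable option would be persisted, so a hit on those is worth inspecting even when the other artifacts have already been cleaned up.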

Analysis by Michael Johnson

Last update 15 February 2019
