BrowserModifier:Win32/DefaultTab
First posted on 23 December 2014.
Source: Microsoft
Aliases:
There are no other names known for BrowserModifier:Win32/DefaultTab.
Explanation:
Threat behavior
Installation
This unwanted software can create files on your PC, including:
- %ProgramFiles%\DefaultTab
- %APPDATA%\Roaming\DefaultTab
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\<profile>.default\extensions\addon@defaulttab.com.xpi
- \GroupPolicy\User\Registry.pol
- %ALLUSERSPROFILE%\ntuser.pol
During installation you might see the following messages (screenshots not reproduced on this page).
It can also make various registry changes during its installation, including:
- HKLM\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}
- HKLM\SOFTWARE\Classes\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}
- HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
- HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
- HKLM\SOFTWARE\Default Tab
- HKLM\SOFTWARE\DefaultTab
- HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
- HKLM\SYSTEM\CurrentControlSet\services\DefaultTabSearch
- HKLM\SYSTEM\CurrentControlSet\services\DefaultTabUpdate
Payload
Redirects your web browser
This unwanted software redirects your web searches to www.mysearchresults.com (screenshot not reproduced on this page).
Stops you from changing your browser settings
This software can prevent you from disabling it through your web browser extension menu. The option to disable the extension can be greyed out (screenshot not reproduced on this page).
Connects to a remote host
We have seen this threat connect to the following remote hosts to download the software update file update.json:
- updates2.defaulttab.com using port 80
- api.defaulttab.com using port 80
Analysis by Michael Johnson
Symptoms
The following can indicate that you have this threat on your PC:
You see these files:
- %ProgramFiles%\DefaultTab
- %APPDATA%\Roaming\DefaultTab
- %APPDATA%\Roaming\Mozilla\Firefox\Profiles\<profile>.default\extensions\addon@defaulttab.com.xpi
- \GroupPolicy\User\Registry.pol
- %ALLUSERSPROFILE%\ntuser.pol
You see registry modifications such as:
- HKLM\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}
- HKLM\SOFTWARE\Classes\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}
- HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser
- HKLM\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX
- HKLM\SOFTWARE\Default Tab
- HKLM\SOFTWARE\DefaultTab
- HKLM\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}
- HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab
- HKLM\SYSTEM\CurrentControlSet\services\DefaultTabSearch
- HKLM\SYSTEM\CurrentControlSet\services\DefaultTabUpdate
Your default web browser search has changed (screenshot not reproduced on this page).
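The following PowerShell script is an added example, not part of the Microsoft write-up, that turns the symptoms listed above into a read-only host check: it tests for each registry key, file path, Firefox profile extension and Windows service named on this page, and looks for the two update hosts in the local DNS client cache. The function name `Test-DefaultTabIndicators` and the output shape are this example's own; it assumes a standard Windows profile layout, where `%APPDATA%` already expands to `...\AppData\Roaming`, so both the write-up's literal `\Roaming\DefaultTab` spelling and the plain `%APPDATA%\DefaultTab` path are checked.

```powershell
# Added example: read-only check for the BrowserModifier:Win32/DefaultTab
# indicators listed in the write-up. Run from an elevated prompt; nothing is
# modified or removed. Names here are the example's own, not Microsoft's.

function Test-DefaultTabIndicators {
    [CmdletBinding()]
    param()

    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result($Category, $Indicator, $Present) {
        $results.Add([pscustomobject]@{
            Category  = $Category
            Indicator = $Indicator
            Present   = [bool]$Present
        })
    }

    # Registry keys taken verbatim from the write-up (HKLM: drive syntax).
    # -LiteralPath avoids wildcard interpretation of the CLSID braces.
    $registryKeys = @(
        'HKLM:\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}',
        'HKLM:\SOFTWARE\Classes\CLSID\{A1E28287-1A31-4b0f-8D05-AA8C465D3C5A}',
        'HKLM:\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowser',
        'HKLM:\SOFTWARE\Classes\DefaultTabBHO.DefaultTabBrowserActiveX',
        'HKLM:\SOFTWARE\Default Tab',
        'HKLM:\SOFTWARE\DefaultTab',
        'HKLM:\SOFTWARE\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2D33ED6-EBBD-467C-BF6F-F175D9B51363}',
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BAD84EE2-624D-4e7c-A8BB-41EFD720FD77}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7F6AFBF1-E065-4627-A2FD-810366367D01}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7F6AFBF1-E065-4627-A2FD-810366367D01}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefaultTab',
        'HKLM:\SYSTEM\CurrentControlSet\services\DefaultTabSearch',
        'HKLM:\SYSTEM\CurrentControlSet\services\DefaultTabUpdate'
    )
    foreach ($key in $registryKeys) {
        Add-Result 'Registry' $key (Test-Path -LiteralPath $key)
    }

    # File-system paths from the write-up. Assumption: %APPDATA% already
    # points at ...\AppData\Roaming, so the plain form is checked as well.
    $filePaths = @(
        (Join-Path $env:ProgramFiles 'DefaultTab'),
        (Join-Path $env:APPDATA 'DefaultTab'),
        (Join-Path $env:APPDATA 'Roaming\DefaultTab'),
        (Join-Path $env:ALLUSERSPROFILE 'ntuser.pol')
    )
    foreach ($path in $filePaths) {
        Add-Result 'File' $path (Test-Path -LiteralPath $path)
    }

    # Firefox add-on: the profile directory name varies, so every profile
    # under the Profiles folder is checked for the .xpi named in the write-up.
    $profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path -LiteralPath $profileRoot) {
        foreach ($profile in Get-ChildItem -LiteralPath $profileRoot -Directory) {
            $xpi = Join-Path $profile.FullName 'extensions\addon@defaulttab.com.xpi'
            Add-Result 'File' $xpi (Test-Path -LiteralPath $xpi)
        }
    }

    # Services registered by the installer.
    foreach ($svc in 'DefaultTabSearch', 'DefaultTabUpdate') {
        $found = Get-Service -Name $svc -ErrorAction SilentlyContinue
        Add-Result 'Service' $svc ($null -ne $found)
    }

    # Update hosts: a cached DNS answer for the defaulttab.com domain shows
    # the update check has run recently (Get-DnsClientCache needs Windows 8+).
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $hits = Get-DnsClientCache -ErrorAction SilentlyContinue |
            Where-Object { $_.Entry -like '*defaulttab.com' }
        Add-Result 'DNS cache' 'updates2.defaulttab.com / api.defaulttab.com' ($null -ne $hits)
    }

    return $results
}

# Usage: list only the indicators that were actually found on this host.
Test-DefaultTabIndicators | Where-Object Present | Format-Table -AutoSize
```

Two caveats when reading the output. `Registry.pol` and `ntuser.pol` are ordinary Group Policy artifacts, which is why the script does not flag them on their own; what matters is that this software uses policy to lock the browser settings it changed, so a hit on the DefaultTab keys together with unexpected policy content is the combination to look for. The `Ext\PreApproved` and `Low Rights\ElevationPolicy` entries are also worth treating as the more telling registry hits: they are the mechanism that lets the Browser Helper Object load in Internet Explorer without an enable prompt and run outside Protected Mode restrictions, and they are the keys most likely to be left behind after a partial uninstall.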
Last update 23 December 2014