
BrowserModifier:Win32/Diplugem


First posted on 31 August 2015.
Source: Microsoft

Aliases:

There are no other names known for BrowserModifier:Win32/Diplugem.

Explanation:

Threat behavior

Installation

This threat can create the following files on your PC:

  • \\.exe, for example \8e57610c-745e-de5b-8e57-7610c7458431\sound forge Audio studio 10.0 keygen.exe
  • \\.dat, for example \8e57610c-745e-de5b-8e57-7610c7458431\sound forge Audio studio 10.0 keygen.dat
  • %ProgramData% \\.dat, for example %ProgramData%\Avira Browser Safety\Avira Browser Safety.dat
  • %ProgramData% \\.dll, for example %ProgramData%\CutThePrice\dnwbF9wuEopox8.dll
  • %ProgramData% \\.tlb, for example %ProgramData%\CutThePrice\dnwbF9wuEopox8.tlb
  • %ProgramData% \\.exe, for example %ProgramData%\CCuttThEPrice\CCuttThEPrice.exe
  • %ProgramData% \\.x64.dll, for example %ProgramData%\dnwbF9wuEopox8.x64.dll


The application name is usually related to discounts, sales, and advertisement blocking. For example, we have seen this threat use the following application names:

  • AllSaver
  • CutThePrice
  • PriceChop
  • SaverExtension
  • UniSales
  • YouTubeAdBlocker


It can also use misspelled versions of the above names, for example AlllSSavEr or SaverExtEonsiioon. We have also seen random application names, or names that imitate legitimate applications, such as:

  • 8y1ONHho1IokJE
  • Attachment Icons for Gmail
  • dnwbF9wuEopox8
  • Enforceware
  • LiveWire
  • WebTop Quick login tool


We have seen this threat create the following registry entries:

In subkey: HKCU\Software\WebApp\Styles
sets value: MaxScriptStatements
with data: dword:ffffffff

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
sets value: (Default)
with data: "ITinyJSObject"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
sets value: (Default)
with data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
sets value: (Default)
with data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

In subkey: HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
sets value: Version
with data: "1.0"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
sets value: (Default)
with data: "JSIELib"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32
sets value: (Default)
with data: "%TEMP%\\temp\.exe", for example "%TEMP%\E8aC3A04e199\temp\sound forge Audio studio 10.0 keygen.exe"

In subkey: HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
sets value: (Default)
with data: "0"

It creates the following scheduled task to run a copy of the malware:



Alternatively, it can add the following startup link:

  • \.lnk, for example \sound forge Audio studio 10.0 keygen.lnk


Behavior

Shows you online advertisements

This threat can inject additional advertisements into your web search results, for example:

In Bing:



In Google:



It can also show you extra advertisements as you browse the web, for example:





Installs a browser extension

This threat can install web browser extensions without asking for your consent. In Internet Explorer it also limits your ability to disable or remove the added browser extension. Below are examples of the extensions added by this threat:

Internet Explorer:



Google Chrome:



It creates uninstaller entries for the added browser extensions. It sets the installation date to one year in the past. An example is shown below:



Modifies Google Chrome component files

We have also seen variants of this BrowserModifier modify the Chrome component file chrome.dll so that it loads the file GoogleUpdateHelper.dll. This file installs and updates Google Chrome extensions and is itself detected as BrowserModifier:Win32/Diplugem.

It then disables Google Chrome updates so that the modified component file is not restored or replaced by a newer version.



Analysis by James Dee

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these entries or keys in your registry:


In subkey: HKEY_CURRENT_USER\Software\WebApp\Styles
sets value: MaxScriptStatements
with data: dword:ffffffff

In subkey: HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
sets value: (Default)
with data: "ITinyJSObject"

In subkey: HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32
sets value: (Default)
with data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
sets value: (Default)
with data: "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

In subkey: HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib
sets value: Version
with data: "1.0"

In subkey: HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0
sets value: (Default)
with data: "JSIELib"

In subkey: HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32
sets value: (Default)
with data: "%TEMP%\\temp\.exe", for example "%TEMP%\E8aC3A04e199\temp\sound forge Audio studio 10.0 keygen.exe"

In subkey: HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS
sets value: (Default)
with data: "0"
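A small triage script, added here as an example and not part of the Microsoft write-up, that checks an exported registry file (for example the output of `reg export HKCU\Software hkcu.reg`) for the Diplugem indicators listed above. The embedded export is a constructed sample, not data from a real machine; it contains two of the three indicators plus an unrelated key.

```python
# Diplugem registry indicators from the write-up: (subkey, value name, expected data).
# "@" is how a .reg export spells the (Default) value.
DIPLUGEM_REG_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\WebApp\Styles", "MaxScriptStatements", "dword:ffffffff"),
    (r"HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}",
     "@", '"ITinyJSObject"'),
    (r"HKEY_CURRENT_USER\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0",
     "@", '"JSIELib"'),
]


def parse_reg_export(text):
    """Parse the simple subset of .reg syntax: [key] headers followed by name=data lines.
    Returns {key_lowercase: {value_name: raw_data}}. Multi-line hex values are not joined."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry keys are case-insensitive
            entries.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = name.strip().strip('"')            # '"Name"' -> 'Name', '@' stays '@'
        entries[current][name] = data.strip()
    return entries


def find_diplugem_indicators(reg_text):
    """Return the (subkey, value name) pairs whose data matches the Diplugem indicators."""
    entries = parse_reg_export(reg_text)
    hits = []
    for key, name, expected in DIPLUGEM_REG_INDICATORS:
        data = entries.get(key.lower(), {}).get(name)
        if data is not None and data.lower() == expected.lower():
            hits.append((key, name))
    return hits


# Constructed sample export (not from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\WebApp\Styles]
"MaxScriptStatements"=dword:ffffffff

[HKEY_CURRENT_USER\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
@="ITinyJSObject"

[HKEY_CURRENT_USER\Software\Example\Unrelated]
"Setting"="value"
"""

if __name__ == "__main__":
    for key, name in find_diplugem_indicators(SAMPLE_EXPORT):
        print(f"Diplugem indicator present: {key} -> {name}")
```

`reg export` writes UTF-16 LE text, so open a real export with `encoding="utf-16"` before passing it to `find_diplugem_indicators`. A hit on MaxScriptStatements alone is weaker evidence than the interface or type library GUIDs, which are specific to this threat.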

Last update 31 August 2015
