
BrowserModifier:Win32/Xeelyak


First posted on 06 October 2017.
Source: Microsoft

Aliases:

There are no other names known for BrowserModifier:Win32/Xeelyak.

Explanation:

Installation

This threat is usually installed through bundlers and other unwanted software like BrowserModifier:Win32/Sasquor and BrowserModifier:Win32/Suptab.

It usually calls itself as 'Yet Another Cleaner' when installed in your PC.



Prevalent variants of this browser modifier usually install themselves in %PROGRAM_FILES%. They install as an internet browser toolbar or search provider:

%PROGRAM_FILES%\v9Soft (v9Soft is the browser toolbar/search extension installed)

Later variants install themselves as a security tool in infected systems:

%PROGRAM_FILES%\Elex-tech

Added files

When installed, this threat adds the following files:

%PROGRAM_FILES%\v9Soft\v9sof.exe
%PROGRAM_FILES%\Google\Chrome\User Data\Default\Extensions\serach.crx
%PROGRAM_FILES%\Google\Chrome\User Data\Default\Extensions\v9-toolbar.crx
%DESKTOPDIRECTORY%\Internet Explorer.lnk
%SYSTEM%\v9-toolbar.dll
%SYSTEM%\v9loader.dll
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\Depth clean up junk files.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\uninstall.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\YAC Desktop.lnk
%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC\YAC.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Depth clean up junk files.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\YAC Desktop.lnk
%AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\YAC.lnk

Added directories

The added files are installed in the following directories:

%ProgramData%\Microsoft\Windows\Start Menu\Programs\YAC
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\YAC
%TEMP%\iSafeRightKeyScan

Added registry keys

It also adds the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Elex-tech\YAC



Payload

Drops modified Internet Explorer link

This threat drops a modified Internet Explorer shortcut (.lnk) that points to its affiliate websites.

Modifies default homepage

This threat also changes the default homepage without your consent by adding the following registry entry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: Default_Page_URL
With data: "www..com/sof/sof_1506913787_429407"





Adds browser extension and toolbars

This threat also adds Google Chrome extensions without your consent (the serach.crx and v9-toolbar.crx files listed under Added files).




It also adds browser extensions and search providers for Internet Explorer by adding the following registry entries:



In subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Sets value: URL
With data: "http://www..com.br/cse?q={searchTerms}&cx=partner-pub-&tbm=&ie=UTF-8#gsc.tab=0&gsc.q={searchTerms}"

In subkey: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Sets value: DisplayName
With data: "v9"







Disables Browser Security Settings


This threat also disables the Phishing Filter on old versions of Internet Explorer by setting the following registry entry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\PhishingFilter
Sets value: EnabledV9
With data: DWORD:00000000
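An added triage check, not part of the Microsoft write-up, that a defender can run on a suspect host to look for the installation and registry artifacts listed above (vendor directories and DLLs, the Elex-tech key, the Default_Page_URL change, the v9 SearchScope and the EnabledV9 setting). The $env:* variables stand in for the %PROGRAM_FILES%, %SYSTEM%, %ProgramData% and %TEMP% placeholders, the /sof/sof_ path pattern is taken from the Default_Page_URL data shown above, and checking both 32- and 64-bit locations is an assumption, since the page does not state the installer's bitness.

```powershell
# Added example, not part of the Microsoft write-up: a read-only triage check for the
# Xeelyak / "Yet Another Cleaner" artifacts listed on this page. It reports findings
# and changes nothing. $env:* values stand in for the %PROGRAM_FILES%, %SYSTEM%,
# %ProgramData% and %TEMP% placeholders; both 32- and 64-bit locations are checked
# (an assumption, since the page does not say which bitness the installer targets).

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installation footprint: vendor directories, loader DLLs, temp scan dir, vendor key
$paths = @()
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
    $paths += (Join-Path $root 'v9Soft'), (Join-Path $root 'Elex-tech')
}
foreach ($sys in @('System32', 'SysWOW64')) {
    $paths += (Join-Path $env:SystemRoot "$sys\v9-toolbar.dll"), (Join-Path $env:SystemRoot "$sys\v9loader.dll")
}
$paths += (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\YAC'),
          (Join-Path $env:TEMP 'iSafeRightKeyScan')
foreach ($p in $paths | Sort-Object -Unique) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Present: $p") }
}
if (Test-Path 'HKLM:\SOFTWARE\Elex-tech\YAC') { $findings.Add('Registry key: HKLM\SOFTWARE\Elex-tech\YAC') }

# 2. Homepage hijack: Default_Page_URL rewritten to the affiliate redirector
#    (the /sof/sof_<digits>_<digits> path pattern comes from the data shown on the page)
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main.Default_Page_URL -match '/sof/sof_\d+_\d+') {
    $findings.Add("Default_Page_URL hijacked: $($main.Default_Page_URL)")
}

# 3. Search provider: the v9 SearchScope GUID, or any scope whose DisplayName is "v9"
Get-ChildItem 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes' -ErrorAction SilentlyContinue |
  ForEach-Object {
    $s = Get-ItemProperty $_.PSPath
    if ($_.PSChildName -eq '{33BB0A4E-99AF-4226-BDF6-49120163DE86}' -or $s.DisplayName -eq 'v9') {
        $findings.Add("Search scope $($_.PSChildName): DisplayName='$($s.DisplayName)' URL=$($s.URL)")
    }
  }

# 4. Phishing Filter disabled: EnabledV9 set to DWORD 0
$pf = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter' -ErrorAction SilentlyContinue
if ($null -ne $pf -and $pf.EnabledV9 -eq 0) { $findings.Add('PhishingFilter EnabledV9 = 0 (filter disabled)') }

if ($findings.Count -eq 0) { 'No Xeelyak indicators found.' } else { $findings }
```

The HKCU checks cover only the user running the script; for other profiles, inspect the matching HKU\<SID> subkeys or load that user's NTUSER.DAT hive first.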



Additional information


Displays misleading security information

Aside from the setting changes that this threat makes without your consent, Yet Another Cleaner is also known for displaying misleading security information and annoying pop-up windows.





Analysis by Zarestel Ferrer

Last update 06 October 2017
