Windows Trojan that fakes Chrome browser neutralized

Dr. Web, an IT security solution vendor, has discovered a new Trojan for Windows systems called Trojan.Mutabaha.1. The Trojan misleads users by installing fake Chrome browsers, and it can also replace advertisements on the web pages they browse.

The Trojan, which is capable of bypassing the Windows protection system User Account Control (UAC), was first published on 15 August and found in Doctor Web's laboratory, where it was named Trojan.Mutabaha.1 after three days.

The Trojan launches its malicious programs by relying on a system registry branch which contains the characteristic line with the project's name:

F:\project\C++Project\installer_chrome\out\Release\setup_online_without_uac.pdb
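
The PDB path above is the one concrete indicator the article gives. The following added example (not from Dr. Web or the original article) pulls PDB paths out of CodeView RSDS debug records in a file's raw bytes and flags any whose file name matches it; the function names and the sample byte strings are constructed for illustration.

```python
import re
import struct

# PDB file name taken from the path quoted in the article.
PDB_INDICATOR = "setup_online_without_uac.pdb"

# CodeView "RSDS" record: signature, 16-byte GUID, 4-byte age, NUL-terminated path.
RSDS_RE = re.compile(rb"RSDS(.{16})(.{4})([\x20-\x7e]{1,260})\x00", re.DOTALL)


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in CodeView RSDS records in `data`."""
    return [m.group(3).decode("ascii") for m in RSDS_RE.finditer(data)]


def pdb_basename(path: str) -> str:
    """File name of a Windows or POSIX style path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def matches_indicator(data: bytes, indicator: str = PDB_INDICATOR) -> bool:
    """True if any embedded PDB path ends in the indicator file name."""
    return any(pdb_basename(p) == indicator.lower() for p in extract_pdb_paths(data))


def build_sample(pdb_path: str) -> bytes:
    """Constructed test input: filler bytes around one RSDS record (not a real PE)."""
    record = (b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
              + pdb_path.encode("ascii") + b"\x00")
    return b"MZ" + b"\x00" * 64 + record + b"\x00" * 32


if __name__ == "__main__":
    suspicious = build_sample(
        r"F:\project\C++Project\installer_chrome\out\Release\setup_online_without_uac.pdb")
    benign = build_sample(r"C:\build\app\Release\app.pdb")  # constructed benign path
    for name, blob in (("suspicious", suspicious), ("benign", benign)):
        print(name, extract_pdb_paths(blob), matches_indicator(blob))
```

A PDB file name is easy for a malware author to change between builds, so a match is a triage hint rather than a verdict.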

The Windows Trojan installs the fake Chrome browsers as follows.

The malware dropper first saves the installer to disk and simultaneously runs a BAT file along with the installer. The installer then connects to the command and control server and receives a configuration file, which contains the address for downloading the browser.

The downloaded browser, named Outfire, is a special build of Google Chrome. While installing, it registers itself in the Windows system registry and creates tasks in Windows Task Manager to load and install updates. Outfire also modifies the installed Google Chrome browser: it copies the current Chrome user account information into the new browser and creates new shortcuts or even removes them.

Finally, Trojan.Mutabaha.1 searches for the fake browsers, building each name from a combination of values taken from two glossaries, which amounts to a total of 56 variants. On finding such a browser, it kills that browser's processes by modifying records in the Windows system registry and removing the record from the Task Manager.

Once the installation completes successfully, the browser's home page cannot be modified in the browser's settings. The fake browser also uses its own search engine, which can later be changed in the application settings, and it can replace advertisements on web pages with a fixed extension, reports Dr. Web.

Trojan.Mutabaha.1 was successfully discovered and removed by Dr. Web specialists, and it comes as a huge sigh of relief that the malicious program has been disarmed and no longer poses a threat.

Mahit Huilgol has been using Windows on Mobile since the Windows 6. Ever since then I have been following Microsoft developments from close quarters and love writing about it. Eagerly waiting for the time when Windows Phone will be the most preferred OS in the World.