Dr. Web, an IT security solution vendor, has discovered a new Trojan for Windows systems called Trojan.Mutabaha.1. The Trojan is aimed at misleading users by installing fake Chrome browsers, and it is also able to replace advertisements on the web pages they browse.
The Trojan, which is capable of bypassing the Windows protection system User Account Control (UAC), was first published on 15 August; three days later it was found in Doctor Web's laboratory and named Trojan.Mutabaha.1.
The technique this Trojan uses to launch the malware relies on the system registry branch, which contains the characteristic line with the project's name:
F:\project\C++Project\installer_chrome\out\Release\setup_online_without_uac.pdb
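A path ending in .pdb is a debug-file path that the linker normally records in a Windows executable's CodeView ("RSDS") debug entry, so the line above can serve as a file indicator when triaging suspicious installers. The Python below is an added example, not code from Dr. Web or from the original article; the function names, the length bound and the constructed sample bytes are assumptions for illustration.

```python
import re
import struct
import sys

# Indicator quoted in the article: the PDB path left in the Trojan's build.
MUTABAHA_PDB = r"F:\project\C++Project\installer_chrome\out\Release\setup_online_without_uac.pdb"
MAX_PATH_BYTES = 520  # sanity bound; an assumption, not a PE format limit

def extract_pdb_paths(data):
    """Return PDB paths from CodeView 'RSDS' records found in raw bytes."""
    paths = []
    for match in re.finditer(rb"RSDS", data):
        # Record layout: 'RSDS' (4) + GUID (16) + age (4) + NUL-terminated path
        start = match.start() + 24
        end = data.find(b"\x00", start)
        if end == -1 or not 0 < end - start <= MAX_PATH_BYTES:
            continue  # truncated record or implausible path length
        raw = data[start:end]
        if raw.lower().endswith(b".pdb"):
            paths.append(raw.decode("utf-8", errors="replace"))
    return paths

def matches_indicator(data, indicator=MUTABAHA_PDB):
    """True if any embedded PDB path equals the indicator (case-insensitive)."""
    return any(p.lower() == indicator.lower() for p in extract_pdb_paths(data))

def build_sample(pdb_path):
    """Constructed input: filler bytes around one RSDS record, not a real PE."""
    record = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode() + b"\x00"
    return b"MZ" + bytes(62) + record + bytes(32)

if __name__ == "__main__":
    # Scan every file named on the command line and report its PDB paths.
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            blob = fh.read()
        verdict = "MATCH" if matches_indicator(blob) else "no match"
        print(name, verdict, extract_pdb_paths(blob))
```

A PDB path is trivially changed or stripped in a rebuild, so a match is strong evidence but the absence of one proves nothing.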
This is how the Windows Trojan installs the fake Chrome browsers.
The malware dropper first saves the installer to disk and runs a BAT file and the installer simultaneously. The installer then connects to the command and control server and receives a configuration file, which contains the address for downloading the browser.
After the browser is downloaded, it registers itself in the Windows system registry during installation and creates tasks in Windows Task Manager to load and install updates. The browser is named Outfire and is a special build of Google Chrome. Outfire also modifies the installed Google Chrome browser by copying the current Chrome user account information into the new browser, and it creates new shortcuts or even removes them.
Finally, Trojan.Mutabaha.1 searches for the fake browsers, building each name from a combination of values taken from two glossaries, which amounts to a total of 56 variants. On finding such a browser, it kills that browser's processes by modifying records in the Windows system registry and removing the record from the Task Manager.
Once the installation completes successfully, the home page of the browser cannot be modified in the browser's settings. The fake browser also uses its own search engine, which can later be changed in the application settings, and it can replace advertisements on web pages using a fixed extension, reports Dr. Web.
The Windows Trojan.Mutabaha.1 program was successfully discovered and removed by Dr. Web specialists, and it came as a huge sigh of relief that the malicious program has been disarmed and no longer poses a threat.