ADW_BROWSEFOX

 Modified by: Jimelle Monteser

 ALIASES:

Win32/BrowseFox.I application (NOD32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

However, as of this writing, the said sites are inaccessible.

  TECHNICAL DETAILS

File Size:

239,392 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

02 May 2014

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Autostart Technique

This adware registers its dropped DLL as a COM in-process server (InprocServer32). The DLL is then loaded, without any further user action, into any process that instantiates the following CLSID, which is how the adware achieves automatic execution:

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
InprocServer32
Default = "{malware path}\{malware filename}.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\InprocServer32
Default = "{malware path}\{malware filename}.dll"

Other System Modifications

This adware adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\Classes\
CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
InprocServer32

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
Programmable

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
TypeLib

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
Version

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
ProxyStubClsid

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
ProxyStubClsid32

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
TypeLib

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
ProxyStubClsid

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
ProxyStubClsid32

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
TypeLib

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\0

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\0\win32

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\FLAGS

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\Version

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\TypeLib

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
HELPDIR

It adds the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Default = "{random}"

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Default = "Manager Class"

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
InprocServer32
ThreadingModel = "Apartment"

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
TypeLib
Default = "{random}"

HKEY_CLASSES_ROOT\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\
Version
Default = "1.0"

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Default = "IManager"

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
ProxyStubClsid
Default = "{random}"

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
ProxyStubClsid32
Default = "{random}"

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
TypeLib
Default = "{random}"

HKEY_CLASSES_ROOT\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\
TypeLib
Version = "1.0"

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Default = "IMdt"

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
ProxyStubClsid
Default = "{random}"

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
ProxyStubClsid32
Default = "{random}"

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
TypeLib
Default = "{random}"

HKEY_CLASSES_ROOT\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\
TypeLib
Version = "1.0"

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0
Default = "XTLSLib"

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\0\win32
Default = "{malware path}\{malware filename}.dll"

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\FLAGS
Default = "0"

HKEY_CLASSES_ROOT\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\
1.0\HELPDIR
Default = "{malware path}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Default = "Manager Class"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\TypeLib
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\Version
Default = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Default = "IManager"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\ProxyStubClsid
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\ProxyStubClsid32
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\TypeLib
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Default = "IMdt"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\ProxyStubClsid
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\ProxyStubClsid32
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\TypeLib
Default = "{random}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0
Default = "XTLSLib"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
0\win32
Default = "{malware path}\{malware filename}.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
FLAGS
Default = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}\1.0\
HELPDIR
Default = "{malware path}"

Adware Routine

This adware connects to the following URL(s) to display ads on the affected system:

  • {BLOCKED}i.{BLOCKED}rweb.biz/rs

Other Details

However, as of this writing, the said sites are inaccessible.

NOTES:

It connects to the following Windows Update URLs to fetch the AuthRoot sequence number and a root certificate. This is the standard Windows automatic root certificate update mechanism, triggered whenever the system validates a certificate chain that ends in a root it does not yet hold, so this traffic on its own is not an indicator of compromise:

  • www.download.windowsupdate.com/msdownload/update/v3/static/trusted/en/authrootseq.txt
  • http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5.crt

  SOLUTION

Minimum Scan Engine:

9.700

SSAPI PATTERN File:

1.498.02

SSAPI PATTERN Date:

02 Apr 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as ADW_BROWSEFOX

Step 3

Restart in Safe Mode

Step 4

Delete this registry key

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CLASSES_ROOT\CLSID
    • {1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
  • In HKEY_CLASSES_ROOT\CLSID
    • {5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
  • In HKEY_CLASSES_ROOT\Interface
    • {4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
  • In HKEY_CLASSES_ROOT\Interface
    • {FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
  • In HKEY_CLASSES_ROOT\TypeLib
    • {A2D733A7-73B0-4C6B-B0C7-06A432950B66}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {A2D733A7-73B0-4C6B-B0C7-06A432950B66}

Note: on 64-bit Windows a 32-bit DLL's COM registration is redirected, so the same CLSID, Interface and TypeLib keys may appear under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node (shown as HKEY_CLASSES_ROOT\WOW6432Node in the 64-bit Registry Editor). Check that location as well.

Step 5

Restart in normal mode and scan your computer with your Trend Micro product for files detected as ADW_BROWSEFOX. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
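The registry sweep behind Step 4, as an added example (this script is not from the Trend Micro write-up). It looks for the CLSID, Interface and TypeLib registrations listed under Other System Modifications, reports which DLL each one points to and hashes it if the file is still present, and with -Remove deletes the key trees. It goes beyond the page in two places, both labelled as assumptions in the code: it also checks HKCU\SOFTWARE\Classes (HKEY_CLASSES_ROOT is a merged view of the HKLM and HKCU Classes keys) and HKLM\SOFTWARE\Classes\WOW6432Node (where a 32-bit DLL's registration lands on the 64-bit platforms in the platform list). The file name Sweep-BrowseFox.ps1 is hypothetical. Run it from an elevated prompt while in Safe Mode (Step 3); it needs PowerShell 4 or later for Get-FileHash.

```powershell
# Added example, not Trend Micro code: sweep a host for the ADW_BROWSEFOX COM
# registrations listed in the write-up and optionally delete them (Step 4).
# Usage:  .\Sweep-BrowseFox.ps1            # report only
#         .\Sweep-BrowseFox.ps1 -Remove -WhatIf   # show what would be deleted
#         .\Sweep-BrowseFox.ps1 -Remove    # delete the key trees
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# Indicators taken from the "Other System Modifications" section.
$Indicators = @(
    @{ Kind = 'CLSID';     Id = '{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}' },
    @{ Kind = 'CLSID';     Id = '{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}' },
    @{ Kind = 'Interface'; Id = '{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}' },
    @{ Kind = 'Interface'; Id = '{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}' },
    @{ Kind = 'TypeLib';   Id = '{A2D733A7-73B0-4C6B-B0C7-06A432950B66}' }
)

# The page lists HKCR and HKLM\SOFTWARE\Classes. The other two roots are
# assumptions: WOW6432Node catches a 32-bit DLL registered on 64-bit Windows,
# HKCU catches a per-user registration that HKCR would also show.
$Roots = @(
    'HKLM:\SOFTWARE\Classes',
    'HKLM:\SOFTWARE\Classes\WOW6432Node',
    'HKCU:\SOFTWARE\Classes'
)

$Findings = foreach ($Root in $Roots) {
    foreach ($Ind in $Indicators) {
        $Key = Join-Path $Root "$($Ind.Kind)\$($Ind.Id)"
        if (-not (Test-Path -LiteralPath $Key)) { continue }

        # Resolve the DLL the registration points at: InprocServer32 for the
        # CLSID, 1.0\0\win32 for the type library (both per the write-up).
        $Sub = $null
        switch ($Ind.Kind) {
            'CLSID'   { $Sub = Join-Path $Key 'InprocServer32' }
            'TypeLib' { $Sub = Join-Path $Key '1.0\0\win32' }
        }
        $Dll = $null
        if ($Sub -and (Test-Path -LiteralPath $Sub)) {
            $Dll = (Get-ItemProperty -LiteralPath $Sub -ErrorAction SilentlyContinue).'(default)'
        }

        # Hash the DLL while it is still on disk so the sample can be matched
        # against the detection later, even after quarantine.
        $Exists = $false
        $Hash = $null
        if ($Dll -and (Test-Path -LiteralPath $Dll)) {
            $Exists = $true
            $Hash = (Get-FileHash -LiteralPath $Dll -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Key       = $Key
            Dll       = $Dll
            DllExists = $Exists
            Sha256    = $Hash
        }
    }
}

if (-not $Findings) {
    Write-Host 'No ADW_BROWSEFOX COM registrations found.'
    return
}
$Findings | Format-Table -AutoSize

if ($Remove) {
    # Delete the whole key trees (subkeys such as InprocServer32, TypeLib and
    # Version go with them). The DLL file is deliberately left in place so the
    # Trend Micro scan in Step 5 quarantines it rather than it vanishing.
    foreach ($F in $Findings) {
        if ($PSCmdlet.ShouldProcess($F.Key, 'Remove registry key tree')) {
            Remove-Item -LiteralPath $F.Key -Recurse -Force
        }
    }
}
```

Run the report first and keep the Sha256 column: it ties the on-disk sample to this detection and to the NOD32 alias above. A key whose DLL no longer exists is still worth removing, since a later reinstall that reuses the same CLSID would otherwise find a ready-made registration.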