virus that changes home page

AXEMAN
Avantic Elite
Posts: 1606
Joined: Thu Jan 24, 2008 12:55 am
Windows Version: WIN 7 64 BIT
Avant Version: THE LATEST
IE Version: 9

virus that changes home page

Post by AXEMAN » Fri Mar 18, 2011 10:38 pm

Symantec recently discovered an interesting Trojan horse that changes the home page of Internet Explorer and redirects traffic from certain domains to this page.

Normally this wouldn’t be out of the ordinary, but rather than use their own Trojan code, the malware authors have chosen a different way to build their malicious package. Utilizing a component of KingSoft Internet Security, they have built a package consisting of the KingSoft WebShield browser protection software. The package contains configuration files that are crafted in such a way that allows KingSoft WebShield to perform correctly, but also allows the malware authors to use a real browser protection package instead of customized Trojan code.

The Trojan is packed in an AutoIT package. Specifically, this package consists of the following Kingsoft WebShield and support components:

AXEMAN
Avantic Elite
Posts: 1606
Joined: Thu Jan 24, 2008 12:55 am
Windows Version: WIN 7 64 BIT
Avant Version: THE LATEST
IE Version: 9

Re: virus that changes home page

Post by AXEMAN » Fri Mar 18, 2011 10:41 pm

Part 2: The Trojan is packed in an AutoIT package. Specifically, this package consists of the following Kingsoft WebShield and support components:

•kswbc.dll
•kswebshield.dll
•KSWebShield.exe
•kwssp.dll
•kwsui.dll

All of these files are intact and are digitally signed by "Zhuhai Kingsoft Software Co. Ltd". They are normally distributed as part of a previous version of the Kingsoft Internet Security package, which is designed as an anti-phishing/browser protection software application.

However, the interesting part of this package is in its configuration, which allows an opportunity for malicious intent. Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package.

When the AutoIT package runs, it unpacks the executable and .dll files; puts them in the appropriate folders; and sets up the program service, imitating a normal installation. It then creates the following two configuration files:

•kws.ini
•spitesp.dat

The above configuration files control the home page and redirection domain list, respectively.

The ‘kws.ini’ file is responsible for settings pertaining to locking the current home page and the desired home page URLs. The following is a list of home pages known to be associated with the threat, which are advertisement link farms:

•hxxp://www.91xiaz.com/cn/?
•hxxp://www.ww2221.com
•hxxp://wvw.86819.com/


The ‘spitesp.dat’ file contains configuration details for a list of domains, which get redirected to the URL in the ‘kws.ini’ file in the event that a user tries to access them.

The following is a list of domains known to be redirected by the threat:

•1188.com
•360.com
•365j.com
•7f7f.com
•bbs.360.cn
•go2000.com
•qq.com
•qq5.com

Users are prevented from accessing these Web sites, which are all quite popular in China, as the threat redirects the browser to the pre-determined advertisement home page. Certain Web sites offering help with computer problems are also blocked and redirected (e.g. 360.cn).

Additionally, the threat deletes all Quick Launch icons except Internet Explorer. If Internet Explorer is not present in Quick Launch, a shortcut is created for it. This is possibly an attempt to ensure that a user must use Internet Explorer to browse the Internet as the Kingsoft WebShield package only works in the desired manner for Internet Explorer.

The Trojan also installs itself as an automatic service. Furthermore, as there is no uninstaller for this particular package, removal can prove to be quite challenging.

The Kingsoft WebShield otherwise behaves exactly as it is designed to, which may possibly prevent a user from recognizing that this particular WebShield package has been reconfigured.

These samples are currently detected by Symantec as Trojan Horse.
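A defensive triage sketch for the package described in the post above, added here as an example and not taken from Symantec or the poster: it looks for the listed WebShield files and searches the two configuration files for the hosts named in the write-up. The function names, the verdict labels and the sample file layout are assumptions; the configs are searched as raw text because their format is not given on this page.

```python
import os
import tempfile

# File names and hosts below are the ones listed in the write-up quoted above.
COMPONENTS = {"kswbc.dll", "kswebshield.dll", "kswebshield.exe", "kwssp.dll", "kwsui.dll"}
CONFIGS = {"kws.ini", "spitesp.dat"}
AD_HOSTS = ("www.91xiaz.com", "www.ww2221.com", "wvw.86819.com")
REDIRECTED = ("1188.com", "360.com", "365j.com", "7f7f.com",
              "bbs.360.cn", "go2000.com", "qq.com", "qq5.com")


def triage(root):
    """Walk root; report WebShield files and known hosts found in its configs."""
    report = {"components": set(), "ad_hosts": set(), "redirected": set()}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in COMPONENTS:
                report["components"].add(lower)
            elif lower in CONFIGS:
                # Format is undocumented here: search raw text, tolerating UTF-16 NULs.
                with open(os.path.join(folder, name), "rb") as fh:
                    text = fh.read().replace(b"\x00", b"").decode("utf-8", "replace").lower()
                report["ad_hosts"].update(h for h in AD_HOSTS if h in text)
                report["redirected"].update(d for d in REDIRECTED if d in text)
    # The signed binaries may be a genuine install; the config content decides.
    if report["ad_hosts"]:
        report["verdict"] = "repackaged"   # hypothetical label
    elif report["components"] or report["redirected"]:
        report["verdict"] = "review"       # hypothetical label
    else:
        report["verdict"] = "clean"        # hypothetical label
    return report


def build_sample(root, homepage):
    """Constructed sample tree; the key name and layout are invented for the demo."""
    for name in ("KSWebShield.exe", "kwssp.dll"):
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, "kws.ini"), "w") as fh:
        fh.write("homepage=" + homepage + "\n")
    with open(os.path.join(root, "spitesp.dat"), "w") as fh:
        fh.write("qq.com\nbbs.360.cn\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, "hxxp://www.91xiaz.com/cn/?")
        print(triage(tmp))
```
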

gorgiaa
Newbie
Posts: 1
Joined: Thu Apr 14, 2011 11:54 am
Windows Version: XP
Avant Version: N/A
IE Version: N/A

Re: virus that changes home page

Post by gorgiaa » Thu Apr 14, 2011 12:09 pm

Hello,
Today there are many viruses that have a very adverse effect on the computer or on the browser. A Trojan horse is a really very dangerous virus; not only does it affect many things on computers, it also sends secret information from computers to others. So it is very necessary to use a good anti-virus that can protect your computer from all types of viruses, rootkits, worms, etc.

good luck!!

imayfield
Newbie
Posts: 12
Joined: Wed May 11, 2011 11:12 am
Windows Version: Windows 7
Avant Version: Avant Browser 2011
IE Version: IE 9

Re: virus that changes home page

Post by imayfield » Thu May 12, 2011 1:37 am

I bet this trojan was never meant to do any harm but just to, as was said, gain traffic for the website. Undeniably one of the most effective ways to gain ranks on search engines is to gain traffic for your website, and that is what is achieved with this trojan. Aren't attackers getting sneakier every time?
