Windows 10 Activator.exe Browser Virus

Hello,

A friend of mine called me begging for help with his/her computer, which was infected with a virus.

I downloaded a file named "Windows 10 Activator.exe", but it infected me with a virus. I got rid of most of the files (YeaDesktop etc.), but my browser homepage and browser shortcuts keep changing. How is that possible?

For example, the default chrome.exe shortcut is:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

But the virus changes it to:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\MYUSER~1\AppData\Local\kemgadeojglibflomicgnfeopkdfflnk" http://qtipr.com/

Also for Firefox, the default shortcut is:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

But the virus-infected shortcut becomes:
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" http://qtipr.com/

As soon as we discovered the "developer mode" Chrome extension (the unpacked extension that the --load-extension argument above loads), we deleted the extension folder and removed it from the browser. But the shortcut kept changing (luckily no extension was loaded afterwards). Sometimes the URL added to the shortcuts changed as well, which is interesting (so some dynamic code or remotely fetched parameter is involved here).

Finally we found out that a different kind of approach was used in writing these viruses (or malware, I should say). There aren't any files responsible for updating the shortcut links; it is a VBScript stored in WMI.

Malwarebytes info about this method: https://blog.malwarebytes.com/cybercrime/2016/10/explained-wmi-hijackers/

I also should note that the VBScript is inserted into WMI via the "hp.exe" file in the first place (I think). The file is categorised as "BrowserModifier:Win32/Heazycrome" and most antivirus tools detect it automatically (unless you turned your protection off). The installer is located in a Temp dir such as C:\Users\myusername\AppData\Local\Temp\00027667\hp.exe, and the file timestamp was 2017-04-11 07:13 PM (19:13) in our case.

These viruses are like the flu; they change every day. So there might be different filenames on your affected system. Also, if you know the infection date/time, you can search for it on your computer via File Explorer. Here is a sample query string (this is the time of the virus installation): date:>=2017-04-11 19:11:00<=2017-04-11 19:15:00

I don't want to write the whole VBScript here, for obvious reasons, but if you are interested, here is a nice blog post below:

For our case, the VBScript contained 2 main code blocks.

A: The first one fetches the URL to be added to the browser shortcuts:

xmlHttp.open "GET", "http://bbtbfr.pw/GetHPHost?"&Timer()

If you curl this location, you'll get the advertisement URL to be appended:

$ curl -vki bbtbfr.pw/GetHPHost/ && echo
*   Trying 162.251.92.5...
* Connected to bbtbfr.pw (162.251.92.5) port 80 (#0)
> GET /GetHPHost/ HTTP/1.1
> Host: bbtbfr.pw
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK  
HTTP/1.1 200 OK  
< Content-Type: text/html  
Content-Type: text/html  
< Last-Modified: Tue, 07 Feb 2017 12:56:05 GMT  
Last-Modified: Tue, 07 Feb 2017 12:56:05 GMT  
< Accept-Ranges: bytes  
Accept-Ranges: bytes  
< ETag: "12d828b4181d21:0"  
ETag: "12d828b4181d21:0"  
< Server: Microsoft-IIS/7.5  
Server: Microsoft-IIS/7.5  
< X-Powered-By: ASP.NET  
X-Powered-By: ASP.NET  
< Date: Wed, 12 Apr 2017 09:13:31 GMT  
Date: Wed, 12 Apr 2017 09:13:31 GMT  
< Content-Length: 17  
Content-Length: 17

<  
* Connection #0 to host bbtbfr.pw left intact
http://qtipr.com/  
$

Also Google these domains; they seem to be quite notorious:
- search:"bbtbfr.pw"
- search:"qtipr.com"

B: In the script, there is also a list of locations to scan for browser shortcuts (opera.exe, chrome.exe, firefox.exe, etc.):

FoldersDic(0) = "C:\Users\Public\Desktop"  
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"  
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"  
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"  
FoldersDic(4) = "C:\Users\myusername\Desktop"  
FoldersDic(5) = "C:\Users\myusername\AppData\Roaming\Microsoft\Windows\Start Menu"  
FoldersDic(6) = "C:\Users\myusername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"  
FoldersDic(7) = "C:\Users\myusername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"  
FoldersDic(8) = "C:\Users\myusername\AppData\Roaming"  
FoldersDic(9) = "C:\Users\myusername\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"  
FoldersDic(10) = "C:\Users\myusername\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"  
FoldersDic(11) = "C:\Users\myusername\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"  
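As an added example (this is not code from the original post, and it is not the malware's script), here is a Windows PowerShell audit that walks the same folder list as FoldersDic above and reports any browser shortcut whose Arguments field carries a --load-extension parameter or a URL, which is exactly the modification shown in the chrome.exe and firefox.exe shortcuts earlier. The hard-coded "myusername" entries are replaced with $env:USERPROFILE and $env:APPDATA (an assumption about where the current user's profile lives); the browser executable list and the regex are mine. Note that, as the post describes, cleaning the shortcuts while the WMI consumer is still present only buys you a few minutes; remove the subscription first and then run the cleanup.

```powershell
# Added example, not from the original post: audit browser shortcuts in the
# folders the malware scans and flag injected arguments.
$folders = @(
    "C:\Users\Public\Desktop",
    "C:\ProgramData\Microsoft\Windows\Start Menu",
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs",
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Desktop",                       # assumption: current user's profile
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

# Browser executables whose shortcuts normally carry no arguments at all.
$browsers = 'chrome.exe', 'firefox.exe', 'opera.exe', 'iexplore.exe', 'msedge.exe'
$shell    = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $exe = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLower()
            if ($browsers -contains $exe -and $lnk.Arguments.Trim() -ne '') {
                [pscustomobject]@{
                    Shortcut   = $_.FullName
                    Target     = $lnk.TargetPath
                    Arguments  = $lnk.Arguments
                    # --load-extension=... or a bare URL is the pattern seen in the post
                    Suspicious = [bool]($lnk.Arguments -match '--load-extension=|https?://')
                }
            }
        }
}

$findings | Format-Table -AutoSize -Wrap

# Cleanup: strip the injected arguments from flagged shortcuts.
# Run this only after the WMI subscription has been removed, otherwise the
# ActiveScriptEventConsumer will simply rewrite them again.
foreach ($f in ($findings | Where-Object Suspicious)) {
    $lnk = $shell.CreateShortcut($f.Shortcut)
    $lnk.Arguments = ''
    $lnk.Save()
    "Cleaned: $($f.Shortcut)"
}
```

Run it from a normal (non-elevated) session first to see what it finds; writing to the Public Desktop and ProgramData Start Menu entries needs an elevated prompt. The LiteralPath switches matter because some of these folder names contain characters that PowerShell would otherwise treat as wildcards.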

In our example, this script was located in ROOT\subscription:ActiveScriptEventConsumer, but yours could be different. The best way is to use WMI Explorer and search under the root\subscription path.

If you find and delete this script via the wbemtest tool and then fix the browser bookmarks, you should be safe. Here are the cleanup details:
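As an added example (again, not from the original post), the same inventory and removal can be done from an elevated Windows PowerShell 5.1 session instead of wbemtest or WMI Explorer. A permanent WMI subscription has three parts: an __EventFilter (the WQL query that fires, typically a timer or a process-start event), a consumer (here an ActiveScriptEventConsumer holding the VBScript text), and a __FilterToConsumerBinding tying them together. The listing below prints all three so you can spot the script, and Remove-WmiScriptConsumer removes a consumer by name together with its binding and any filter that is no longer referenced. The consumer name passed at the end is a placeholder; use the name that appears in your own listing. Get-WmiObject is used rather than the CIM cmdlets because it returns the Filter and Consumer reference paths as plain strings, which makes the matching simple.

```powershell
# Added example, not from the original post: inventory and removal of a
# permanent WMI event subscription in root\subscription.
$ns = 'root\subscription'

function Get-WmiSubscriptionInventory {
    [pscustomobject]@{
        Filters   = Get-WmiObject -Namespace $ns -Class __EventFilter |
                    Select-Object Name, Query
        Consumers = Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer |
                    Select-Object Name, ScriptingEngine, ScriptFileName,
                        @{ n = 'ScriptPreview'; e = {
                            # first 200 chars of the embedded script, whitespace collapsed
                            $t = ($_.ScriptText -replace '\s+', ' ')
                            if ($t) { $t.Substring(0, [Math]::Min(200, $t.Length)) } } }
        Bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
                    Select-Object Filter, Consumer
    }
}

function Remove-WmiScriptConsumer {
    param([Parameter(Mandatory)][string]$ConsumerName)

    $escaped = [regex]::Escape($ConsumerName)

    # 1. Bindings that point at this consumer. The Consumer property is a path
    #    string such as  ActiveScriptEventConsumer.Name="<name>"
    $bindings = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
                Where-Object { $_.Consumer -match "ActiveScriptEventConsumer.*Name=`"$escaped`"" }
    $filterPaths = @($bindings | ForEach-Object { $_.Filter })
    $bindings | Remove-WmiObject

    # 2. The consumer itself (this is the object that holds the VBScript).
    Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -Filter "Name='$ConsumerName'" |
        Remove-WmiObject

    # 3. Filters that were only used by the bindings just removed.
    foreach ($fp in $filterPaths) {
        if ($fp -match 'Name="([^"]+)"') {
            $fname = $Matches[1]
            $stillBound = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
                          Where-Object { $_.Filter -match "Name=`"$([regex]::Escape($fname))`"" }
            if (-not $stillBound) {
                Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$fname'" |
                    Remove-WmiObject
            }
        }
    }
}

$inv = Get-WmiSubscriptionInventory
'== Event filters (what triggers the consumer) =='; $inv.Filters   | Format-List
'== Script consumers (the VBScript payload) ==';    $inv.Consumers | Format-List
'== Bindings (filter -> consumer) ==';              $inv.Bindings  | Format-List

# After reviewing the listing above, remove the malicious consumer by name:
# Remove-WmiScriptConsumer -ConsumerName 'PLACEHOLDER_CONSUMER_NAME'
```

On a clean workstation the three lists are usually empty (some management agents register legitimate subscriptions, so check the Query and ScriptPreview before deleting). For ongoing detection rather than one-off cleanup, Sysmon logs new filters, consumers and bindings as Event IDs 19, 20 and 21, and the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions as Event ID 5861, which gives you a place to alert on this persistence technique before the shortcuts start changing.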

The link explains the "Yeabests.cc"-related virus, but I think the up-to-date Windows Activator is packed with a variant of that virus.

Hope this helps someone (:
