Doctor Web discovers Windows Trojan that installs fake Chrome browser

August 29, 2016

Doctor Web’s specialists have examined Trojan.Mutabaha.1, a new Trojan that installs a bogus build of the Google Chrome browser capable of replacing the advertisements on the web pages the victim visits.

The Trojan is notable for bypassing User Account Control (UAC), the Windows mechanism that prompts the user before a program is granted administrator rights. The bypass technique was first described in a blog post on August 15, 2016; just three days later the first sample, subsequently named Trojan.Mutabaha.1, reached Doctor Web’s laboratory. The technique uses a system registry branch to get the malicious program launched with elevated privileges without a UAC prompt. The Trojan binary also contains a characteristic debug (PDB) path string that reveals the project’s name:

F:\project\C++Project\installer_chrome\out\Release\setup_online_without_uac.pdb
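As an added example, not code from Doctor Web’s write-up or from the Trojan, the PowerShell audit below enumerates per-user handler overrides of the kind that registry-based UAC bypasses plant. The article does not name the registry branch the Trojan abuses; the `mscfile` ProgID and the list of high-value ProgIDs are assumptions drawn from the technique publicly described in mid-August 2016, in which eventvwr.exe, an auto-elevating Windows program, opens a handler hijacked under HKCU.

```powershell
# Added example (not code from Doctor Web or from the Trojan): audit the
# current user's HKCU\Software\Classes for per-user shell\<verb>\command
# handlers. When Windows resolves a file type or ProgID it consults
# HKCU\Software\Classes before HKLM\Software\Classes, so a handler planted
# here (writable without admin rights) replaces the machine-wide one; a
# registry-based UAC bypass plants such a handler and then starts an
# auto-elevating Windows program that opens the hijacked type. The article
# does not name the branch Trojan.Mutabaha.1 uses; 'mscfile' below is the
# author's assumption, taken from the technique published in mid-August 2016
# (eventvwr.exe opening .msc files). Run this as the user in question.

# ProgIDs a normal user profile has no reason to redefine (assumed list).
$highValueProgIds = @('mscfile', 'exefile', 'cmdfile', 'batfile', 'Folder', 'Drive')

function Get-UserClassesHandler {
    # Returns every HKCU\Software\Classes\<ProgID>\shell\<verb>\command key
    # with its default value, i.e. the command line Windows would run.
    $base = 'HKCU:\Software\Classes'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $progId = $_.PSChildName
        $shell  = "Registry::$($_.Name)\shell"
        if (-not (Test-Path $shell)) { return }   # most subkeys have no shell branch
        Get-ChildItem -Path $shell -ErrorAction SilentlyContinue | ForEach-Object {
            $cmdKey = "Registry::$($_.Name)\command"
            if (Test-Path $cmdKey) {
                $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
                [pscustomobject]@{
                    ProgId   = $progId
                    Verb     = $_.PSChildName
                    Key      = $cmdKey
                    Command  = $cmd
                    HighRisk = ($highValueProgIds -contains $progId)
                }
            }
        }
    }
}

function Remove-UserClassesHandler {
    # Deletes the per-user ProgID key so the HKLM definition applies again.
    # Removing the whole <ProgID> key is the usual clean-up for a planted
    # hijack; run with -WhatIf first and review the command line it would run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ProgId)
    $key = "HKCU:\Software\Classes\$ProgId"
    if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, 'Remove per-user handler')) {
        Remove-Item -Path $key -Recurse -Force
    }
}

# Usage: list every per-user handler, then dry-run removal of the risky ones.
$findings = Get-UserClassesHandler
$findings | Format-Table ProgId, Verb, HighRisk, Command -AutoSize
$findings | Where-Object { $_.HighRisk } | ForEach-Object {
    Remove-UserClassesHandler -ProgId $_.ProgId -WhatIf
}
```

Because HKCU is writable by the unprivileged user, the audit must run in the victim’s own session, not from an administrator’s profile. The article also says the dropper is accompanied by a BAT file that cleans up after it, so the planted key may already be gone by the time an analyst looks; under the same assumption about the technique, the remaining evidence is then in process telemetry (eventvwr.exe spawning a child other than mmc.exe) rather than in the registry.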

Execution starts with two components launched at the same time: a dropper, which writes an installer to disk and runs it, and a BAT file, which deletes the dropper. The installer then connects to the command-and-control (C&C) server and receives a configuration file that specifies the address from which to download the browser.

The browser, named Outfire, is a special build of Google Chrome. During installation it registers itself in the Windows registry, installs and starts several services, and creates Task Scheduler tasks that download and install its updates. Outfire also tampers with the legitimately installed Google Chrome: it removes or creates shortcuts and copies the current Chrome user profile data into the new browser. Finally, Trojan.Mutabaha.1 looks for competing fake browsers on the system. It generates their names by combining values from two word lists, which yields 56 possible names. For each one it finds, the Trojan first compares that browser’s name with its own (so that it does not delete itself), then kills the browser’s processes, deletes its scheduled tasks, and removes its registry entries.
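The persistence described above (services, scheduled update tasks, altered Chrome shortcuts) is what an analyst would triage on a suspect machine. The PowerShell script below is an added example, not code from Doctor Web’s write-up or from the Trojan: it flags tasks and services whose executable sits outside the directories a legitimate Windows component or Chrome install uses, and Chrome-named shortcuts that do not launch chrome.exe. The trusted roots, the shortcut folders and the `chrome` name match are the author’s assumptions; the article publishes no task, service or path names for Outfire.

```powershell
# Added example (not code from Doctor Web or from the Trojan): triage the
# persistence the article describes for the Outfire build. It lists scheduled
# tasks and services whose executable lives outside the directories a legitimate
# Windows component or Chrome install uses, and Chrome-named shortcuts whose
# target is not chrome.exe. The trusted roots and the 'chrome' name match are
# the author's assumptions; the article publishes no task, service or path
# names for Outfire. Run as the affected user; listing needs no elevation.

$trustedRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:windir,
    "$env:LOCALAPPDATA\Google\Chrome"      # per-user Chrome install location
) | Where-Object { $_ }                    # drop entries unset on 32-bit hosts

function Test-TrustedPath {
    # True when $Path resolves to a file under one of the trusted roots.
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"').Trim())
    if (-not $p) { return $false }
    if ($p -notmatch '[\\/]') {
        # Bare name (e.g. rundll32.exe): resolve it via PATH as Windows would.
        $app = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue |
               Select-Object -First 1
        if (-not $app) { return $false }
        $p = $app.Source
    }
    foreach ($root in $trustedRoots) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SuspiciousTask {
    # Task Scheduler entries (Outfire registers tasks to fetch its updates).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute               # absent for COM-handler actions
            if ($exe -and -not (Test-TrustedPath $exe)) {
                [pscustomobject]@{
                    Kind   = 'Task'
                    Name   = $task.TaskPath + $task.TaskName
                    Target = $exe
                    Detail = $action.Arguments
                }
            }
        }
    }
}

function Get-SuspiciousService {
    # Services whose binary is outside Program Files / Windows.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $pathName = $_.PathName
        if (-not $pathName) { return }
        # Separate the executable from its arguments: quoted path, or first token.
        $exe = if ($pathName.StartsWith('"')) { $pathName.Split('"')[1] } else { $pathName.Split(' ')[0] }
        if (-not (Test-TrustedPath $exe)) {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Target = $exe; Detail = $_.State }
        }
    }
}

function Get-SuspiciousChromeShortcut {
    # Shortcuts named like Chrome that launch something other than chrome.exe
    # (the article says Outfire removes or creates Chrome shortcuts).
    $wsh  = New-Object -ComObject WScript.Shell
    $dirs = @("$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
              "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
              "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
              "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar")
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match 'chrome' } |
        ForEach-Object {
            $target = $wsh.CreateShortcut($_.FullName).TargetPath
            if ($target -notmatch '\\chrome\.exe$' -or -not (Test-TrustedPath $target)) {
                [pscustomobject]@{ Kind = 'Shortcut'; Name = $_.FullName; Target = $target; Detail = '' }
            }
        }
}

# Usage: one table of everything worth a second look.
$findings = @(Get-SuspiciousTask) + @(Get-SuspiciousService) + @(Get-SuspiciousChromeShortcut)
$findings | Format-Table Kind, Name, Target, Detail -AutoSize
```

The path-based rule deliberately does not depend on the name "Outfire": the article says the Trojan generates 56 candidate names for rival fake browsers and removes any it finds, so a name list would be both incomplete and quickly outdated. Anything flagged under a user-writable location such as AppData deserves a look at its signer, its creation time relative to the incident, and whether a copy of the Chrome profile data (the "User Data" directory) sits next to it.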

Once installation is complete, the fake browser displays a home page that cannot be changed in the browser’s settings. It also ships with a fixed extension that replaces the advertisements on browsed web pages, and it sets its own search engine as the default; unlike the home page, the search engine can be changed in the application’s settings.

Dr.Web successfully detects and removes Trojan.Mutabaha.1, so this malicious program poses no threat to our users.

© Doctor Web
2003 — 2017
