
New Trojan fakes search results

January 15, 2013

Russian anti-virus company Doctor Web is warning users about a malicious program dubbed BackDoor.Finder which fakes search result pages and redirects browsers to bogus websites.

When launched on an infected system, BackDoor.Finder creates a copy of itself in the current user's %APPDATA% folder and adds a corresponding entry to the branch of the Windows registry responsible for application startup. It then injects its code into all running processes. If the injection succeeds in an Internet Explorer, Mozilla Firefox, Maxthon, Chrome, Safari, Mozilla, Opera, Netscape or Avant process, the malware intercepts the Winsock routines WSPSend, WSPRecv and WSPCloseSocket.

BackDoor.Finder then generates up to 20 control server domain names and sends encrypted queries to each server, one after another. When a user of an infected machine attempts to search the Web via google.com, yahoo.com, bing.com, ask.com, search.aol.com, search.icq.com, search.xxx, www.wiki.com, yandex.com or www.alexa.com, the query is forwarded to a malicious control server, which returns a configuration file containing a list of URLs to which the browser will be redirected. As a result, instead of a genuine search results page, the user sees a list of sites chosen by the criminals.
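The run of generated control-server lookups described above leaves a visible trace in resolver logs: one client querying a burst of distinct, never-seen domains within seconds. The script below is an added example (not Doctor Web's code and not the malware's actual generation routine) that flags such bursts; the log format, allowlist, window, threshold and sample lines are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resolver log, format assumed: "<ISO time> <client IP> <query name>".
# Client 10.0.0.7 mimics the article's description: generated C&C names queried in a row.
SAMPLE_LOG = """\
2013-01-15T10:00:01 10.0.0.5 www.google.com
2013-01-15T10:00:03 10.0.0.5 www.yahoo.com
2013-01-15T10:00:05 10.0.0.7 kq3hd7zp.com
2013-01-15T10:00:06 10.0.0.7 x9vb2tqa.net
2013-01-15T10:00:06 10.0.0.7 p0lmw4re.com
2013-01-15T10:00:07 10.0.0.7 zr7tc2kv.org
2013-01-15T10:00:08 10.0.0.7 b5nq8xjd.com
2013-01-15T10:00:09 10.0.0.7 m2wfk6ty.net
2013-01-15T10:00:09 10.0.0.7 www.bing.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")
ALLOWLIST = {"google.com", "yahoo.com", "bing.com"}  # constructed; replace with your own baseline

def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the sample, use a PSL library in production."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def find_dga_bursts(log_text: str, window_s: int = 60, threshold: int = 6) -> dict:
    """Return client -> sorted distinct unknown domains for clients exceeding the threshold."""
    recent = defaultdict(deque)  # client -> (timestamp, domain) pairs inside the sliding window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the whole scan
        ts_text, client, qname = m.groups()
        dom = registered_domain(qname)
        if dom in ALLOWLIST:
            continue  # known-good domains never count towards the burst
        ts = datetime.fromisoformat(ts_text)
        q = recent[client]
        q.append((ts, dom))
        while ts - q[0][0] > timedelta(seconds=window_s):
            q.popleft()  # slide the window forward; the newest entry always stays
        distinct = sorted({d for _, d in q})
        if len(distinct) >= threshold:
            flagged[client] = distinct  # keeps the largest set seen so far for this client
    return flagged

if __name__ == "__main__":
    for client, doms in find_dga_bursts(SAMPLE_LOG).items():
        print(f"{client}: {len(doms)} distinct unknown domains within 60s: {doms}")
```

Tune the window and threshold against your own resolver traffic; a fresh allowlist built from a clean baseline period is what keeps ordinary browsing out of the result.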

[Map: geographic distribution of BackDoor.Finder infections across U.S. states]

Doctor Web's analysts worked out the routine BackDoor.Finder uses to generate command server names and registered several of those names as decoy servers to gather more information about the malware. It turned out that the malware is most widespread in the U.S., where Kansas is the undisputed leader, followed by New Jersey; Ohio and Alabama share third place. The smallest number of BackDoor.Finder infections was recorded in Utah and Michigan.

This malicious program has been added to the Dr.Web virus databases and poses no danger to machines running Doctor Web anti-virus products.
