Your browser is obsolete!

The page may not load correctly.

Free trial
Dr.Web for Android

Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Call us

+7 (495) 789-45-86

Forum
Profile

Back to news

Dangerous Trojan substitutes web pages

May 7, 2013

Specialists from the Russian anti-virus company Doctor Web have studied one of the most widespread threats in April 2013, the Trojan Trojan.Mods.1, formerly known as Trojan.Redirect.140. According to statistics compiled by the curing utility Dr.Web CureIt!, the number of infections with this Trojan represent 3.07% of the total number of detected threats. A summary of the study can be found below.

The Trojan has two components: the dropper and the dynamic link library which stores the payload. During installation, the dropper creates a copy of itself in one of the folders on the hard drive and runs itself for execution. In Microsoft Windows Vista, the dropper can be launched as a Java update that requires user confirmation to bypass User Accounts Control.

screen

Then the dropper saves on the hard drive the main library which injects its code into all running processes on the infected computer but operates only in the processes of the following browsers: Microsoft Internet Explorer, Mozilla Firefox, Opera, Safari, Google Chrome, Chromium, Mail.Ru Internet, Yandex.Browser, and Rambler Nichrome. The configuration file containing all the data needed to run Trojan.Mods.1 is encrypted and stored in the dynamic linking library.

Trojan.Mods.1 is chiefly designed to replace web pages visited by users with malicious web pages by intercepting the system functions responsible for translating DNS names to IP addresses. As a result, instead of the sites they have requested, users are redirected to fraudulent pages where they are asked to enter a mobile phone number and reply to an SMS sent from the short number 4012. If they comply, a certain amount will be debited from their account.

screen

The architecture of Trojan.Mods.1 contains a special algorithm that allows redirection to a certain group of addresses to be disabled.

The signature of this threat has been added to the Dr.Web virus database, so Trojan.Mods.1 does not pose a serious threat to systems protected by Doctor Web products.

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2017

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040