Search Hijacker Adds Files to Firefox Profile

In September, I posted an item about a dropper which we call Trojan-Dropper-Headshot. This malware delivers everything including the kitchen sink when it infects your system. It has an absolute ton of payloads, any of which on their own constitute a serious problem. All together, they’re a nightmare.

Among the payloads, we’ve seen this monstrosity drop downloaders (Trojan-Agent-TDSS and Trojan-Downloader-Ncahp, aka Bubnix), adware (Virtumonde, Street-Ads, and Sky-banners), keyloggers (Zbot and LDpinch), clickfraud Trojans (Trojan-Clicker-Vesloruki and at least three other generic clickers), and a Rogue AV called Antivir Solution Pro. So this is one nasty beast that has no qualms about using the shotgun approach to malware infections.

But we also noticed that it has added yet another intriguing installer to its panoply of pests: It’s a small executable named seupd.exe (search engine updater?) that makes two minor (but obnoxious) modifications to Firefox. The result of these modifications changes the behavior of Firefox’s search bar, the small box that lets you send queries directly to search engines, located to the right of the Address Bar.

The modifications are not immediately apparent unless you try to search Google for something, using either the Search Box or the Address Bar: Instead of sending your search to Google, the browser submits search queries to one of six different domains not owned by Google, but which appear to use the Google API to provide results — and, presumably, earn a little ad revenue on the side.

The modifications add a file named user.js to the currently logged-in user’s Firefox profile. The presence of a file by this name is not necessarily an indication of an infection, but in this case, the user.js file contains the instructions that tell the browser where it should submit searches when you have Google set as the default engine to use in the Search Bar’s dropdown menu. […]

We remove the components and block the domains and their related IP addresses, but if you’re infected with this thing, it’s easy enough to get rid of manually: Just install Firefox over the top of itself, and the installer will replace the modified files with the originals. If you open up your user.js file and see anything resembling this screenshot, just delete that user.js file. The malware won’t reinfect your machine, so this is the easiest way to clear up the hijack.

Leave a Reply