Yesterday while doing my usual malware analysis, I discovered a new Youndoo.com browser hijacker being pushed by malware downloaders. It comes from the same authors as the original YesSearches malware, which became extremely popular along with its younger Hohosearch brother.
This malware uses the ShellExecuteHooks method to load the youndoo.com address as soon as you start your browser.
During installation, the malware creates the following registry keys, which enable it to use this technique:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnableShellExecuteHooks"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6710C780-E20E-4C49-A87D-321850ED3D7C}"=""
It also creates a randomly named .dll file inside the C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies folder that performs this hijack.
When you try to start Google Chrome or Firefox, it launches them with these command-line arguments:
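As an added example (not code from the original post), here is a small Python triage script that parses a regedit export and flags the ShellExecuteHooks configuration described above: the EnableShellExecuteHooks policy value, any CLSIDs registered as hooks, and, where the export also contains the CLSID's InprocServer32 entry, the DLL it resolves to and whether that DLL lives in the Cookies folder. The sample export is constructed; the CLSID is the one quoted above, while the InprocServer32 entry and the DLL file name are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a regedit 5.00 export shaped like the keys quoted in the post.
# The CLSID is the one from the post; the InprocServer32 key and the DLL name are
# hypothetical (regedit doubles backslashes inside string data, hence the \\).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnableShellExecuteHooks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6710C780-E20E-4C49-A87D-321850ED3D7C}"=""

[HKEY_CLASSES_ROOT\CLSID\{6710C780-E20E-4C49-A87D-321850ED3D7C}\InprocServer32]
@="C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\kqzt7f1.dll"
"ThreadingModel"="Apartment"
"""

# Constructed clean export: hooks key present but empty, policy not set.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"""

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
# Folder the post names as the drop location (matched case-insensitively as a substring).
SUSPICIOUS_DIR = "\\appdata\\roaming\\microsoft\\windows\\cookies\\"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal regedit-export parser: {key path (lowercased): {value name: raw data}}.
    The default value of a key is stored under the name '@'."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        if current is None:
            continue
        name, sep, data = line.partition("=")
        if not sep:
            continue
        current["@" if name == "@" else name.strip('"')] = data
    return keys


def reg_string(raw: str) -> str:
    """Decode REG_SZ data: strip quotes and undo regedit's \\ and \" escaping."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    return raw


def reg_dword(raw: str) -> Optional[int]:
    """Decode 'dword:00000001' style data; None if the data is not a DWORD."""
    return int(raw[6:], 16) if re.match(r"dword:[0-9a-fA-F]{1,8}$", raw) else None


def shell_execute_hook_findings(text: str) -> List[Dict[str, object]]:
    """One finding per CLSID registered under ShellExecuteHooks, with the policy state
    and the hook DLL resolved through the CLSID's InprocServer32 default value."""
    keys = parse_reg(text)
    policy = reg_dword(keys.get(POLICY_KEY.lower(), {}).get("EnableShellExecuteHooks", ""))
    findings: List[Dict[str, object]] = []
    for clsid in keys.get(HOOKS_KEY.lower(), {}):
        dll = ""
        # Exports may list the class under HKCR or under HKLM\SOFTWARE\Classes.
        for hive in ("hkey_classes_root", "hkey_local_machine\\software\\classes"):
            server = keys.get(f"{hive}\\clsid\\{clsid.lower()}\\inprocserver32", {})
            if "@" in server:
                dll = reg_string(server["@"])
                break
        findings.append({
            "clsid": clsid,
            "policy_enabled": policy == 1,
            "dll": dll or None,
            "dll_in_cookies_dir": SUSPICIOUS_DIR in dll.lower(),
        })
    return findings


if __name__ == "__main__":
    for f in shell_execute_hook_findings(SAMPLE_REG):
        print(f)
```

Run it against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks hooks.reg` plus the policy and CLSID keys) and treat any hook whose DLL resolves into a per-user folder such as Cookies as worth pulling for analysis; legitimate hooks live in program directories.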
C:\Program Files\Mozilla Firefox\firefox.exe
-profile
C:\Users\admin\AppData\Roaming\Profiles\yzzfdyu4.default
http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp
C:\Program Files\Google\Chrome\Application\chrome.exe
--user-data-dir=C:\Users\admin\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp
As you can see, it uses the previously created fake profiles to start your browsers with youndoo.com as the start page. All of this ensures the hijack survives even after you manually reset your homepage.
The Firefox hijack is even more interesting. They create two fake profiles.
The second folder is used to start Firefox, while the first folder is used for a different kind of hijack. Every Firefox installation has a profiles.ini file inside the C:\Users\username\AppData\Roaming\Mozilla\Firefox folder. A normal file looks like this:
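As an added example (not from the original post), the following Python function turns the launch pattern above into a detection rule for process-creation logs: a browser started with an explicit profile directory (`-profile` for Firefox, `--user-data-dir` for Chrome) that is not under the browser's normal profile location, combined with a URL passed on the command line. It generalizes beyond youndoo.com, flagging any URL in that combination while still reporting the known host separately. The argument lists are constructed from the ones quoted above; the "expected" profile locations are assumptions about a default Windows install.

```python
import ntpath
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed from the argument lists in the post (one list element per argument).
FIREFOX_ARGS = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    "-profile",
    r"C:\Users\admin\AppData\Roaming\Profiles\yzzfdyu4.default",
    "http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp",
]
CHROME_ARGS = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"--user-data-dir=C:\Users\admin\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108",
    "http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp",
]

# Assumed default profile roots (case-insensitive substring match against the argument).
EXPECTED_PROFILE_DIRS = {
    "firefox.exe": "\\appdata\\roaming\\mozilla\\firefox\\profiles\\",
    "chrome.exe": "\\appdata\\local\\google\\chrome\\user data",
}
KNOWN_HIJACK_HOSTS = {"youndoo.com", "www.youndoo.com"}


def analyse_launch(argv: List[str]) -> Dict[str, object]:
    """Inspect one browser command line (argv[0] = image path) for the hijack pattern."""
    exe = ntpath.basename(argv[0]).lower()
    profile: Optional[str] = None
    urls: List[str] = []
    i = 1
    while i < len(argv):
        arg, low = argv[i], argv[i].lower()
        if exe == "firefox.exe" and low in ("-profile", "--profile") and i + 1 < len(argv):
            profile = argv[i + 1]
            i += 2
            continue
        if exe == "chrome.exe" and low.startswith("--user-data-dir="):
            profile = arg.split("=", 1)[1]
        elif exe == "chrome.exe" and low == "--user-data-dir" and i + 1 < len(argv):
            profile = argv[i + 1]
            i += 2
            continue
        elif low.startswith(("http://", "https://")):
            urls.append(arg)
        i += 1

    expected = EXPECTED_PROFILE_DIRS.get(exe)
    unusual_profile = profile is not None and expected is not None and expected not in profile.lower()
    known = [u for u in urls if (urlsplit(u).hostname or "").lower() in KNOWN_HIJACK_HOSTS]
    return {
        "exe": exe,
        "profile": profile,
        "unusual_profile_dir": unusual_profile,
        "urls": urls,
        "known_hijack_urls": known,
        # A non-standard profile plus a URL on the command line is the pattern described
        # in the post, whichever host is being pushed.
        "suspicious": unusual_profile and bool(urls),
    }


if __name__ == "__main__":
    for argv in (FIREFOX_ARGS, CHROME_ARGS):
        print(analyse_launch(argv))
```

Feed it the command line from a process-creation event (for example Sysmon event 1 or a 4688 with command-line auditing) whose image is a browser; the `suspicious` flag is the alert, and `profile` gives the folder to collect.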
[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/4v91wrx7.default
Default=1
This malware changes it so that when you start Firefox, it uses the fake profile from the first folder:
[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/168z21qq.default
[Profile1]
Name=Firefox Default
IsRelative=1
Path=../../Profiles/n0dj6uo3.default
Default=1
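As an added example (not from the original post), here is a Python audit of profiles.ini that resolves each profile's Path against the Firefox directory and flags the two things visible in the modified file above: a relative Path that climbs out of the Mozilla\Firefox folder with `..`, and a profile (especially the Default=1 one) that resolves outside Mozilla\Firefox\Profiles. The two ini texts are constructed from the clean and modified files shown in the post; the Firefox directory path is an assumption.

```python
import configparser
import posixpath
from typing import Dict, List

# Assumed location of profiles.ini (forward slashes so the path logic runs anywhere).
FIREFOX_DIR = "C:/Users/username/AppData/Roaming/Mozilla/Firefox"

# Constructed from the post: the hijacked profiles.ini.
HIJACKED_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/168z21qq.default

[Profile1]
Name=Firefox Default
IsRelative=1
Path=../../Profiles/n0dj6uo3.default
Default=1
"""

# Constructed from the post: a normal profiles.ini.
CLEAN_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/4v91wrx7.default
Default=1
"""


def audit_profiles_ini(text: str, firefox_dir: str = FIREFOX_DIR) -> List[Dict[str, object]]:
    """Return one record per [ProfileN] section with the resolved directory and
    a list of reasons it looks tampered with (empty list = nothing suspicious)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles_root = (firefox_dir.rstrip("/") + "/Profiles/").lower()
    findings: List[Dict[str, object]] = []
    for section in cp.sections():
        if not section.lower().startswith("profile"):
            continue  # [General] and newer [Install...] sections carry no Path
        path = cp.get(section, "Path", fallback="").replace("\\", "/")
        relative = cp.get(section, "IsRelative", fallback="1") == "1"
        resolved = posixpath.normpath(posixpath.join(firefox_dir, path)) if relative else path
        reasons: List[str] = []
        if relative and ".." in path.split("/"):
            reasons.append("relative Path climbs out of the Firefox directory")
        if not resolved.lower().startswith(profiles_root):
            reasons.append("profile directory is outside Mozilla/Firefox/Profiles")
        findings.append({
            "section": section,
            "name": cp.get(section, "Name", fallback=""),
            "path": path,
            "resolved": resolved,
            "default": cp.get(section, "Default", fallback="0") == "1",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for record in audit_profiles_ini(HIJACKED_INI):
        print(record)
```

Note the limit of a path-only check: Profile0 in the hijacked file points inside Profiles/ like a genuine entry and is only recognisable as fake by comparing it with the profile directories the user actually created (for example by creation time), so treat the `reasons` list as the high-confidence signal and the full record as the starting point for that comparison. An absolute profile (IsRelative=0) outside Profiles/ can be legitimate and will also be listed, so review rather than auto-remediate those.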
