Youndoo.com using ShellExecuteHooks to hijack your browsers

Yesterday, while doing my usual malware analysis, I discovered a new Youndoo.com browser hijacker being pushed by malware downloaders. It comes from the same authors as the original YesSearches malware, which became extremely popular along with its younger Hohosearch brother.

This malware uses the ShellExecuteHooks method to load the youndoo.com address as soon as you start your browser.

During installation, the malware creates the following registry keys, which enable this technique (the policy value turns the hook mechanism on, and the CLSID entry registers the hook that Explorer loads):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnableShellExecuteHooks"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6710C780-E20E-4C49-A87D-321850ED3D7C}"=""

They also create a randomly named .dll file inside the C:\Users\username\AppData\Roaming\Microsoft\Windows\Cookies folder; this DLL is the registered hook that performs the hijack.

When you try to start Google Chrome or Firefox, the hook relaunches them with these command-line arguments:

C:\Program Files\Mozilla Firefox\firefox.exe
-profile
C:\Users\admin\AppData\Roaming\Profiles\yzzfdyu4.default
http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp

C:\Program Files\Google\Chrome\Application\chrome.exe
--user-data-dir=C:\Users\admin\AppData\Local\3810282D-6C19-47B0-8283-5C6C29A7E108
http://www.youndoo.com/?z=2357d6c127eec6a3dc76789gaz1q1q7ecqcmbw6bbb&from=wak&uid=531364863_198339_4E6C236A&type=hp

As you can see, they use the previously created fake profiles to start your browsers with the youndoo.com start page. This is done to ensure the hijack survives even after you manually reset your homepage, because the hijacked settings live in a profile directory you would not normally look at.

The Firefox hijack is even more interesting: they create two fake profiles.

They use the second folder to start Firefox from the command line shown above, while the first folder is used for a different kind of hijack. Every Firefox installation has a profiles.ini file inside the C:\Users\username\AppData\Roaming\Mozilla\Firefox folder. The content of a normal file looks like this:

[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/4v91wrx7.default
Default=1

The malware modifies it so that, when you start Firefox, it uses the fake profile from the first folder:

[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/168z21qq.default

[Profile1]
Name=Firefox Default
IsRelative=1
Path=../../Profiles/n0dj6uo3.default
Default=1

The full path of that Default=1 entry is C:\Users\username\AppData\Roaming\Profiles\n0dj6uo3.default; note the ../../ in the Path, which points outside the normal Mozilla\Firefox\Profiles directory.
They also install the GsearchFinder Firefox extension under each of the two fake profiles.
Our latest build is capable of removing this browser hijack. Save yourself the hassle and install Zemana AntiMalware.