BrowserModifier:Win32/Fotomoto.B is present as a Web Browser Helper Object (BHO) and may download unwanted software.
Installation
Win32/Fotomoto.B uses a social engineering tactic, such as referencing a Ukrainian musical band named "Fotomoto", to lure users into installing unwanted BHO components that download popup advertisements from various sources.
The installer for Win32/Fotomoto.B may be hosted on remote sites, for example
< IP address >/adzgalore/multi/278.exe
Once installed, Win32/Fotomoto.B may connect to the web site 'adgalore.biz' to send information relative to the success or failure of the installation.
During installation, the installer may drop the following files:
The installer may modify the registry to execute the dropped DLL whenever Internet Explorer is launched.
Adds value: (default)
With data: "adzgalore"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}
Adds value: (default)
With data: "<system folder>\nsp4.dll"
To subkey: HKLM\SOFTWARE\Classes\CLSID\{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}\InProcServer32
The registry may be modified to stop the BHO from being loaded within the Windows shell Explorer process (it is then loaded only by Internet Explorer).
Adds value: "NoExplorer"
With data: ""
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}
The installer may add an entry to the "Add or remove programs" list in the Control Panel by making the following registry modification:
Adds value: "DisplayName"
With data: "browser optimizer adzgalore"
To subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\adzgalore
The installer may also make the following registry modification, which effectively disables the Protected Mode warnings associated with downloading and executing programs:
Adds value: "NoProtectedModeBanner"
With data: "1"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
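The registry changes listed above can be checked for in a `reg export` of an affected machine. The following is an added example (not part of this analysis) that parses a constructed `.reg` fragment containing those entries and reports which of the three indicators are present; the `C:\Windows\System32` path and the DWORD type of `NoProtectedModeBanner` are assumptions, since the analysis only gives `<system folder>` and the data "1".

```python
# Constructed sample in `reg export` format; key names and values follow the
# analysis above, the system folder path and the DWORD type are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}]
@="adzgalore"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}\InProcServer32]
@="C:\\Windows\\System32\\nsp4.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}]
"NoExplorer"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"NoProtectedModeBanner"=dword:00000001
'''

FOTOMOTO_CLSID = "{1fb3254c-5b2b-cacb-e4f0-cd7de3601ff1}"  # CLSID from the analysis


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (REG_SZ and DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            else:  # quoted string; .reg files double backslashes
                data = data.strip('"').replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(text):
    """Return (indicator, detail) pairs for the registry changes this BHO makes."""
    findings = []
    for key, values in parse_reg(text).items():
        lower = key.lower()
        if "browser helper objects" in lower and FOTOMOTO_CLSID in lower:
            findings.append(("bho_registered", key))
        if lower.endswith("\\inprocserver32") and FOTOMOTO_CLSID in lower:
            findings.append(("inproc_dll", values.get("(default)")))
        if lower.endswith("internet explorer\\main") and \
                values.get("NoProtectedModeBanner") in (1, "1"):
            findings.append(("protected_mode_banner_disabled", key))
    return findings
```

Run `find_indicators` over `reg export` output of the HKLM\SOFTWARE\Classes\CLSID, Browser Helper Objects and HKCU Internet Explorer\Main keys; an empty list means none of the three changes is present.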
Additional Information
Internet Explorer 7 and Protected Mode
By default, Internet Explorer 7 in Windows Vista runs in isolation from other applications in the operating system. Users must give their explicit consent for software to be able to write to any folder beyond the temporary Internet files folder (<systemdrive>\Windows\Temp\Temporary Internet Files\).
Analysis by Wei Li