Recently, 360 Security Center discovered a type of actively spreading Trojan “BrowserHijackerDriver” that infected a hundred thousand of computers in two days. The Trojan disguises itself as utility softwares and media players. It is highly recommended to download softwares from the official websites instead of unknown sources.

Analysis

While user downloads and installs the disguised media player, the Trojan file is released. The path of the Trojan is:
%userprofile%\appdata\local\temp\8617386\ic-0.b2cbe292914f58.exe
The file information is:

The Trojan will run REG first to avoid the uploading of the malicious software report.
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f

And then write a service file.
C:\Program Files\Y2YyOTU5ZTMwZmViZ\MjBkZWY.exe

Run SC command to create the service:
create OTU5YTkwNjAzMz binPath= “rundll32.exe C:\Windows\ditwabiaqskrksxp.ditha IGfZlJ” start= auto

The Trojan file releases a driver to the driver folder \windows\system32\drivers\YWQ3OWIyMjFjNzh.sys and uses system command to create a driver system group PNP_TDI.
create YWQ3OWIyMjFjNzh binpath= system32\drivers\YWQ3OWIyMjFjNzh.sys DisplayName= YWQ3OWIyMjFjNzh type= kernel start= system group= PNP_TDI

The driver information is:

The driver is modified from an open source code and contains a signature technologieboussac.com. It interacts with Internet devices by creating a variety of device names.

The device names are:

The Trojan uploads the driver to the Internet devices and modifies the Internet packages.

It pops up advertisements while user browsing the Internet.

Reminder

Recently, we have found that a lot of Trojans are actively spreading in the wild. We strongly recommend users to enable antivirus software while installing new applications. Users are also recommended to run virus scan with 360 Total Security to avoid falling victim to Trojans.