JS/ExtenBro.FBook [Threat Name]
JS/ExtenBro.FBook.AS [Threat Variant Name]
Category | trojan |
Size | 217088 B |
Aliases | Trojan.Win32.Antavmu.abcm (Kaspersky), Trojan:Win32/Kilim.G (Microsoft) |
Short description
The trojan is a malicious Google Chrome extension/plugin. It can show advertisements.
Installation
When executed, the trojan copies itself into the following location:
- %localappdata%\Google\Chrome\User Data\Default\Extensions\kfnnmlhdpbehgecmnpkgjolhjmaboeed\FlashPlugin.exe
The following files are dropped:
- %localappdata%\Google\Chrome\User Data\Default\Preferences
- %localappdata%\Google\Chrome\User Data\Default\Extensions\kfnnmlhdpbehgecmnpkgjolhjmaboeed\manifest.json
- %localappdata%\Google\Chrome\User Data\Default\Extensions\kfnnmlhdpbehgecmnpkgjolhjmaboeed\background.js
The trojan attempts to delete the following file:
- %programfiles%\Google\Update\GoogleUpdate.exe
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Chromium" = "%userprofile%\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfnnmlhdpbehgecmnpkgjolhjmaboeed\FlashPlugin.exe"
The following Registry entries are created:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
- "LastKey" = "My Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
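The installation artifacts listed above can be checked on a Windows host with a read-only PowerShell triage script. This is an added example, not part of the vendor's description; it inspects only the current user's Default Chrome profile. Flagging any .exe under any extension directory, and the rule for the missing updater, are assumptions that go beyond the single extension ID listed here.

```powershell
# Added triage example: reports findings only, changes nothing on the host.
$extId   = 'kfnnmlhdpbehgecmnpkgjolhjmaboeed'   # extension ID from this description
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. The extension directory named in this description.
$extDir = Join-Path $extRoot $extId
if (Test-Path -LiteralPath $extDir) { Add-Finding 'ExtensionDir' $extDir }

# 2. Assumption: an extension consists of JS/HTML/JSON, so a .exe stored
#    anywhere under Extensions (such as FlashPlugin.exe) deserves review.
if (Test-Path -LiteralPath $extRoot) {
    Get-ChildItem -Path $extRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' } |
        ForEach-Object { Add-Finding 'ExeInExtension' $_.FullName }
}

# 3. Run values that start a program from inside Chrome's Extensions tree.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)   # REG_EXPAND_SZ is expanded
        if ($value -match '\\Google\\Chrome\\User Data\\.+\\Extensions\\') {
            Add-Finding 'RunKey' ('{0} = {1}' -f $name, $value.Trim())
        }
    }
}

# 4. Assumption: a Google\Update directory without GoogleUpdate.exe suggests
#    the updater was deleted. Both Program Files roots are checked.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    $updater = Join-Path $root 'Google\Update\GoogleUpdate.exe'
    if ((Test-Path -LiteralPath (Split-Path $updater)) -and
        -not (Test-Path -LiteralPath $updater)) {
        Add-Finding 'UpdaterMissing' $updater
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No artifacts from this description found for the current user.' }
```

The Regedit "LastKey" value is left out of the script because regedit itself writes it whenever a user last browsed to that key, so on its own it is a weak indicator.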
Other information
The trojan interferes with communication when any of the following sites is accessed:
- www.facebook.com
It can show advertisements. The trojan may redirect the user to the attacker's web sites.