In addition to preventing the virus definition update, the Trojan redirects the user to fake banking websites.
A new malware created in Brazil is trying to prevent the Internet browsers from accessing the websites of various Anti-Virus companies and redirects the Internet users to fake banking websites, even when typing the correct address. In addition to that, the code was written to prevent the Antivirus software to download updates.
Fabio Assolini, analyst at Kaspersky Lab explains that the virus uses a technique called Man in the Browser (MitB). This type of infection works by changing/modifying the key “AutoConfigURL” in the Windows registry, making the browser to use the URL as a proxy (intermediate) in its web connection.
If the infected user attempts to access a Web site to download some antivirus software or its updates, then he’ll see the following message: “Service Temporarily Unavailable, try again later …”.
The viral code provides a list of servers used by Anti-Virus companies to distribute their virus definition updates to users. The intention is clear: stop trying to download antivirus updates and remain un-detected,” explains the analyst.
The malware changes the settings of Firefox and registers itself at windows startup. It also updates the malicious proxies in the system incase it is removed by the hosting services. “Thus, the criminal tries to ensure that the victim remain infected as long as possible.”