
McAfee calls out Lavians for injecting malware into legit software

Cyber security firm McAfee has accused software vendor, Lavians, of injecting malware into legitimate software.

The malware in question is BingVC (no relation to the search engine), which is a browser hijacker that’s typically bundled with freeware or distributed by means of drive-by attacks.

While you might not think that having a weird homepage, random advertising pop-ups infesting your desktop and your browser behaving badly is something to worry about, it is a massive security risk.

For instance, some browser hijackers could prevent users from accessing security websites which they will no doubt visit once they’ve determined their PC is borked. In this particular case of BingVC, a browser will re-direct users to a site flogging a virus removal tool. The irony is not lost on us.

“We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its outreach,” McAfee researcher, Santosh Revankar said on the McAfee blog.

Revankar goes on to explain how the McAfee team examined a DELL Latitude D810 Drivers Utility Setup file that Lavians is distributing. The driver reportedly installs with no problems and doesn’t throw any red flags up during the process.

Combing through the files, Revankar found only one dirty file, IconOverlayEx.dll. When the team tried to uninstall the driver, the malware registered a shell extension handler on the PC, a persistence trick malware uses to survive removal.

Malware flogs itself

It was only after the team uninstalled the driver that problems with the browser started appearing. For starters the home page was completely different to what it should be and it was directing the team to a bizarre webpage.

There was also a link users could click that sends them to FixBrowserRedirect.

Clip art, because nothing says “legitimate” like images from yesteryear. Image by McAfee.

How to remove BingVC

Thankfully, users don’t have to purchase an expensive tool to remove BingVC from their PCs as FixBrowserRedirect (that website is down now by the way) would have them believe.

Removing the malware is as simple as heading to the folder the driver was installed into, which will more than likely be C:\Program Files\DELL Latitude D810 Drivers Utility\, and deleting the files contained within.

Take note of the drivers you installed and replace “DELL Latitude D810 Drivers Utility” with the name of the driver you installed.

Users will also want to be on the lookout for these two registry entries:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\IconOverlayEx\: “{E1773C0E-364D-4210-B831-72F5A359E88F}”
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E1773C0E-364D-4210-B831-72F5A359E88F}: “Icon Overlay Shell Extension”

To find them, copy and paste that text into the Registry Editor’s address bar (regedit; File Explorer won’t navigate registry paths), hit enter and obliterate them.

Finally, you’ll want to right click on every browser shortcut on your PC (including Internet Explorer and Edge), select Properties and make sure that this URL: hxxp://bing.vc/?r=15443&lnk=sct2 (please don’t try and copy and paste this into your browser, that’s just asking for trouble) isn’t in the Target field.

Once that’s done, we recommend updating your anti-virus software and running a scan just to make doubly sure you aren’t still infected.
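The same checks can be scripted so an admin can sweep a fleet of machines instead of clicking through each one. The PowerShell below is an added example, not code from McAfee or the article: it looks for the dropped DLL, the two registry entries and any browser shortcut whose Target field carries the hijack URL, and only removes what it finds when run with -Remove. The install folder name is taken from the article and is assumed; if a different repackaged utility was installed, pass its folder with -InstallDir. The URL host is only matched as a string, never opened.

```powershell
<#
  BingVC indicator check (added example, not McAfee's or the article's code).
  Run from an elevated PowerShell prompt. Reports findings only unless -Remove is given.
  Assumption: the install folder name is the one named in the article; override with -InstallDir.
#>
[CmdletBinding()]
param(
    [string]$InstallDir = "$env:ProgramFiles\DELL Latitude D810 Drivers Utility",
    [switch]$Remove
)

# Indicators as published in the article (CLSID and registry key paths)
$Clsid       = '{E1773C0E-364D-4210-B831-72F5A359E88F}'
$OverlayKey  = 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\IconOverlayEx'
$ApprovedKey = 'Registry::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$UrlPattern  = 'bing\.vc'   # host of the hijack URL, matched as a regex inside shortcut targets
$Findings    = [System.Collections.Generic.List[string]]::new()

# 1. The dropped DLL in the install folder
$dll = Join-Path $InstallDir 'IconOverlayEx.dll'
if (Test-Path -LiteralPath $dll) {
    $Findings.Add("DLL present: $dll")
    if ($Remove) { Remove-Item -LiteralPath $InstallDir -Recurse -Force }
}

# 2. The icon overlay handler registration used for persistence
if (Test-Path -LiteralPath $OverlayKey) {
    $default = (Get-ItemProperty -LiteralPath $OverlayKey).'(default)'
    $Findings.Add("Overlay handler key present, default value: $default")
    if ($Remove) { Remove-Item -LiteralPath $OverlayKey -Recurse -Force }
}

# 3. The Approved shell extension value keyed by the CLSID
$approved = Get-ItemProperty -LiteralPath $ApprovedKey -Name $Clsid -ErrorAction SilentlyContinue
if ($approved) {
    $Findings.Add("Approved shell extension: $Clsid = $($approved.$Clsid)")
    if ($Remove) { Remove-ItemProperty -LiteralPath $ApprovedKey -Name $Clsid }
}

# 4. Browser shortcuts whose Target field carries the hijack URL
$shell   = New-Object -ComObject WScript.Shell
$lnkDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { Test-Path -LiteralPath $_ }

foreach ($lnk in Get-ChildItem -LiteralPath $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    # The Properties dialog's "Target" box shows TargetPath followed by Arguments
    if ($sc.Arguments -match $UrlPattern -or $sc.TargetPath -match $UrlPattern) {
        $Findings.Add("Shortcut hijacked: $($lnk.FullName) -> $($sc.TargetPath) $($sc.Arguments)")
        if ($Remove) {
            # Strip the injected URL from the arguments and keep the executable path
            $sc.Arguments = ($sc.Arguments -split '\s+' | Where-Object { $_ -notmatch $UrlPattern }) -join ' '
            $sc.Save()
        }
    }
}

if ($Findings.Count -eq 0) { 'No BingVC indicators found.' } else { $Findings }
```

Run it once without -Remove to see what it would touch, then again with -Remove; shortcuts in other locations (pinned Start tiles, per-user Quick Launch on older Windows) still need the manual Properties check the article describes.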

Folks, we really can’t stress enough that drivers and software should only ever be downloaded from the creator. While some websites might offer you a faster or cheaper option, the caveat is that you might just be downloading something like BingVC.

[Source – McAfee][Image – CC BY 2.0 Yuri Samoilov]
