Microsoft said it has received 70,000 reports this week of a new Trojan disguised as an Adobe Flash Player update that will change your browser’s home page and redirect a Web session to an attacker’s page.

There are several clues something is amiss, namely part of the GUI for the supposed Flash 11 update is written in Turkish, and there is no scroll bar on the EULA.

Microsoft detects the file, which is spreading in emails, as Trojan:Win32/Preflayer.A. The malware will change the home page on Internet Explorer, Google Chrome, Mozilla Firefox and Yandex to either anasayfada[.]net or heydex[.]com.

“These sites appear to be a type of search engine, but there are pop-up advertisements displayed on the pages, and there was an instance where I was redirected to a different page not of my choosing,” said Jonathan Jose, an antivirus researcher at Microsoft.

When a victim executes the malicious file, a typical Flash Player dialog box pops up; the text of the agreement isn’t entirely visible because of the lack of a scroll bar. Jose said that by highlighting the text, you are able to read it to the end and notice a condition stating that the user’s home page will be changed.

“Not having a scroll bar is a bit dodgy as most users won’t realize that the program is going to change the browser’s start page,” he said.

Should the user go ahead and click on the install button, written in Turkish, the malware executes and changes the start pages. The domains for the new start pages, as well as the domains hosting the malicious Flash update, were created within the last six months, including one created on March 4 that hosts the Flash executable.

Jose said that in addition to changing the browser start page, the browser shortcut file may also change to open either of the malicious pages.
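A way to check a Windows host for the two artifacts described above, the redirected start pages and a rewritten browser shortcut, is the following PowerShell script. It is an added example, not from the article or from Microsoft; the Chrome and Firefox profile locations it reads are assumptions about default installs, and the domain strings are the ones named in the article, undefanged so they can be matched.

```powershell
# Added example: hunt for the Preflayer.A artifacts the article describes (start page set to
# anasayfada.net / heydex.com, browser .lnk files rewritten to open those domains).
$Indicators = @('anasayfada.net', 'heydex.com')   # domains from the article, undefanged for matching

function Test-Indicator {
    param([string]$Text)
    # True when the text references one of the reported start-page domains.
    foreach ($d in $Indicators) {
        if ($Text -and $Text -match [regex]::Escape($d)) { return $true }
    }
    return $false
}

# 1. Internet Explorer start page lives in the registry.
$ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$startPage = (Get-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if (Test-Indicator $startPage) { "IE Start Page points to indicator: $startPage" }

# 2. Chrome stores the homepage in the profile's Preferences JSON (default profile path assumed).
$chromePrefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
if (Test-Path $chromePrefs) {
    $prefs = Get-Content $chromePrefs -Raw | ConvertFrom-Json
    if (Test-Indicator $prefs.homepage) { "Chrome homepage points to indicator: $($prefs.homepage)" }
}

# 3. Firefox stores it as browser.startup.homepage in each profile's prefs.js (path assumed).
Get-ChildItem (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles') -Filter prefs.js -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hit = Select-String -Path $_.FullName -Pattern 'browser.startup.homepage' | Select-Object -First 1
        if ($hit -and (Test-Indicator $hit.Line)) { "Firefox homepage in $($_.FullName) points to indicator" }
    }

# 4. Browser shortcuts whose target or command-line arguments open the indicator domains.
$shell = New-Object -ComObject WScript.Shell
$lnkDirs = @([Environment]::GetFolderPath('Desktop'), [Environment]::GetFolderPath('CommonDesktopDirectory'),
             [Environment]::GetFolderPath('StartMenu'), [Environment]::GetFolderPath('CommonStartMenu'))
Get-ChildItem $lnkDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    if (Test-Indicator ($lnk.TargetPath + ' ' + $lnk.Arguments)) {
        "Shortcut $($_.FullName) launches: $($lnk.TargetPath) $($lnk.Arguments)"
    }
}
```

Any line of output names an artifact to restore (reset the start page, recreate the shortcut) after the dropped executable itself has been removed.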

“It’s a fairly simple ruse – misleading file name, misleading GUI, deliberately inaccessible EULA, misleading file properties – and some of the files are even signed. And yet, we’ve received over 70,000 reports of this malware in the last week,” he said. “Social engineering doesn’t have to be particularly sophisticated to be successful. So the message today is be wary. If you think something ‘feels’ wrong (like that missing scrollbar in the EULA) it may well be. Listen to those feelings and use them to protect yourself by saying ‘no’ to content you don’t trust.”

Categories: Malware

Comments (3)

  1. Al

    Problem: How to get rid of the update window, even if not acted upon? The window shows as Flash Player Pro update.

  2. Anonymous

    How about some screen shots(?) of what this malware email / update looks like? Any value to having this shared?

  3. Thomas McCarthy

    How about a solution to get the POS software off the computer once the click to upgrade button has been pushed. This POS software can’t be removed in a normal way. Also it’s in Spanish, as well. Sheesh, the authors of the articles are so nearsighted. Who the hell cares whether there is another piece of Malware out there. The problem is, people who were duped (it looks just like the Flash Player and it pops up like a Flash Player update) need to rid it from their computers, so how do you do it? I can’t delete it from the Control Panel. It produces a loop that indicates there is an error in trying to “load” the software.
