- Oct 23, 2012
- 12,527
Intel McAfee security experts have discovered that the latest versions of the infamous Bing.vc browser-hijacking malware are distributed via applications distributed by Lavians Inc.
Security companies have known about the existence of the Bing.vc malware for more than a year and many of them have added support for removing this threat from the computers of infected users.
Intel McAfee: Blame Lavians Inc.!
According to a report from McAfee, recent versions of the Bing.vc malware have been found bundled with legitimate-looking products. The security vendor is pointing the finger at a software company called Lavians Inc.
"We have come across several files from Lavians Inc. that look like legitimate applications but may pose a serious risk," write's Intel's Santosh Revankar. "We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its outreach."
Intel says that most of the infected files hide as driver utilities, using names such as HP DESKJET F4580 Driver Utility Setup, DELL Inspiron 5100 Drivers Utility Setup, or Acer Aspire ONE ZG5 Drivers Utility Setup.
Bing.vc affects Chrome, Firefox, IE
When users install these files, they'll get the legitimate application, but also Bing.vc, hidden inside a file called IconOverlayEx.dll.
Bing.vc will install itself into Chrome, Firefox, and Internet Explorer, and will take over the site's homepage and insert ads into visited websites. The page to which this browser hijacker will redirect all users is Bing.vc, hence the malware's name.
Security companies have known about the existence of the Bing.vc malware for more than a year and many of them have added support for removing this threat from the computers of infected users.
Intel McAfee: Blame Lavians Inc.!
According to a report from McAfee, recent versions of the Bing.vc malware have been found bundled with legitimate-looking products. The security vendor is pointing the finger at a software company called Lavians Inc.
"We have come across several files from Lavians Inc. that look like legitimate applications but may pose a serious risk," write's Intel's Santosh Revankar. "We have observed that Lavians Inc. is repackaging clean applications with a browser hijacker to avoid suspicion and to increase its outreach."
Intel says that most of the infected files hide as driver utilities, using names such as HP DESKJET F4580 Driver Utility Setup, DELL Inspiron 5100 Drivers Utility Setup, or Acer Aspire ONE ZG5 Drivers Utility Setup.
Bing.vc affects Chrome, Firefox, IE
When users install these files, they'll get the legitimate application, but also Bing.vc, hidden inside a file called IconOverlayEx.dll.
Bing.vc will install itself into Chrome, Firefox, and Internet Explorer, and will take over the site's homepage and insert ads into visited websites. The page to which this browser hijacker will redirect all users is Bing.vc, hence the malware's name.
Hijacked Google Chrome homepage
This website has nothing to do with Microsoft's Bing service and is quite strange that Microsoft hasn't registered the domain beforehand, or moved to take it down by now.
Ironically, the Intel McAfee team has noticed that a link on this hijacked homepage leads users to a site that tries to sell them a very expensive utility to fix their browser hijacking problem.
Uninstalling the infected app doesn't help
Users that notice something strange and move to uninstall the original driver utility they installed will find that all files will be removed, except IconOverlayEx.dll, which will remain on the infected system.
During the uninstall routine, Bing.vc will alter the user's PC registry keys and add two new entries that will load the DLL on every boot-up.
By doing so, even after uninstalling the original infected files, Bing.vc remains on the system.
Users that want to get rid of this infection have to remove the registry keys by hand or use an automated PC clean-up utility that usually comes with antivirus software.
Additionally, the shortcuts for each browser also need to be cleaned up by deleting the URL at the end of the application target parameter, as in the image below.
