Adware vendors are constantly using new methods to inject advertisements or to hijack the home pages of computer users' browsers. Recently, Djordje Lukic, a malware researcher for Zemana, passed along a sample of a new variant of the Youndoo Browser Hijacker that was using DLL Hijacking to hijack a browser's homepage.

Youndoo.com Home Page

To give a little background info, when both the Chrome and Firefox executables start, they attempt to load the legitimate Windows C:\Windows\System32\wtsapi32.dll file. This allows the programs to use the functions stored in this DLL.

The developers of Youndoo exploit this by placing a malicious version of the wtsapi32.dll Windows file in the same folder as the Firefox and Chrome browser executables.

When an executable loads a DLL, Windows will first check the same directory the executable is in for the specified DLL file, and if found, load it from there. Since Youndoo has placed a malicious DLL of the same name in the browser's folder, the browser will load their version of the file instead of the legitimate one. This is called DLL Hijacking.

Youndoo wtsapi32.dll in the Chrome Application Folder

When Chrome or Firefox loads, the functions in the Youndoo wtsapi32.dll DLL will read a URL from the "hp" value of the HKEY_CURRENT_USER\Software\MessageGet Registry key. The hp, or homepage, value contains a URL that this DLL will cause the browser to automatically open.

hp Registry Key

If you changed the value of hp to any other URL, the browser would open to that URL instead. To stop the redirect, all you have to do is remove the hp registry value and the browser will open to the default page. To actually remove the infection, you would need to remove the wtsapi32.dll file from your browser's folder as well as perform a scan for other installed files.
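The check and cleanup described above, as an added PowerShell example (not from the article, Zemana, or Youndoo): it looks for a wtsapi32.dll sitting beside the browser executable, compares it with the System32 copy, and reports the hp value. The browser install paths are assumed defaults; the registry key and DLL name are the ones the article names.

```powershell
# Added example: audit browser folders for a sideloaded wtsapi32.dll and
# report the Youndoo "hp" homepage value. Run as the affected user.
# The install paths below are assumed defaults; adjust for your system.
$browserExes = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe",
    "$env:ProgramFiles\Mozilla Firefox\firefox.exe",
    "${env:ProgramFiles(x86)}\Mozilla Firefox\firefox.exe"
)

# The legitimate copy lives in System32; its hash is the reference value.
$legit     = Join-Path $env:SystemRoot 'System32\wtsapi32.dll'
$legitHash = (Get-FileHash -Algorithm SHA256 $legit).Hash

foreach ($exe in $browserExes) {
    if (-not (Test-Path $exe)) { continue }
    $candidate = Join-Path (Split-Path $exe) 'wtsapi32.dll'
    if (-not (Test-Path $candidate)) { continue }

    # Any wtsapi32.dll beside the browser exe is loaded before System32's,
    # so its mere presence is suspicious; compare hash and signature.
    $hash = (Get-FileHash -Algorithm SHA256 $candidate).Hash
    $sig  = Get-AuthenticodeSignature $candidate
    [pscustomobject]@{
        Dll             = $candidate
        MatchesSystem32 = ($hash -eq $legitHash)
        Signature       = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = $hash
    }
}

# The homepage URL the hijacking DLL reads. Removing this value alone only
# stops the redirect; the DLL in the browser folder must be deleted too.
$key = 'HKCU:\Software\MessageGet'
if (Test-Path $key) {
    $hp = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).hp
    if ($hp) {
        Write-Output "Youndoo homepage value present: $hp"
        # Uncomment to remove the value once the DLL has been dealt with:
        # Remove-ItemProperty -Path $key -Name hp
    }
}
```

A DLL that reports MatchesSystem32 as False, or a signature status other than Valid, is the sideloaded copy and should be removed along with a full scan.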

This is just another example of the lengths that adware programs and PUPs are going in order to hijack your computer and display advertisements. Unfortunately, though many of these programs exhibit what I feel should be considered malware behavior, many antivirus companies do not even detect them. For example, as of this writing, this malicious wtsapi32.dll file is detected by 0 out of the 55 scanners on VirusTotal.

The FTC and other government agencies need to take a serious look at how adware purveyors are pushing this crap on people's computers. Adware and PUPs are getting out of hand and something needs to be done about it.
