Floxif malware was hiding in CCleaner
Floxif is the name of a dangerous Trojan that was noticed spreading with a corrupted version of the popular PC optimization program CCleaner. The malware was spreading between August 15 and September 12, 2017, and infected more than 2 million users. After the attack, the virus tracked various information about the user’s device and sent it to a remote server.
The Floxif Trojan was embedded in the program’s main executable, CCleaner.exe. Thus, the virus entered the system when a user installed CCleaner (5.33.6162) or CCleaner Cloud (1.07.3191). However, the virus was executed only on 32-bit Windows.
Researchers detected several versions of the Floxif virus; however, most of them act similarly. They might steal a bunch of information about the victim, including technical details about the targeted computer, such as:
- the name of the targeted computer,
- the list of installed programs,
- the list of active processes,
- MAC addresses of the first 3 network adapters,
- the computer’s unique ID.
Besides, the so-called CCleaner virus might also track the victim’s personal information, such as login credentials or credit card data. It operates as a keylogger, and it might also install other malicious programs, such as ransomware, soon after connecting to its remote server.
Thus, it goes without saying that Floxif removal is crucial to protect your computer, data and sensitive information. Users who installed CCleaner between August 15 and September 12 are advised to update the program and scan the device with a reputable malware removal tool, such as Reimage. These steps will help to terminate the Trojan.
The activity of the Trojan.PRForm.A
As mentioned before, the trojan injected malicious code into the original CCleaner executable. Thus, when users downloaded this program, they installed the malware as well. Once the Floxif CCleaner Trojan is installed, it immediately downloads a symsrv.dll file to this directory:
C:\Program Files\Common Files\System\symsrv.dll
Furthermore, it creates a specific Windows Registry sub-key:
Besides, it might also make other modifications to the registry in order to execute malicious tasks and hide in the system. Furthermore, Floxif calls several Windows APIs and tries to delete important system files:
%Program Files%\Common Files\System\symsrv.dll.dat
As you can see, this dangerous Trojan horse causes numerous system changes and poses a danger to the user’s privacy. Therefore, CCleaner users are urged to remove Floxif from the device immediately.
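A triage check for the indicators described in this section, as an added example that is not code from the article or from Piriform. It assumes the default CCleaner install path under Program Files and relies only on the version numbers, file paths and 32-bit condition stated above; CCleaner Cloud is not covered because the page gives no path for it.

```powershell
# Added triage check; not code from the original article or from Piriform.
# Paths, version numbers and the 32-bit condition come from the article;
# the function name, default install path and output shape are assumptions.
function Test-FloxifIndicators {
    param(
        # Assumed default install location; override if CCleaner lives elsewhere.
        [string]$CCleanerExe = (Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe')
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Installed build: 5.33.6162 shipped the trojan; 5.34 or higher is fixed.
    if (Test-Path -LiteralPath $CCleanerExe) {
        $vi = (Get-Item -LiteralPath $CCleanerExe).VersionInfo
        $installed = [version]('{0}.{1}' -f $vi.FileMajorPart, $vi.FileMinorPart)
        if ($installed -lt [version]'5.34') {
            $findings.Add([pscustomobject]@{
                Indicator = 'Outdated CCleaner build'
                Detail    = "$CCleanerExe reports $($vi.FileVersion)"
                Action    = 'Update to CCleaner 5.34 or higher, then run a full scan'
            })
        }
    }

    # 2. The dropped component and its companion file named in the article.
    foreach ($name in 'symsrv.dll', 'symsrv.dll.dat') {
        $f = Join-Path $env:CommonProgramFiles "System\$name"
        if (Test-Path -LiteralPath $f) {
            $findings.Add([pscustomobject]@{
                Indicator = 'Floxif file artifact present'
                Detail    = $f
                Action    = 'Run a full system scan; change account passwords afterwards'
            })
        }
    }

    # 3. The payload only ran on 32-bit Windows; record it so the operator can
    #    weigh the file findings.
    $arch = if ([Environment]::Is64BitOperatingSystem) { '64-bit (payload did not execute)' } else { '32-bit (payload could execute)' }
    $findings.Add([pscustomobject]@{
        Indicator = 'Windows architecture'
        Detail    = $arch
        Action    = 'Informational'
    })
    return $findings
}

Test-FloxifIndicators | Format-Table -AutoSize
```

Presence of symsrv.dll on a 64-bit host still warrants a scan, since the dropped file may exist even where the payload never executed.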
Distribution of the malicious programs went to the next level
Authors of the CCleaner 5.33 virus managed to hack the original program’s executable. They injected malicious code into a legitimate program and managed to infect around 2.27 million people who installed a compromised version of CCleaner, which was available on the developer’s (Piriform) website from August 15th, 2017.
Besides, the latest research data reports that Floxif launched targeted attacks towards technology giants, such as Microsoft, Samsung, Sony, etc. It is reported that the trojan affected about 20 computers owned by these companies.
Security experts from Sweden report that everyone who downloaded this program might have been infected with the Floxif virus. Thus, users should update it to the latest version immediately. Scanning the system with a professional antivirus is also recommended to make sure that no malicious components were left on the system.
Crucial steps to take after Floxif Trojan attack
To remove Floxif from the device and protect your personal information from cyber criminals, you should complete these three important tasks:
- Update CCleaner to 5.34 version (or higher).
- Run a full system scan with reputable malware removal software.
- Change passwords.
Updating CCleaner to the latest version may not be enough. To perform proper Floxif removal, you should also check the device with professional security software, such as Reimage. This step is necessary because hackers might still have access to your computer or install malware. Once you run an antivirus or malware removal tool, all dangerous components will be eliminated.
When Floxif is removed entirely, you should also change your social network, email, banking, and other accounts’ passwords. It’s unknown what sensitive data the hackers managed to steal. Thus, you have to make sure that criminals do not have access to your accounts.