MSRT March 2016 – Vonteera
As part of our ongoing effort to provide better malware protection, the March release of the Microsoft Malicious Software Removal Tool (MSRT) will include detections for Vonteera – a family of browser modifiers, and Fynloski – a family of backdoor trojans. In this blog, we’ll focus on the Vonteera family of browser modifiers.
BrowserModifier:Win32/Vonteera
We first detected BrowserModifier:Win32/Vonteera in August 2013, and the numbers have been pretty big; during the past six months, we’ve had over eight million detections. Encounters have been distributed among the following countries and regions:
We classify Vonteera as unwanted software because it violates the following objective criteria:
- Lack of choice – the threat circumvents user consent dialogs from the browser or operating system. It installs, reinstalls, or removes software without your permission, interaction, or consent.
- Lack of control – the threat prevents or limits you from viewing or modifying browser features or settings.
- Installation and removal – the threat fails to use standard install/uninstall features, such as Add/Remove Programs.
Vonteera is usually distributed by software bundlers that offer free applications or games.
Once installed on your PC, it modifies your homepage and changes your search provider.
It uses Group Policy to install a plug-in into the following browsers in an effort to make it difficult to remove:
- Google Chrome
- Internet Explorer
- Mozilla Firefox
This makes it more difficult to change the browser settings and remove the added Vonteera plug-in through the Manage Add-ons settings.
More recent versions of Vonteera began adding legitimate certificates that belong to a number of security and antimalware products to the untrusted certificates list that the Windows operating system maintains, which forces Windows to not trust legitimate security and antimalware products. This means that if Vonteera is present on your PC, you might not be able to run your security software.
It also runs a service, so even if you try to delete these certificates from the untrusted list, Vonteera just adds them back to this list, so you still might not be able to run your security software.
Our malware encyclopedia entry for Win32/Vonteera has more details about this malware family.
By adding Vonteera to the MSRT we hope to have a bigger impact and reach more affected machines and help remove this unwanted software. However, as with all threats, prevention is the best protection.
Stay protected
To help stay protected from this and other threats we recommend running up-to-date real-time security software such as Windows Defender for Windows 8.1 and Windows 10.
We also recommend you:
- Ensure all your software is up-to-date.
- Avoid clicking on links or opening attachments or emails from people you don’t know or companies you don’t do business with.
- Ensure you have SmartScreen (in Internet Explorer) turned on.
- Have a pop-up blocker running in your web browser.
- Be wary about downloading software from websites other than the program developers.
For more tips on preventing malware infections, including ransomware infections, see: