
Adware.Bonzi

Updated:
February 13, 2007 11:32:43 AM
Type:
Adware
Version:
Not available
Publisher:
Bonzi
Risk Impact:
High
File Names:
BonziTapFilters.dll, BonziBDY.exe, IEHelperMiddleMan.dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Bonzi is executed, the installer does the following:
  1. Creates the following folders:

    • %ProgramFiles%\BonziBUDDY
    • %UserProfile%\Start Menu\Programs\BonziBUDDY

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Drops the following files:

    • %System%\BonziTapFilters.dll
    • %System%\IEHelperMiddleMan.dll
    • %UserProfile%\Desktop\BonziBUDDY.lnk
    • %UserProfile%\Desktop\Speed Up My Computer.url
    • %UserProfile%\Start Menu\Programs\Startup\BonziBUDDY.lnk
    • %Windir%\msagent\chars\Bonzi.acs

      Note:
    • %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  3. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\.BBMA
    HKEY_CLASSES_ROOT\.BonziMAIL_Message
    HKEY_CLASSES_ROOT\BonziBDY.Document
    HKEY_CLASSES_ROOT\BonziMAIL_Messagefile
    HKEY_CLASSES_ROOT\BonziBUDDY.CPeriod
    HKEY_CLASSES_ROOT\BonziBUDDY.CCalendarVBPeriod
    HKEY_CLASSES_ROOT\BonziBUDDY.CCalendarVBPeriods
    HKEY_CLASSES_ROOT\BonziBUDDY.CPeriods
    HKEY_CLASSES_ROOT\BonziBUDDY.clsAddressBook
    HKEY_CLASSES_ROOT\BonziBUDDY.clsBBPlayer
    HKEY_CLASSES_ROOT\BonziBUDDY.clsClickTheButton
    HKEY_CLASSES_ROOT\BonziBUDDY.clsDownloadManager
    HKEY_CLASSES_ROOT\BonziBUDDY.clsRegistration
    HKEY_CLASSES_ROOT\BonziBUDDY.clsStoryReader
    HKEY_CLASSES_ROOT\BonziCTBHelper.clsBonziCTBHelper
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandCloseToast
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandShowToast
    HKEY_CLASSES_ROOT\BonziTapFilters.clsSubscription
    HKEY_CLASSES_ROOT\BonziTapFilters.clsTapEvent
    HKEY_CLASSES_ROOT\BonziTapFilters.clsFiltration
    HKEY_CLASSES_ROOT\BonziTapFilters.clsContent
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandSpeak
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandSetIEHomePage
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandRaiseEven
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandPlay
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandOpenWeb
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandMsgBoxOnYes
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandMsgBoxOnNo
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandMsgBox
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandHTTPPost
    HKEY_CLASSES_ROOT\BonziTapFilters.clsCommandDownloadFile
    HKEY_CLASSES_ROOT\BonziTapFilters.clsBonziContent
    HKEY_CLASSES_ROOT\IEHelperMiddleMan.IEHlprObj
    HKEY_CLASSES_ROOT\IEHelperMiddleMan.IEHlprObj.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74266FA9-E6C8-11D3-B48F-0080C77B28D9}
    HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BONZIBUDDY
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/bonzi-mail-message
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BonziBUDDY


  4. Adds the value:

    "BonziBUDDY"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    so that the adware runs when you start Windows.

  5. Changes the Internet Explorer home page and search pages. The home page may be reset to the following:

    [http://]www.bonzi.com/[REMOVED]/bonziportal/index.asp

  6. May send Internet usage statistics to a remote server or download advertisements when certain keywords are typed in Internet Explorer.
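As an added example that is not part of the Symantec writeup, the following PowerShell audit script checks a host for the artifacts described in steps 1 to 5 (dropped files and folders, the registration keys, the Run value and the home page change) and reports what it finds without modifying anything. The location of Internet Explorer's Start Page value (HKCU\Software\Microsoft\Internet Explorer\Main) is the standard one and is assumed here rather than taken from the writeup.

```powershell
# Added audit script (not from the Symantec writeup): read-only check for the
# Adware.Bonzi artifacts listed above. Run from an elevated PowerShell prompt.
$findings = @()

# Steps 1 and 2: dropped folders and files. GetFolderPath resolves the per-user
# special folders on both the 2000/XP layout and newer Windows versions.
$sys  = [Environment]::GetFolderPath('System')
$desk = [Environment]::GetFolderPath('Desktop')
$paths = @(
    (Join-Path $env:ProgramFiles 'BonziBUDDY'),
    (Join-Path $sys 'BonziTapFilters.dll'),
    (Join-Path $sys 'IEHelperMiddleMan.dll'),
    (Join-Path $env:SystemRoot 'msagent\chars\Bonzi.acs'),
    (Join-Path $desk 'BonziBUDDY.lnk'),
    (Join-Path $desk 'Speed Up My Computer.url'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'BonziBUDDY.lnk')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File or folder present: $p" }
}

# Step 3: the BHO registration and the other persistence/component keys.
$bhoClsid = '{74266FA9-E6C8-11D3-B48F-0080C77B28D9}'
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$bhoClsid",
    'Registry::HKEY_CLASSES_ROOT\IEHelperMiddleMan.IEHlprObj',
    'HKCU:\Software\VB and VBA Program Settings\BONZIBUDDY',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BonziBUDDY'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Step 4: the Run value that starts the adware at logon.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
                        -Name 'BonziBUDDY' -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value BonziBUDDY -> $($run.BonziBUDDY)" }

# Step 5: home page change. The Start Page value location is IE's standard one
# (assumed here, not quoted from the writeup).
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                       -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie -and $ie.'Start Page' -match 'bonzi\.com') {
    $findings += "IE Start Page points at bonzi.com: $($ie.'Start Page')"
}
if ($findings.Count -eq 0) { 'No Adware.Bonzi artifacts found.' } else { $findings }
```

A clean host prints the single "not found" line; any other output lists each artifact still present, which is useful for confirming removal after cleanup.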
