Updated: February 13, 2007 11:37:54 AM
Type: Spyware
Version: Not available
Publisher: srng.net
Risk Impact: High
File Names:
SearchHook.dll
IEHelper.dll
IEHelper02.dll
SNHelper.dll
srng.exe
Svchost.exe
ad_msi.exe
ads
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When Spyware.Shopnav is installed, it does the following:
- Creates one of the following folders:
  - %Program Files%\Snrg
  - %Program Files%\Kugoo
  Note: %Program Files% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates some of the following files:
  - %Windir%\adrsb.exe
  - %Windir%\waladhpr.exe
  - %Windir%\iun6002.exe
  - %Windir%\Svchost.exe
  - %Program Files%\Srng\Srng.exe
  - %Program Files%\Srng\SRNG.LOCK
  - %Program Files%\Srng\file.zip
  - %Program Files%\Srng\SNHelper.dll
  - %Program Files%\Srng\SrngUtil.exe
  - %Program Files%\ieshnv.ini
  - %Program Files%\ieshnv.bmp
  - %Program Files%\ieshnv.dat
  - %Program Files%\ieshnv.lng
  Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Creates some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{14b3d246-6274-40b5-8d50-6c2ade2ab29b}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SNHlprObj.SNHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14b3d246-6274-40b5-8d50-6c2ade2ab29b}
HKEY_LOCAL_MACHINE\Software\Srng
HKEY_LOCAL_MACHINE\Software\Kugoo
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\shnv
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\PCID
HKEY_ALL_USERS\Software\Srng
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{14B3D246-6274-40B5-8D50-6C2ADE2AB29B}
- Adds the value:
"PCID" = "random value"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
- Adds one of the values:
"srng"
"kugoo"
to the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Adds the values:
"Use search Asst" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
"Use Custom Search URL" = "0x00000000"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
- Adds the values:
"Search Page" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
"Search Bar" = "http:/ /pop.popuptoast.com/9899/search/search.html"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
- Adds the values:
"Search Assistant" = "http:/ /pop.popuptoast.com/9899/search/search.html"
"CustomizeSearch" = ""
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
- Adds the values:
"Search Assistant" = "http:/ /pop.popuptoast.com/9899/search/search.html"
"CustomizeSearch" = ""
to the registry subkey:
HKEY_ALL_USERS\SOFTWARE\Microsoft\Internet Explorer\Search
- Adds the values:
"Search Bar" = "http:/ /pop.popuptoast.com/9899/search/search.html"
"Search Page" = "http:/ /search.2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
to the registry subkey:
HKEY_ALL_USERS\Microsoft\Internet Explorer\Main
- Adds the value:
"DefaultSearchURL" = "http:/ /2020search.com/9899/search/redir.php?cid=shnv9899PCID=default&s="
to the registry subkey:
HKEY_ALL_USERS\SOFTWARE\Microsoft\SearchAssistant
- Adds the value:
"provider" = "msn"
to the registry subkey:
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\SearchURL
- Modifies the value:
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft"
in the registry subkey:
HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\URLSearchHooks
- Sends the Windows account name and previous search settings to a predetermined server.
- May load and install arbitrary code from its server.