Updated: February 13, 2007 11:35:02 AM
Type: Adware
Publisher: IBIS LLC
Risk Impact: Low
File Names:
common.dll
IExploreSkins.exe
PIB.exe
QDow_AS2.dll
setupex.exe
TBPS.exe
toolbar.dll
WSG.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.Websearch is executed, it performs the following actions:
- May create the following registry entries, each of which may contain multiple subkeys:
HKEY_CLASSES_ROOT\CLSID\{0A68C5A2-64AE-4415-88A2-6542304A4745}
HKEY_CLASSES_ROOT\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}
HKEY_CLASSES_ROOT\CLSID\{339BB23F-A864-48C0-A59F-29EA915965EC}
HKEY_CLASSES_ROOT\CLSID\{69357D4E-BF4D-4651-91E9-52ECD45A0128}
HKEY_CLASSES_ROOT\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}
HKEY_CLASSES_ROOT\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}
HKEY_CLASSES_ROOT\CLSID\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_CLASSES_ROOT\CLSID\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_CLASSES_ROOT\CLSID\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_CLASSES_ROOT\CLSID\{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}
HKEY_CLASSES_ROOT\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}
HKEY_CLASSES_ROOT\CLSID\{A8DEB4A5-D9EF-4D21-B4F6-921475004E7D}
HKEY_CLASSES_ROOT\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}
HKEY_CLASSES_ROOT\CLSID\{CABCF5E7-0C79-4F1C-909D-B9CF68FED746}
HKEY_CLASSES_ROOT\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}
HKEY_CLASSES_ROOT\CLSID\{F1616B86-9288-489D-B71A-0CCF2F1A89DA}
HKEY_CLASSES_ROOT\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A}
HKEY_CLASSES_ROOT\CLSID\{FF76A5DA-6158-4439-99FF-EDC1B3FE100C}
HKEY_CLASSES_ROOT\TypeLib\{37AC49E3-E906-4BD8-AE83-D0F7FB48FD17}
HKEY_CLASSES_ROOT\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06}
HKEY_CLASSES_ROOT\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}
HKEY_CLASSES_ROOT\TypeLib\{D8BD4DED-5BB2-4D4E-9A6A-F10244FED7D6}
HKEY_CLASSES_ROOT\TypeLib\{DB9A4E78-35DF-4A54-B6C5-C5190CEAF949}
HKEY_CLASSES_ROOT\Interface\{234F09FB-FE89-4C6D-9203-31832FC051C3}
HKEY_CLASSES_ROOT\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}
HKEY_CLASSES_ROOT\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}
HKEY_CLASSES_ROOT\Interface\{66C22569-F05C-4A70-A142-763B337E1002}
HKEY_CLASSES_ROOT\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}
HKEY_CLASSES_ROOT\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}
HKEY_CLASSES_ROOT\Interface\{BD6F129A-08DB-4CC5-A75A-F2AB79E55B6E}
HKEY_CLASSES_ROOT\Interface\{D1951679-1D52-43FC-9585-0737143585F5}
HKEY_CLASSES_ROOT\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0A68C5A2-64AE-4415-88A2-6542304A4745}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87766247-311C-43B4-8499-3D5FEC94A183}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8952A998-1E7E-4716-B23D-3DBE03910972}
HKEY_CLASSES_ROOT\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CLASSES_ROOT\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_CLASSES_ROOT\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Components\C3D2CDB9A41E452EA544AB5033418FCB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Features\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\53E709BA426171644AFC9A3F08B933A7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C3D2CDB9A41E452EA544AB5033418FCB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CA2E4A17C7EE67447B98D93D8144E0D0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71A4E2AC-EE7C-4476-B789-9DD318440E0D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Setup\RC
HKEY_CURRENT_USER\Software\MSIETS
HKEY_CURRENT_USER\Software\Toolbar
HKEY_CURRENT_USER\Software\Toolbar\Files\SVC
HKEY_CURRENT_USER\Software\Toolbar\Files\TBR
HKEY_CURRENT_USER\Software\Toolbar\PlugIns\COMMON
HKEY_CURRENT_USER\Software\WinTools
HKEY_CLASSES_ROOT\Common.Buttons\Clsid
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tpro
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\toolbar.ResProtocol
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol
HKEY_CLASSES_ROOT\Radio.RadioPlayer
HKEY_CLASSES_ROOT\TBPS.PluginConfig
HKEY_CLASSES_ROOT\TBPS.PluginDown
HKEY_CLASSES_ROOT\TBPS.PluginEvents
HKEY_CLASSES_ROOT\TBPS.PluginInst
HKEY_CLASSES_ROOT\TBPS.PluginServer
HKEY_CLASSES_ROOT\TBPS.ToolbarScript
HKEY_CLASSES_ROOT\toolbar.IToolbarScriptClass
HKEY_CLASSES_ROOT\toolbar.ResProtocol
HKEY_CLASSES_ROOT\WSG.WSGObj
HKEY_CLASSES_ROOT\WToolsB.ResProtocol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TTOOL_UNINSTALL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinTools
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\COMMON
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\SVC
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files\TBR
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\PlugIns\COMMON
HKEY_LOCAL_MACHINE\SOFTWARE\WinTools
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TBPSSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\websearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\CustomizeSearch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SearchAssistant
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{26E8361F-BCE7-4F75-A347-98C88B418322}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26E8361F-BCE7-4F75-A347-98C88B418321}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BTIEINScriptConfigProj.BTIEINScriptConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63B78BC1-A711-4D46-AD2F-C581AC420D41}
HKEY_LOCAL_MACHINE\SOFTWARE\BTIEIN
HKEY_CURRENT_USER\Software\BTIEIN
- May add the values:
"TBPS" = ""
"WinTools" = ""
"OETool" = ""
"TB_setup" = ""
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
- May add the value:
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = ""
to the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser
- May add the values:
"{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}" = "00"
"{339BB23F-A864-48C0-A59F-29EA915965EC}" = "00"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
- May add the value:
"{8952A998-1E7E-4716-B23D-3DBE03910972}" = ""
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
- May add the values:
"TUID" = ""
"WTInstallDate" = ""
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
- May add the values:
"%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\{87067F04-DE4C-4688-BC3C-4FCF39D609E7}" = ""
"%SystemDrive%/WINDOWS/Downloaded Program Files/QDow_AS2.dll\.Owner" = "{87067F04-DE4C-4688-BC3C-4FCF39D609E7}"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage
Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.
- May add the value:
"%CommonProgramFiles%\MSIETS\" = ""
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Note: %CommonProgramFiles% is a variable that refers to the Common Files folder. By default, this is C:\Program Files\Common Files.
- May add the value:
"%Windir%\Downloaded Program Files\QDow_AS2.dll" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- May modify the value:
"ShellNext" = "[path to executable]"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard
- May modify the value:
"Search Bar" = "[Web site on the websearch.com or huntbar.com domain]"
in the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
- May modify the value:
"Start Page" = "[Web site on the websearch.com or huntbar.com domain]"
in the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
- May modify the value:
"CustomizeSearch" = "res://%SystemDrive%\PROGRA~1\Toolbar\toolbar.dll/sa"
in the registry subkeys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
- May modify the value:
"SearchAssistant" = "[Web site on the websearch.com or huntbar.com domain]"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
- Attempts to download files from a predetermined Web site. If the download is successful, it decompresses the files into multiple folders, and starts multiple programs. Files may be created in the following folders:
- %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools
- %CommonProgramFiles%\WinTools
- %CommonProgramFiles%\WinTools\Update
- %ProgramFiles%\Toolbar
- %ProgramFiles%\Toolbar\Cursors
- %ProgramFiles%\Toolbar\Recordings
- %ProgramFiles%\Toolbar\Skins
- %ProgramFiles%\Toolbar\Update
- %ProgramFiles%\websearch
- [original folder]\Cursors
- [original folder]\Skins
- [original folder]\temp
Note: %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files. [original folder] refers to the folder the adware was executed in.
- Appears in Internet Explorer as a search toolbar, and in the System Tray as an icon.
- Logs keywords from searches and sends the logs to a predetermined Web site.
- May download an updated version of itself.
- May open Internet Explorer to www.websearch.com.
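The following PowerShell triage script is an added example and is not part of the original writeup. It reads the autorun values, Browser Helper Object CLSIDs and Internet Explorer start/search settings listed above and reports which indicators are present on the host; it changes nothing, and assumes an elevated prompt so that the HKEY_LOCAL_MACHINE keys can be read.

```powershell
# Added example (not from the writeup): read-only check for the Adware.Websearch
# registry indicators listed in the text. Reports findings only; deletes nothing.
$findings = @()

# Autorun values the writeup says may be added under Run / RunServicesOnce
$runValues = 'TBPS', 'WinTools', 'OETool', 'TB_setup', 'websearch'
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $runValues) {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += "Autorun value '$name' under $key = '$($props.$name)'"
        }
    }
}

# BHO, toolbar and URLSearchHook CLSIDs named in the writeup
$clsids = '{0A68C5A2-64AE-4415-88A2-6542304A4745}', '{87766247-311C-43B4-8499-3D5FEC94A183}',
          '{8952A998-1E7E-4716-B23D-3DBE03910972}', '{63B78BC1-A711-4D46-AD2F-C581AC420D41}',
          '{339BB23F-A864-48C0-A59F-29EA915965EC}', '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}'
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($id in $clsids) {
    # HKEY_CLASSES_ROOT has no drive by default, so it is reached via the Registry:: provider
    foreach ($path in "$bhoRoot\$id", "Registry::HKEY_CLASSES_ROOT\CLSID\$id") {
        if (Test-Path -LiteralPath $path) { $findings += "Key present: $path" }
    }
}

# IE start page / search settings pointed at the domains or the toolbar.dll resource
$ieKeys = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
          'HKCU:\Software\Microsoft\Internet Explorer\Search',
          'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search'
$ieValues = 'Start Page', 'Search Bar', 'SearchAssistant', 'CustomizeSearch'
foreach ($key in $ieKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $ieValues) {
        $value = $props.$name
        if ($value -and $value -match 'websearch\.com|huntbar\.com|Toolbar\\toolbar\.dll') {
            $findings += "IE setting '$name' in $key = '$value'"
        }
    }
}

if ($findings.Count -eq 0) { 'No Adware.Websearch indicators found.' } else { $findings }
```

A hit on any autorun value or BHO key is strong evidence the toolbar is installed; a hijacked start page alone can also come from other toolbars of the same family, so confirm against the file names listed at the top of the writeup.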