Updated: February 13, 2007 11:37:47 AM
Type: Adware
Version: 1.0.0.5
Risk Impact: High
File Names:
- Safesearch.exe
- Safesearch.dll
- _safesearch.dll
- aanyvkcf.exe
- rgzcdhtn.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.SafeSearch is executed, it performs the following actions:
- Copies itself as one of the following:
  - %ProgramFiles%\Primesoft\Safesearch\Safesearch.exe
  - %System%\Safesearch.exe
  - %System%\aanyvkcf.exe
  - %System%\RGZCDHTN.exe
  Notes:
  - %System% is a variable. The adware locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %ProgramFiles% is a variable that refers to the Program Files folder. By default, this is C:\Program Files.
- Creates the following files:
  - %System%\Safesearch.dll
  - %System%\_safesearch.dll
- Adds one of the following values:
  - "SafeSearch" = "c:\program files\primesoft\safesearch\safesearch.exe"
  - "AANYVKCF" = "%System%\aanyvkcf.exe"
  - "TYPE[RANDOM NUMBER]" = "application/x-QSCH"
  - "RGZCDHTN" = "%System%\RGZCDHTN.exe /install"
  to the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  so that Adware.SafeSearch runs every time Windows starts.
- Adds the value:
  "{00000000-0000-0000-0000-000000000001}" = ""
  to the registry subkey:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
  so that Adware.SafeSearch becomes an Internet Explorer Browser Helper Object (BHO).
- Adds the value:
  "%System%\aanyvkcf.exe" = "yes"
  to the registry subkey:
  HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\User Trusted External Applications
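The three registry changes above (the Run entry, the Internet Explorer Toolbar CLSID and the Netscape trusted-application entry) are the persistence footprint a responder would look for on a suspect machine. The script below is an added detection example, not part of the original write-up: it parses the text produced by `reg export` and flags entries matching the indicators listed on this page, expanding %System% and %ProgramFiles% to the default locations given in the Notes. The sample export embedded in it is constructed for illustration, and the assumption that the TYPE[RANDOM NUMBER] value name is "TYPE" followed by digits is mine.

```python
"""Flag Adware.SafeSearch persistence indicators in a `reg export` (.reg) text dump.

Added detection example; the indicators are taken from the write-up, the
sample export is constructed, and the TYPE<digits> value-name pattern is an
assumption about what "TYPE[RANDOM NUMBER]" looks like on disk.
"""
import re
from typing import Dict, List, Tuple

# Default %System% and %ProgramFiles% locations named in the write-up's Notes.
SYSTEM_DIRS = [r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"]
PROGRAM_FILES_DIRS = [r"c:\program files"]

# Run-key image paths the write-up lists (before variable expansion).
RUN_PAYLOADS = [
    r"%ProgramFiles%\primesoft\safesearch\safesearch.exe",
    r"%System%\safesearch.exe",
    r"%System%\aanyvkcf.exe",
    r"%System%\rgzcdhtn.exe",
]
BHO_CLSID = "{00000000-0000-0000-0000-000000000001}"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
TOOLBAR_KEY = r"hkey_local_machine\software\microsoft\internet explorer\toolbar"
NETSCAPE_KEY = (r"hkey_users\.default\software\netscape\netscape navigator"
                r"\user trusted external applications")
DROPPED_EXES = {"safesearch.exe", "aanyvkcf.exe", "rgzcdhtn.exe"}


def expand_variants(template: str) -> List[str]:
    """Expand %System% / %ProgramFiles% into every default path from the Notes."""
    if "%System%" in template:
        return [template.replace("%System%", d).lower() for d in SYSTEM_DIRS]
    if "%ProgramFiles%" in template:
        return [template.replace("%ProgramFiles%", d).lower() for d in PROGRAM_FILES_DIRS]
    return [template.lower()]


KNOWN_RUN_PATHS = {p for t in RUN_PAYLOADS for p in expand_variants(t)}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for `reg export` output: {key (lowercased): {value name: data}}.

    Only REG_SZ values ("name"="data") are decoded; other types are kept raw.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files double backslashes inside string data.
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def find_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every entry that matches the write-up."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        # Drop a trailing switch such as "/install" before comparing the image path.
        image = data.lower().split(" /")[0].strip()
        if image in KNOWN_RUN_PATHS:
            hits.append((RUN_KEY, name, f"Run entry launches {image}"))
        elif re.fullmatch(r"type\d+", name.lower()) and data.lower() == "application/x-qsch":
            hits.append((RUN_KEY, name, "TYPE[n] = application/x-QSCH marker value"))
    if BHO_CLSID in reg.get(TOOLBAR_KEY, {}):
        hits.append((TOOLBAR_KEY, BHO_CLSID, "SafeSearch CLSID registered under IE Toolbar"))
    for name, data in reg.get(NETSCAPE_KEY, {}).items():
        if name.lower().rsplit("\\", 1)[-1] in DROPPED_EXES and data.lower() == "yes":
            hits.append((NETSCAPE_KEY, name, "dropped executable marked as trusted by Netscape"))
    return hits


# Constructed sample export: one benign Run entry plus the adware's footprint.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"RGZCDHTN"="C:\\WINDOWS\\System32\\RGZCDHTN.exe /install"
"TYPE4821"="application/x-QSCH"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{00000000-0000-0000-0000-000000000001}"=""

[HKEY_USERS\.DEFAULT\Software\Netscape\Netscape Navigator\User Trusted External Applications]
"C:\\WINDOWS\\System32\\aanyvkcf.exe"="yes"
"""

if __name__ == "__main__":
    for key, value, reason in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{key}] {value!r}: {reason}")
```

On a real host, feed it the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run out.reg` (and the other two keys) instead of the constructed sample; the benign ctfmon.exe entry in the sample shows that only paths matching the write-up are reported.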
- Searches for and deletes the following files and folders from the compromised computer, which may relate to a previous version of the adware:
  - C:\Program Files\PrimeSoft
  - C:\Program Files\PrimeSoft\Safesearch
  - C:\Program Files\PrimeSoft\Safesearch\safesearch.exe
  - C:\Winnt\System32\safesearch.exe
  - C:\Windows\System32\safesearch.exe
  - C:\Windows\System\safesearch.exe
- Attempts to create the following registry subkeys:
  - HKEY_CURRENT_USER\Software\PrimeSoft
  - HKEY_CURRENT_USER\Software\SafeSearch
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safesearch
  - HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO.1
  - HKEY_CLASSES_ROOT\SafeSearch.SafeSearchBHO
  - HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}
  - HKEY_CLASSES_ROOT\Typelib\{CB5006EE-F57D-4116-B7B6-48EB564FE0F0}
  - HKEY_CLASSES_ROOT\Typelib\{82E9DE01-D860-40E4-B9C1-91F0E8272962}
  - HKEY_CLASSES_ROOT\Interface\{28E6CCE2-3F2C-4B3D-9CB4-2FC8715A3ECE}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\aanyvkcf
  - HKEY_CLASSES_ROOT\.QSCH
  - HKEY_CLASSES_ROOT\QSCH File
  - HKEY_CLASSES_ROOT\mime\database\content type\application/x-QSCH
  - HKEY_USERS\.default\software\netscape\netscape navigator\suffixes\application/x-QSCH
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RGZCDHTN
  - HKEY_CURRENT_USER\Software\Program Data
- Redirects Internet Explorer to one of the following addresses:
  - [http://]204.177.xx.xxx/search/index[REMOVED]
  - [http://]204.177.xx.xxx/safesearch/inde[REMOVED]
  - [http://]204.177.xx.xxx/safesearch/inde[REMOVED]
  when you try to access the following Web sites:
  - eps.new.search.new.net/apps/eps
  - www.commonname.com/en/powersearch
  - www.ignkeywords.com
  - www.searchresult.net
  - ieautosearch
  - auto.search.msn.com
  - sitefinder.verisign.com
  - mysearch.myway.com