Updated: February 13, 2007 11:35:56 AM
Type: Adware
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.SearchCounter is executed, it performs the following actions:
- Modifies the following registry keys as shown:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
"Search"="<WebAddress>"
Note: <WebAddress> is a variable. The adware places the value:
http:/ /%69%6e%2e%77%65%62%63%6f%75%6e%74%65%72%2e%63%63/%2d%2d/?%62%7a%62%6a%72
in the given registry location.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
"Default_Search"="<WebAddress>"
"Search Page"="<WebAddress>"
"Start Page"="<WebAddress>"
"Use Search Assistant"="yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles
"User Stylesheet"="%Windir%\hh.htt"
"Use My Stylesheet"=dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
"Search Assistant"="<WebAddress>"
"CustomizeSearch"="<WebAddress>"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer
"ReconfLast"=dword:07D30C01
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer
"Search"="<WebAddress>"
"SearchURL"="<WebAddress>"
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main
"Start Page"="<WebAddress>"
"Search Page"="<WebAddress>"
"Default_Search"="<WebAddress>"
"Default_Page"="<WebAddress>"
"Use SearchAssistant"="yes"
"Search Bar"="<WebAddress>"
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Search
"Search Assistant"="<WebAddress>"
"CustomizeSearch"="<WebAddress>"
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles
"User Stylesheet"="%Windir%\Web\tips.ini"
"Use My Stylesheet"=dword:00000001
- Creates two identical files:
  - %Windir%\Web\tips.ini
  - %Windir%\hh.htt
These files cause a browser popup window displaying "<WebAddress>" to appear every time an Internet Explorer page contains any of these META tags:
- Adds this line to the Hosts file:
1089288654 auto.search.msn.com
This causes all attempts to contact auto.search.msn.com to be redirected to "<WebAddress>".
- Adds the following line to the Win.ini file:
run=fntldr.exe
This is designed to cause the file Fntldr.exe to be run every time you start Windows 95/98/Me. However, during testing by Security Response, the adware did not create or download the Fntldr.exe file. Instead, error dialogs appear after every logon, stating that Fntldr.exe could not be found.
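A triage check for the Hosts and Win.ini changes described above, as an added example that is not part of the original write-up: it parses offline copies of both files, flags hosts entries whose address is written as a plain decimal number (the form used in the line quoted above) or that map a watched host name, and lists every run=/load= program. The sample file contents and all function names are constructed for illustration.

```python
import ipaddress
# Constructed sample files modelled on the two lines quoted in the write-up.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
1089288654 auto.search.msn.com
"""
SAMPLE_WIN_INI = """\
; constructed sample win.ini
[windows]
load=
run=fntldr.exe
"""

def decode_decimal(token):
    """Convert a plain-decimal IPv4 address to dotted-quad, or return None."""
    if not token.isdecimal() or int(token) > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(int(token)))

def scan_hosts(text, watched=("auto.search.msn.com",)):
    """Flag entries with a decimal-form address or a watched host name."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        address, names = fields[0], [n.lower() for n in fields[1:]]
        if address.isdecimal() or any(n in watched for n in names):
            findings.append((lineno, address, decode_decimal(address), names))
    return findings

def scan_win_ini(text):
    """Return (section, key, program) for every non-empty run=/load= entry."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load"):
                entries += [(section, key.lower(), p) for p in value.replace(",", " ").split()]
    return entries

if __name__ == "__main__":
    for item in scan_hosts(SAMPLE_HOSTS) + scan_win_ini(SAMPLE_WIN_INI):
        print(item)
```

Each run=/load= program it reports can then be checked against the file system; an entry naming a file that does not exist matches the error dialogs described above.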