
Adware.Iefeats

Updated:
February 13, 2007 11:43:30 AM
Type:
Adware
Risk Impact:
High
File Names:
Msiesh.dll, iefeatsl.dll, image.dll, Mshp.dll, f2install.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the Adware.Iefeats installer is executed, it performs the following actions:
  1. Creates the following file:

    %SystemDrive%\f2install.log

    Note:
    %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  2. Adds the value:

    "[NAME OF THE INSTALLER FILE]" = "[LOCATION AND NAME OF THE INSTALLER FILE]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the installer runs every time Windows starts.

  3. Creates and populates the following registry subkey:

    HKEY_CLASSES_ROOT\CLSID\[INSTALLER CLSID]

    where [INSTALLER CLSID] is a semi-random CLSID determined by the location and file name of the installer.

  4. Downloads an encrypted service and Browser Helper Object from one or more of the following domains:

    • u47.cc
    • u45.cx
    • u48.cc
    • u46.cx

      Decrypts the files, merges each with up to 1024 random bytes and saves them as %Windir%\[RANDOM EXECUTABLE NAME] or %System%\[RANDOM EXECUTABLE NAME], where [RANDOM EXECUTABLE NAME] is a file name generated by the installer by combining one of the following strings:

    • sdk
    • java
    • cr
    • d3
    • ms
    • ie
    • sys
    • win
    • add
    • app
    • atl
    • mfc
    • api
    • net
    • ip
    • nt

      with two random letters often followed by the string "32" and having one of the following extensions:

    • .dll
    • .exe

      Additionally, the installer downloads an encrypted resources file from one of the domains listed above, decrypts it and saves it as %Windir%\[RANDOM 5 LETTERS].dll or %System%\[RANDOM 5 LETTERS].dll.

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  5. Adds the value:

    "[NAME OF THE SERVICE FILE]" = "[LOCATION AND NAME OF THE SERVICE FILE]"

    for downloaded service to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    so that the service runs on the next Windows start.

  6. For the downloaded service and Browser Helper Object, creates and populates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\[SERVICE CLSID]
    HKEY_CLASSES_ROOT\CLSID\[BHO CLSID]

    Note: [SERVICE CLSID] and [BHO CLSID] are semi-random CLSIDs determined by the location and file name of the components.

  7. Executes the service and initializes the Browser Helper Object.

  8. May periodically display message boxes or alert balloons that resemble legitimate operating system behaviour, to trick the user into visiting possibly malicious Web sites.

  9. Attempts to avoid removal by:

    • making backup copies of the associated service and Browser Helper Object components to [6 random characters].dat files or to randomly named NTFS alternate data streams of existing files in the %Windir% folder;
    • restoring missing components;
    • downloading and reinstalling missing components when necessary;
    • recreating the CLSID registry subkeys and updating them with information necessary to locate other components of Adware.Iefeats.

  10. May attempt to download additional security risks and threats.
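
As an added illustration (not part of the Symantec writeup), the component naming scheme from step 4 and the .dat backups from step 9 expressed as a Python triage filter over bare file names from %Windir% and %System%; the listing it is run on and the KNOWN_GOOD allowlist are constructed, and it only shortlists names for review because legitimate files such as winmm.dll also fit the pattern.

```python
import re

# Name prefixes the writeup lists for the installer's generated component files.
PREFIXES = ("sdk", "java", "cr", "d3", "ms", "ie", "sys", "win",
            "add", "app", "atl", "mfc", "api", "net", "ip", "nt")

# [prefix] + two random letters + optional "32" + .dll/.exe, e.g. "winqz32.dll"
COMPONENT_RE = re.compile(
    r"^(?:%s)[a-z]{2}(?:32)?\.(?:dll|exe)$" % "|".join(PREFIXES), re.IGNORECASE)
# [RANDOM 5 LETTERS].dll resources file and [6 random characters].dat backup copies
RESOURCE_RE = re.compile(r"^[a-z]{5}\.dll$", re.IGNORECASE)
BACKUP_RE = re.compile(r"^[a-z0-9]{6}\.dat$", re.IGNORECASE)

# Legitimate Windows files that also fit the patterns (hypothetical allowlist; a real
# triage compares against a known-good file inventory or file signatures instead).
KNOWN_GOOD = {"winmm.dll", "netsh.exe", "ntdll.dll"}

def classify(name):
    """Return which Iefeats naming scheme a bare file name fits, or None."""
    name = name.lower()
    if name in KNOWN_GOOD:
        return None
    if COMPONENT_RE.match(name):
        return "component"
    if RESOURCE_RE.match(name):
        return "resources"
    if BACKUP_RE.match(name):
        return "backup"
    return None

def triage(listing):
    """Group the names in a %Windir%/%System% listing by the scheme they fit."""
    hits = {}
    for name in listing:
        kind = classify(name)
        if kind:
            hits.setdefault(kind, []).append(name)
    return hits
```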


When the downloaded service is executed, it performs the following actions:
  1. Attempts to remove the following registry subkeys:

    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/plain
    HKEY_CLASSES_ROOT\CLSID\[HTML FILTER CLSID]
    HKEY_CLASSES_ROOT\CLSID\[PLAIN FILTER CLSID]

    Note: [HTML FILTER CLSID] and [PLAIN FILTER CLSID] are the values of the CLSID entries of the subkeys:

    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/html
    HKEY_CLASSES_ROOT\PROTOCOLS\filter\text/plain

    Additionally, attempts to delete the files referenced by the default entries of the subkeys:

    HKEY_CLASSES_ROOT\CLSID\[HTML FILTER CLSID]\InProcServer32
    HKEY_CLASSES_ROOT\CLSID\[PLAIN FILTER CLSID]\InProcServer32

  2. Attempts to remove the value:

    "AppInit_DLLs"

    of the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

    and deletes the file referenced by this value.

  3. Installs an obscurely named service with the image path:

    "[LOCATION AND NAME OF THE SERVICE FILE] /s"

    and one of the following display names:

    • Network Security Service
    • Network Security Service (NSS)
    • Remote Procedure Call (RPC) Helper
    • Workstation NetLogon Service

Note: The service duplicates the following functionality of the installer in an attempt to avoid removal:
    • recreating the value in the RunOnce registry subkey;
    • making copies and restoring missing components from backups;
    • recreating the CLSID registry subkeys and updating them with information necessary to locate other components of Adware.Iefeats.


When the downloaded Browser Helper Object is initialized, it performs the following actions:
  1. Creates and populates the following registry subkeys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SE
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SW

    to create links to Web pages providing non-functional uninstallers for the following programs:

    • Home Search Assistant
    • Search Extender
    • Shopping Wizard

  2. Creates and populates the following registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[BHO CLSID]

    to register itself as a Browser Helper Object.

  3. Replaces Internet Explorer search functionality by removing the following registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks
    and adds the value:

    "[BHO CLSID]" = "0x00 [38 MEANINGLESS BYTES]"

    to the recreated subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks

  4. May create various links in the following folders:
    • %UserProfile%\Favourites
    • %UserProfile%\Favourites\Sites

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

Once this occurs, when Internet Explorer is opened, the Browser Helper Object does the following:
  1. Downloads encrypted configuration and data files from one or more of the following domains:

    • u47.cc
    • u45.cx
    • u48.cc
    • u46.cx

      Decrypts the files and saves them as %Windir%\[RANDOM FILE NAME] or %System%\[RANDOM FILE NAME].

  2. Adds the value:

    "Set"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft

  3. Adds the value:

    "ImageDescriptor"

    to the registry subkey:

    HKEY_CLASSES_ROOT\icofile

  4. Modifies the values:

    "Default_Page_URL" = "about:blank"
    "Default_Search_URL" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049"
    "Use Search Asst" = "no"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  5. Modifies the values:

    "Search Bar" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049"
    "Search Page" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049"
    "Start Page" = "about:blank"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

  6. Modifies the values:

    "SearchAssistant" = "res://[LOCATION AND NAME OF RESOURCES FILE]/sp.html#37049"

    in the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search

  7. Attempts to disable and damage various Security Risks by terminating processes, deleting files and removing registry subkeys. Because the adware's detection logic cannot reliably identify Security Risks, it may also damage legitimate processes and files. Additionally, it deletes the following legitimate file:

    %System%\drivers\etc\hosts

    and the folder:

    %Windir%\LastGood

  8. Creates the following registry subkey:

    HKEY_CLASSES_ROOT\CLSID\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

  9. Displays pop-up ads and contacts various web sites without user permission.

Note: The Browser Helper Object duplicates the following functionality of the installer to complicate adware removal:
    • making copies and restoring missing components from backups;
    • downloading and reinstalling missing components when necessary;
    • recreating the CLSID registry subkeys and updating them with information necessary to locate other components of Adware.Iefeats.
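
The registry artifacts from the service and Browser Helper Object sections above, as an added Python check (not Symantec's tooling) that scans an exported .reg file for them; the SAMPLE_REG export is constructed for the example, and the service key name zxqwv and the file qwert.dll are placeholders.

```python
import re

# Constructed .reg export (sample data, not taken from a real host) carrying
# several of the registry artifacts the writeup attributes to the downloaded BHO.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="res://C:\\WINDOWS\\qwert.dll/sp.html#37049"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
"DisplayName"="Home Search Assistant"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\zxqwv]
"DisplayName"="Network Security Service (NSS)"
[HKEY_CLASSES_ROOT\CLSID\{676575dd-4d46-911d-8037-9b10d6ee8bb5}]
@=""
"""

# Indicators taken from the writeup: hijacked IE search values, decoy service
# display names, fake uninstall entries and the one fixed CLSID.
SEARCH_VALUES = {"Default_Search_URL", "Search Bar", "Search Page", "SearchAssistant"}
HIJACK_RE = re.compile(r"^res://.+/sp\.html#37049$", re.IGNORECASE)
SERVICE_NAMES = {"Network Security Service", "Network Security Service (NSS)",
                 "Remote Procedure Call (RPC) Helper", "Workstation NetLogon Service"}
FAKE_UNINSTALL = tuple("\\currentversion\\uninstall\\" + s for s in ("hsa", "se", "sw"))
FIXED_CLSID = "{676575dd-4d46-911d-8037-9b10d6ee8bb5}"

def parse_reg(text):  # minimal .reg parser -> {key: {value name: data}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # unescape string data
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys

def find_iefeats_indicators(reg_text):
    """Return (indicator, registry location) pairs for every Iefeats artifact found."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        lower = key.lower()
        if lower.endswith(FIXED_CLSID):
            findings.append(("fixed BHO CLSID", key))
        if lower.endswith(FAKE_UNINSTALL):
            findings.append(("fake uninstall entry", key))
        if "\\services\\" in lower and values.get("DisplayName") in SERVICE_NAMES:
            findings.append(("decoy service display name", key))
        for name, data in values.items():
            if name in SEARCH_VALUES and HIJACK_RE.match(data):
                findings.append(("hijacked IE search value", key + "\\" + name))
    return findings
```

Run it against `reg export` output of the hives in question; a hit on the search values or the fixed CLSID is specific, while a decoy display name alone still warrants looking at the service's ImagePath.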


Older versions of this adware may perform the following actions:
  1. Adds the value:

    "Image"= "rundll32 [LOCATION OF image.dll]\image.dll,UpdateDll fs"

    to the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

  2. Adds the value:

    "Updater"= "rundll32 [LOCATION OF iefeatsl.dll]iefeatsl.dll\1.new,UpdateDll fs"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

  3. Creates and populates the registry subkey:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\iefeatsl

  4. Registers Browser Helper Objects by creating and populating the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{0B40A54D-BEC3-4077-9A33-701BD6ACDEB2}
    HKEY_CLASSES_ROOT\CLSID\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
    HKEY_CLASSES_ROOT\CLSID\{FD9BC004-8331-4457-B830-4759FF704C22}
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource
    HKEY_CLASSES_ROOT\iefeatsl.ViewSource.1
    HKEY_CLASSES_ROOT\Image.Image
    HKEY_CLASSES_ROOT\Image.Image.1
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject
    HKEY_CLASSES_ROOT\SearchHook.SearchHookObject.1
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4C9E-92C2-1F953DA73773}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{FD9BC004-8331-4457-B830-4759FF704C22}

  5. Sets the Internet Explorer Start Page to a URL on the domain mshp.dll, and then displays a search engine page when the browser is opened.

  6. Downloads the following files:

    • [ADWARE FOLDER]\iefeatsl.dll
    • [ADWARE FOLDER]\image.dll
    • [ADWARE FOLDER]\msiesh.dll
    • [ADWARE FOLDER]\mssearch.dll (not available at the time of this writeup)
    • %Windir%\mshp.dll
    • [ADWARE FOLDER]\dict.dat (a configuration file)
    • [ADWARE FOLDER]\keywords.dat (a configuration file)
    • [ADWARE FOLDER]\update.txt (a configuration file)

      where [ADWARE FOLDER] is the adware installation folder, usually %UserProfile%\Application Data\iefeatsl

      Note:
      %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

