
Adware.BlazeFind

Updated:
February 13, 2007 11:37:03 AM
Type:
Adware
Risk Impact:
High
File Names:
2_0_1browserhelper2.dll, unstsa2.exe, key2.txt, installer2.exe, omniscient.exe, Omni
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Adware.Blazefind performs the following actions:
    1. Creates the following files:

      • %System%\2_0_1browserhelper2.dll
      • %System%\UnstSA2.exe
      • %System%\key2.txt
      • installer2.exe
      • omniscient.exe
      • Omniscienthook.dll
      • omniband.dll
      • wsaupdater.exe

        Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

    2. Registers itself as a Browser Helper Object

    3. May add the value:

      "Windows SA" = "%ProgramFiles%\WindowsSA\omniscient.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that the adware runs every time Windows starts.

      Note: The file omniscient.exe is not always created.

    4. May modify the values:

      "Taskbar" = "[binary data]"
      "TaskbarWinXp" = "[binary data]"


      in the registry subkey:

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

      so that the adware is loaded as a taskbar band every time the user logs onto Windows.

    5. May create some of the following files:

      • %Windir%\System32\car.ico
      • %Windir%\System32\casino.ico
      • %Windir%\System32\creditcard.bmp
      • %Windir%\System32\Go.ico
      • %Windir%\System32\omniprivacy.khtml

        Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

    6. May create some of the following registry subkeys:

      HKEY_CLASSES_ROOT\BridgeX.Installer
      HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
      HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
      HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
      HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
      HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
      HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
      HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
      HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
      HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
      HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
      HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}

    7. May exhibit some of the following behaviour:

      • Restarts explorer.exe and hooks the DLL into every process that creates a window of the IEFrame class.
      • Redirects search queries in Internet Explorer to www.blazefind.com.
      • Adds a "Main Links" menu to Internet Explorer that contains links to other Web sites.
      • Displays advertisements listed in the encrypted file %Windir%\System32\omniprivacy.khtml.
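The files, the Run value and the registry subkeys listed above are the artifacts a responder would look for when confirming an infection. The following PowerShell script is an added example, not code from Symantec or from this write-up: it performs a read-only audit of a host for exactly those artifacts and reports what it finds, leaving removal to the antivirus product. It assumes %System% and %ProgramFiles% resolve as described in the notes above; the function name and the list variables are the script's own. The Streams\Desktop "Taskbar" values are deliberately not treated as indicators, because Explorer creates them on clean systems too and only their binary content distinguishes the adware.

```powershell
# Added example (not from the Symantec write-up): read-only audit for Adware.BlazeFind
# artifacts. Every file name, value name and registry path below is taken from the
# write-up; nothing on the host is modified.
function Find-BlazeFindArtifacts {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Files dropped into %System% (item 1 and item 5 of the write-up)
    $system = [Environment]::GetFolderPath('System')   # resolves %System%, e.g. C:\Windows\System32
    $systemFiles = '2_0_1browserhelper2.dll', 'UnstSA2.exe', 'key2.txt',
                   'car.ico', 'casino.ico', 'creditcard.bmp', 'Go.ico', 'omniprivacy.khtml'
    foreach ($name in $systemFiles) {
        $path = Join-Path $system $name
        if (Test-Path -LiteralPath $path) { $findings.Add("file: $path") }
    }
    # omniscient.exe lives under %ProgramFiles%\WindowsSA when it is created (item 3)
    $omni = Join-Path ([Environment]::GetFolderPath('ProgramFiles')) 'WindowsSA\omniscient.exe'
    if (Test-Path -LiteralPath $omni) { $findings.Add("file: $omni") }

    # 2. Run-key persistence: the "Windows SA" value starts the adware at boot (item 3)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Windows SA']) {
        $findings.Add("run value: 'Windows SA' = $($run.'Windows SA')")
    }

    # 3. Browser Helper Object registration (item 2) and the COM/uninstall keys (item 6).
    #    The BHO subkey named by the CLSID is what makes Internet Explorer load the DLL.
    $clsids = '{83DE62E0-5805-11D8-9B25-00E04C60FAF2}',
              '{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}',
              '{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}',
              '{C5941EE5-6DFA-11D8-86B0-0002441A9695}'
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}',
        'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}',
        'HKLM:\SOFTWARE\Microsoft\Windows SA',
        'HKLM:\SOFTWARE\Microsoft\DownloadManager',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SA',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows SR 2.0',
        'Registry::HKEY_CLASSES_ROOT\BridgeX.Installer',
        'Registry::HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand',
        'Registry::HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1',
        'Registry::HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}',
        'Registry::HKEY_CLASSES_ROOT\TypeLib\{0B3569D7-1EA4-4CBA-AC13-225902619789}',
        # The write-up lists this under "HKEY_ALL_USERS"; checking the current user's hive
        # is an assumption of this script, each other loaded user hive would need the same check.
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}'
    )
    foreach ($clsid in $clsids) { $keys += "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" }
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) { $findings.Add("registry key: $key") }
    }

    return $findings.ToArray()
}

$found = Find-BlazeFindArtifacts
if ($found.Count -eq 0) {
    'No Adware.BlazeFind artifacts found.'
} else {
    $found | ForEach-Object { "FOUND  $_" }
}
```

Run it from an elevated prompt so that HKLM and the System folder are readable; a single hit on the Browser Helper Objects subkey or the "Windows SA" Run value is enough to treat the host as infected, whereas the .ico and .bmp files alone are weaker evidence because the write-up marks them as optional.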

