Adware.Blazefind performs the following actions:
- Creates the following files:
- %System%\2_0_1browserhelper2.dll
- %System%\UnstSA2.exe
- %System%\key2.txt
- installer2.exe
- omniscient.exe
- Omniscienthook.dll
- omniband.dll
- wsaupdater.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Registers itself as a Browser Helper Object
- May add the value:
"Windows SA" = "%ProgramFiles%\WindowsSA\omniscient.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows starts.
Note: The file omniscient.exe is not always created.
- May modify the values:
"Taskbar" = "[binary data]"
"TaskbarWinXp" = "[binary data]"
in the registry subkey:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop
so that the adware is loaded into the taskbar every time the user logs on to Windows.
- May create some of the following files:
- %Windir%\System32\car.ico
- %Windir%\System32\casino.ico
- %Windir%\System32\creditcard.bmp
- %Windir%\System32\Go.ico
- %Windir%\System32\omniprivacy.khtml
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- May create some of the following registry subkeys:
HKEY_CLASSES_ROOT\BridgeX.Installer
HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand
HKEY_CLASSES_ROOT\WindowsSaBand.WinSaBand.1
HKEY_CLASSES_ROOT\CLSID\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
HKEY_CLASSES_ROOT\CLSID\{14D2CFFE-6656-4BEC-8D9E-DDE6F2D4EAE5}
HKEY_CLASSES_ROOT\CLSID\{C5941EE5-6DFA-11D8-86B0-0002441A9695}
HKEY_CLASSES_ROOT\Interface\{8C505A6B-124B-4768-8FD3-1A066C839848}
HKEY_CLASSES_ROOT\Typelib\{0B3569D7-1EA4-4CBA-AC13-225902619789}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SR 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Windows SA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
HKEY_LOCAL_MACHINE\Software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows SA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2}
- May exhibit some of the following behaviour:
- Restarts explorer.exe and hooks the .dll into all processes that inherit from the IEFrame class.
- Redirects search queries in Internet Explorer to www.blazefind.com
- Adds a "Main Links" menu to Internet Explorer that contains links to other Web sites.
- Displays advertisements listed in the encrypted file %Windir%\System32\omniprivacy.khtml.
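The following read-only PowerShell audit is an added example, not part of the original write-up: it checks a host for the persistence artifacts listed above (the "Windows SA" Run value, the BHO CLSID registration, the Streams\Desktop values and the dropped files). It assumes NT-class Windows, so %System% is resolved as $env:SystemRoot\System32.

```powershell
# Added example: audit for Adware.Blazefind artifacts named in the write-up. Reports only; removes nothing.
$clsid = '{83DE62E0-5805-11D8-9B25-00E04C60FAF2}'   # BHO CLSID listed in the write-up
$findings = @()

# 1. Run-key persistence: the "Windows SA" value under HKLM\...\Run
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Windows SA']) {
    $findings += "Run value 'Windows SA' = $($run.'Windows SA')"
}

# 2. Browser Helper Object registration, plus the DLL the CLSID points at
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path $bhoKey) {
    $inproc = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    $findings += "BHO registered: $bhoKey (InprocServer32 = $($inproc.'(default)'))"
}

# 3. Taskbar persistence via Explorer\Streams\Desktop. Clean systems also carry these
#    binary values, so they are reported for manual comparison, not as a verdict.
$streamsKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop'
$streams = Get-ItemProperty -Path $streamsKey -ErrorAction SilentlyContinue
foreach ($name in 'Taskbar', 'TaskbarWinXp') {
    if ($streams -and $streams.PSObject.Properties[$name]) {
        $findings += "Review: Streams\Desktop '$name' present ($($streams.$name.Length) bytes)"
    }
}

# 4. Dropped files in %System% (System32 on NT-class Windows) and %ProgramFiles%\WindowsSA
$sys = Join-Path $env:SystemRoot 'System32'
$names = '2_0_1browserhelper2.dll', 'UnstSA2.exe', 'key2.txt', 'omniscient.exe',
         'Omniscienthook.dll', 'omniband.dll', 'wsaupdater.exe', 'omniprivacy.khtml'
foreach ($f in $names) {
    $p = Join-Path $sys $f
    if (Test-Path $p) { $findings += "File present: $p" }
}
$pf = Join-Path $env:ProgramFiles 'WindowsSA\omniscient.exe'
if (Test-Path $pf) { $findings += "File present: $pf" }

if ($findings.Count -eq 0) { 'No Adware.Blazefind artifacts found.' } else { $findings }
```

Run from an elevated prompt so HKLM and System32 are readable; the Streams\Desktop lines are informational because Explorer writes those values on clean machines too.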