
Adware.180Search

Updated: February 13, 2007 11:37:46 AM
Type: Adware
Publisher: 180Solutions
Risk Impact: Medium
File Names: Msbb.exe, Boomerang.exe, 180SAInstaller.dll, setup4156.exe, sac.exe, sau.exe, 1802.dll, salmbundle
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.180Search is executed, it does the following:
  1. May create the following folder:

    %Windir%\FLEOK\

    Notes:
    %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. Installs itself to one or more of the following locations:

    • %ProgramFiles%\180search Assistant\sain.exe
    • %ProgramFiles%\180search Assistant\hsr.dll
    • %ProgramFiles%\180search Assistant\sau.exe
    • %ProgramFiles%\180search Assistant\sau.log
    • %ProgramFiles%\180search Assistant\sau.dll
    • %ProgramFiles%\180search Assistant\sau_[3 RANDOM LETTERS].dat
    • %ProgramFiles%\180search Assistant\sauau.dat
    • %ProgramFiles%\180search Assistant\sac.exe
    • %ProgramFiles%\180searchassistant\salm.exe
    • %ProgramFiles%\180searchassistant\salmau_update.dat
    • %ProgramFiles%\180searchassistant\salm.dat
    • %ProgramFiles%\180searchassistant\salm_[3 RANDOM LETTERS].dat
    • %ProgramFiles%\180searchassistant\salm_[3 RANDOM LETTERS]_update.dat
    • %ProgramFiles%\180searchassistant\sac_[3 RANDOM LETTERS]_update.dat
    • %ProgramFiles%\180searchassistant\sac_[3 RANDOM LETTERS].dat
    • %ProgramFiles%\180searchassistant\sackyf.dat
    • %ProgramFiles%\180searchassistant\sacau.dat
    • %Windir%\[RANDOM FILE NAME].exe
    • %Windir%\salm.exe
    • %Windir%\salm[Random letters].dat
    • %Windir%\salm_gdf.dat
    • %Windir%\salm_kyf.dat
    • %Windir%\salm.log
    • %Temp%\180sainstallernusalm.exe
    • %UserProfile%\Local Settings\Temp\180ax.exe
    • %UserProfile%\Local Settings\Temp\180ax.log
    • %Windir%\ClientInstaller.log

      Notes:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[Current User] (Windows NT/2000/XP).

  3. May create the following files:

    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\180search Assistant\180search Assistant.com.url
    • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\180search Assistant\Uninstall 180search Assistant Instructions.lnk

      Note: %SystemDrive% is a variable that refers to the drive on which Windows is installed. By default, this is drive C.

  4. May add the values:

    "MSBB" = "[PATH TO FILE]"
    "sau" = "%ProgramFiles%\180search assistant\sau.exe"
    "sac" = "%ProgramFiles%\180searchassistant\sac.exe"
    "sain" = "%ProgramFiles%\180search assistant\sain.exe"
    "salm" = "[PATH TO FILE]\salm.exe"
    "180ax" = "%userprofile%\local settings\temp\180ax.exe"
    "[RANDOM FILE NAME]" = "%Windir%\[RANDOM FILE NAME].exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  5. Creates some of the following registry entries:

    HKEY_CLASSES_ROOT\CLSID\{B10031B2-F184-4803-9A88-D239C0641D70}
    HKEY_CLASSES_ROOT\Interface\{A79F8202-E09D-4F0F-AD4D-DCAE1DAC5994}
    HKEY_CLASSES_ROOT\TypeLib\{F2BF4713-E933-4B66-8694-22ED243709C7}
    HKEY_CLASSES_ROOT\180SAInstaller.180SAInstaller
    HKEY_CLASSES_ROOT\180SAInstaller.180SAInstaller.1
    HKEY_LOCAL_MACHINE\SOFTWARE\sau
    HKEY_LOCAL_MACHINE\SOFTWARE\sac
    HKEY_LOCAL_MACHINE\SOFTWARE\sain
    HKEY_LOCAL_MACHINE\SOFTWARE\salm
    HKEY_LOCAL_MACHINE\SOFTWARE\180ax
    HKEY_CURRENT_USER\Software\sau
    HKEY_CURRENT_USER\Software\sac
    HKEY_CURRENT_USER\Software\sain
    HKEY_CURRENT_USER\SOFTWARE\salm
    HKEY_CURRENT_USER\SOFTWARE\180ax
    HKEY_CURRENT_USER\Software\180solutions
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\180ax
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\nCASE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\msbb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sac
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sain
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\salm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sau


  6. May add the value:

    "LoginSessionDisable" = "1"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control

    to prevent the risk from causing the system to automatically dial to an ISP.

  7. Monitors the contents of Web browser windows. When certain (configurable) keywords are detected in Web search or shopping browser windows, the adware displays the Web page of a partner site. The information collected includes:

    • Words typed into the Web browser.
    • The address of the Web site that the words were typed into.
    • Operating System version (including service pack).
    • Web browser used (including exact version number).
    • Screen width and height.

  8. Monitors the state of the adware application. If the adware is partially removed, it reinstalls the missing components.
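
The file and Run-key indicators in steps 1 to 4 can be turned into a triage check over a collected file listing and an export of the Run key. This is an added example, not Symantec's code: the regular expressions, function names and sample inventory are constructed for illustration, and it generalizes slightly by treating any file under either install folder as a match.

```python
import re

# File patterns from the write-up. "[3 RANDOM LETTERS]" / "[Random letters]"
# become letter classes; %Windir% is matched as \windows or \winnt.
FILE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\\180search ?assistant\\[^\\]+$",   # both install-folder spellings
    r"\\(windows|winnt)\\fleok(\\|$)",
    r"\\(windows|winnt)\\salm(\.exe|\.log|_?[a-z]+\.dat)$",
    r"\\(windows|winnt)\\clientinstaller\.log$",
    r"\\temp\\(180sainstallernusalm\.exe|180ax\.(exe|log))$",
)]
# Value names the write-up lists under HKLM\...\CurrentVersion\Run.
RUN_NAMES = {"msbb", "sau", "sac", "sain", "salm", "180ax"}
# "[RANDOM FILE NAME]" = "%Windir%\[RANDOM FILE NAME].exe"
WINDIR_EXE = re.compile(
    r"^(?:[a-z]:\\(?:windows|winnt)|%windir%)\\([^\\]+)\.exe$", re.I)

def match_files(paths):
    """Return the paths that match a file pattern from the write-up."""
    return [p for p in paths if any(rx.search(p) for rx in FILE_PATTERNS)]

def match_run_values(run_values):
    """Return {value name: reason} for Run values worth a closer look."""
    hits = {}
    for name, data in run_values.items():
        m = WINDIR_EXE.match(data.strip().strip('"'))
        if name.lower() in RUN_NAMES:
            hits[name] = "listed value name"
        elif m and m.group(1).lower() == name.lower():
            hits[name] = "name equals an .exe directly in %Windir%"
    return hits

# Constructed sample inventory (not from a real host).
SAMPLE_FILES = [
    r"C:\Program Files\180search Assistant\sau_qzt.dat",
    r"C:\Program Files\180searchassistant\salm_abc_update.dat",
    r"C:\WINDOWS\salm_kyf.dat",
    r"C:\Documents and Settings\alice\Local Settings\Temp\180ax.exe",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_RUN = {
    "sau": r'"C:\Program Files\180search assistant\sau.exe"',
    "xkqpwd": r"C:\WINDOWS\xkqpwd.exe",
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
}

if __name__ == "__main__":
    for p in match_files(SAMPLE_FILES):
        print("file:", p)
    for name, why in match_run_values(SAMPLE_RUN).items():
        print("run :", name, "-", why)
```

Short value names such as "sau" or "sac" can belong to unrelated software, so a name-only hit is a lead to confirm against the file and registry entries above.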

