Adware.EasySearch

Updated: February 13, 2007 11:38:59 AM
Type: Adware
Risk Impact: High
File Names: Runwin32.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Me, Windows NT, Windows Server 2003, Windows XP

When Adware.EasySearch runs, it does the following:

  1. Downloads a program from a predetermined site and installs it as:

    %Windir%\iau.exe

    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  2. Copies the above program to the following files:
    • %Windir%\stisvsq.exe
    • %Windir%\svshost.exe
    • %Windir%\msqdevl.exe
    • %Windir%\lssas.exe
    • %Windir%\mservice.exe

  3. Adds the value:

    "Start Page"="[URL on the domain easy-search.biz]"

    to the registry keys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

    to redirect the Internet Explorer start page.

  4. Adds the values:

    "ProxyServer"="127.0.0.1:8080"
    "ProxyOverride"="local"

    to the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

    to set Adware.EasySearch as a proxy server that Internet Explorer uses to access the Internet.

  5. Adds the values:

    "Microsoft Internet Acceleration Utility"="iau.exe"
    "Internet Connection Wizard"="stisvsq.exe"
    "Games Acceleration"="svshost.exe"
    "Internet Mail and News"="msqdevl.exe"
    "Microsoft Management Console"="lssas.exe"
    "Multimedia extensions"="mservice.exe"

    to the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that Adware.EasySearch runs when Windows starts.

  6. Runs on port 8080 on the infected computer as a proxy to Internet Explorer.

  7. Periodically redirects the user to one of the following domains:
    • worldtracker.biz
    • pornlandz.com
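The registry changes in steps 3 to 5 can be checked offline against a .reg export of a suspect machine. The following is an added example, not part of the original write-up: the function name and the sample export (including the start-page URL path) are constructed for illustration, while the indicator values are the ones listed above.

```python
import re

# Indicators copied from the write-up above; SAMPLE at the bottom is constructed.
RUN_FILES = {"iau.exe", "stisvsq.exe", "svshost.exe",
             "msqdevl.exe", "lssas.exe", "mservice.exe"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
INET_KEY = r"\software\microsoft\windows\currentversion\internet settings"
IE_MAIN_KEY = r"\software\microsoft\internet explorer\main"
PROXY = {("proxyserver", "127.0.0.1:8080"), ("proxyoverride", "local")}
# Matches "name"="string data"; dword/hex values are skipped on purpose.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def audit_reg_export(text):
    """Return (key, value name, data, reason) for each matching indicator."""
    findings, key = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current registry key path
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        # .reg files escape backslashes and quotes inside strings; undo that.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        k, n, d = key.lower(), name.lower(), data.lower()
        reason = None
        # Run keys: compare the bare file name so full paths match too.
        if k.endswith(RUN_KEY) and d.rsplit("\\", 1)[-1] in RUN_FILES:
            reason = "autostart entry for a listed file name"
        elif k.endswith(INET_KEY) and (n, d) in PROXY:
            reason = "Internet Explorer proxy setting from the write-up"
        elif k.endswith(IE_MAIN_KEY) and n == "start page" and "easy-search.biz" in d:
            reason = "start page on easy-search.biz"
        if reason:
            findings.append((key, name, data, reason))
    return findings

SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Games Acceleration"="svshost.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="127.0.0.1:8080"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://easy-search.biz/placeholder"
'''
if __name__ == "__main__":
    print(*audit_reg_export(SAMPLE), sep="\n")
```

A proxy value of 127.0.0.1:8080 on its own is also set by legitimate local proxy tools, so treat it as significant only alongside the Run entries or the start-page change.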

