Updated: February 13, 2007 11:38:59 AM
Type: Adware
Risk Impact: High
File Names: Runwin32.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.EasySearch runs, it does the following:
- Downloads a program from a predetermined site and installs it as:
%Windir%\iau.exe
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- Copies the above program to the following files:
  - %Windir%\stisvsq.exe
  - %Windir%\svshost.exe
  - %Windir%\msqdevl.exe
  - %Windir%\lssas.exe
  - %Windir%\mservice.exe
- Adds the value:
"Start Page"="[URL on the domain easy-search.biz]"
to the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
to redirect the Internet Explorer start page.
- Adds the values:
"ProxyServer"="127.0.0.1:8080"
"ProxyOverride"="local"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
to set Adware.EasySearch as a proxy server that Internet Explorer uses to access the Internet.
- Adds the values:
"Microsoft Internet Acceleration Utility"="iau.exe"
"Internet Connection Wizard"="stisvsq.exe"
"Games Acceleration"="svshost.exe"
"Internet Mail and News"="msqdevl.exe"
"Microsoft Management Console"="lssas.exe"
"Multimedia extensions"="mservice.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that Adware.EasySearch runs when Windows starts.
- Listens on port 8080 on the infected computer, acting as a proxy for Internet Explorer.
- Periodically redirects the user to one of the following domains:
  - worldtracker.biz
  - pornlandz.com
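The registry changes listed above can be checked offline against a registry export. The following is an added example, not part of the original write-up: the function names and the sample export are constructed for illustration, and the input is assumed to be the text of a .reg export covering the keys named above.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the write-up above; compared case-insensitively.
RUN = r"\software\microsoft\windows\currentversion\run"
IE_MAIN = r"\software\microsoft\internet explorer\main"
INET = r"\software\microsoft\windows\currentversion\internet settings"
RUN_VALUES = {
    "microsoft internet acceleration utility": "iau.exe",
    "internet connection wizard": "stisvsq.exe",
    "internet mail and news": "msqdevl.exe",
    "microsoft management console": "lssas.exe",
    "games acceleration": "svshost.exe", "multimedia extensions": "mservice.exe",
}
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, name, data) for each string value, with .reg escapes undone."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := STRING_VALUE.match(line)):
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def matches(key, name, data):
    """True if one registry string value matches a change listed above."""
    k, n, d = key.lower(), name.lower(), data.lower()
    if k.endswith(RUN):
        return RUN_VALUES.get(n) == d.rsplit("\\", 1)[-1]
    if k.endswith(IE_MAIN) and n == "start page":
        host = urlsplit(d).hostname or ""
        return host == "easy-search.biz" or host.endswith(".easy-search.biz")
    # A loopback proxy can be legitimate; treat this hit as a lead, not proof.
    return k.endswith(INET) and n == "proxyserver" and d == "127.0.0.1:8080"

def find_easysearch(text):
    """Return every (key, name, data) tuple in the export that matches."""
    return [value for value in parse_reg(text) if matches(*value)]

# Constructed sample export, not taken from a real host.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Games Acceleration"="svshost.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="127.0.0.1:8080"
"""
```

Exports written by regedit in the "Version 5.00" format are UTF-16 encoded, so decode the file accordingly before passing its text to find_easysearch.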