Spyware.2020search


Updated: February 13, 2007 11:39:10 AM
Type: Spyware
Version: 1.1.1.0
Publisher: Visicom Media
Risk Impact: High
File Names: 2020setup.exe, Svchost.exe, 2020Search.dll, 2020search2.dll, Srng.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Spyware.2020search is executed, it performs the following actions:
  1. Replaces Internet Explorer's Search pane with a search page at pop.popuptoast.com/9908/search/search.html.

  2. Installs a new Internet Explorer toolbar.

  3. Downloads Svchost.exe from www.2020search.com/9908/install.

  4. When Internet Explorer is opened, downloads the file 2020search2tb0200.cfg from www.2020search.com/9908/toolbar.

  5. Creates the following files:

    • %ProgramFiles%\Srng\Srng.exe (this is the bundled Spyware.Shopnav).
    • %Windir%\svchost.exe (a component of Spyware.Shopnav that checks for new versions of Spyware.Shopnav, then downloads and updates to them when available; detected as Spyware.Shopnav).
    • %Windir%\2020search2.dll (the 2020search toolbar itself, detected as Spyware.2020search).

      Notes:
      • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
      • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

  6. Creates the folder:

    %ProgramFiles%\Dynamic Toolbar

  7. Adds the value:

    "Srng"="C:\Program Files\Srng\Srng.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the main Spyware.Shopnav executable runs when you start Windows.

  8. Registers the file 2020search2.dll so that it is integrated into Internet Explorer.

  9. Creates some of the following registry keys:

    HKEY_CLASSES_ROOT\CLSID\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}
    HKEY_CLASSES_ROOT\CLSID\{FC2493D6-A673-49FE-A2EE-EFE03E95C27C}
    HKEY_CLASSES_ROOT\CLSID\{FC3A74E5-F281-4F10-AE1E-733078684F3C}
    HKEY_CLASSES_ROOT\Interface\{7B9A715E-9D87-4C21-BF9E-F914F2FA953F}
    HKEY_CLASSES_ROOT\Interface\{EAF2CCEE-21A1-4203-9F36-4929FD104D43}
    HKEY_CLASSES_ROOT\Interface\{02CB16D1-4CA7-47FF-8546-C5E925DF33D6}
    HKEY_CLASSES_ROOT\TypeLib\{6D3F5DE4-E980-4407-A10F-9AC771ABAAE6}
    HKEY_CLASSES_ROOT\TypeLib\{E306B3C1-3C68-4EFA-9EBC-0B99C6A918C2}
    HKEY_CLASSES_ROOT\GoRSDN.ContextItem
    HKEY_CLASSES_ROOT\GoRSDN.ContextItem.1
    HKEY_CLASSES_ROOT\Pugi.PugiObj
    HKEY_CLASSES_ROOT\Pugi.PugiObj.1
    HKEY_CLASSES_ROOT\Downloader.Downloader
    HKEY_CLASSES_ROOT\Downloader.Downloader.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2020Search2020Search
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&RSDN Search
    HKEY_CURRENT_USER\Software\2020Search

  10. Adds the value:

    "[default]" = "{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
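
The registry changes in steps 7, 9 and 10 can be checked offline against a text export of a machine's registry. The Python below is an added example, not part of the original write-up: the function names and the sample export are constructed, CREATED_KEYS is only a subset of step 9, and the export is assumed to be already decoded to text (regedit writes UTF-16).

```python
import re

# Indicators copied from the write-up above; CREATED_KEYS is a subset of step 9.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
CLSID = "{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}"
TOOLBAR_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser",
)
CREATED_KEYS = (
    r"HKEY_CLASSES_ROOT\CLSID\{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}",
    r"HKEY_CURRENT_USER\Software\2020Search",
)
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}.
    Only string values are kept; .reg escapes (\\\\ and \\") are undone."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[unescape(m.group(1) or "").lower()] = unescape(m.group(2))
    return keys

def find_2020search(text):
    """List (indicator, detail) pairs found in .reg export text."""
    keys, hits = parse_reg(text), []
    srng = keys.get(RUN_KEY.lower(), {}).get("srng", "")
    # %ProgramFiles% varies per host, so match the path suffix only.
    if srng.lower().endswith(r"\srng\srng.exe"):
        hits.append(("run-value", srng))
    # The page gives the CLSID as default-value data; a value named after it counts too.
    hits += [("toolbar-clsid", k) for k in TOOLBAR_KEYS
             if any(CLSID.lower() in (n, d.lower()) for n, d in keys.get(k.lower(), {}).items())]
    hits += [("created-key", k) for k in CREATED_KEYS if k.lower() in keys]
    return hits

# Constructed sample export (not from the page), in regedit's text format.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Srng"="C:\\Program Files\\Srng\\Srng.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
@="{4E1075F4-EEC4-4a86-ADD7-CD5F52858C31}"
[HKEY_CURRENT_USER\Software\2020Search]
'''
```

Because step 9 says only some of the keys are created, a missing key does not rule out an installation; the Run value and toolbar CLSID are the stronger signals.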

