
Adware.Begin2search

Updated:
February 13, 2007 11:39:45 AM
Type:
Adware
Risk Impact:
High
File Names:
reg6523.exe winb2s32.dll trgen[NUMBER].dll winbbb.rtneg[NUMBER].dll
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Begin2search is executed, it performs the following actions:
  1. Creates the following files:

    • %System%\reg6523.exe
    • %System%\winb2s32.dll
    • %System%\winbbb.dat
    • %System%\dsktrf.dll
    • %System%\ns[RANDOM CHARACTERS].dll
    • %System%\trgen[NUMBER].dll
    • %System%\rtneg[NUMBER].dll
    • %System%\gpstool.dll
    • %System%\gwss.dll
    • %Windir%\Downloaded Program Files\winb2s32.inf

      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).

  2. May create the file msg.bin in one of the following folders:

    • %System%\cache32<RANDOM>
    • %System%\b2s_cache

  3. Creates a number of .url links in the following locations:
    • %UserProfile%\Desktop
    • %UserProfile%\Favorites

      Note: %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

  4. Creates a number of .ico files in the %System% folder. These filenames will normally end in a random series of digits.

  5. Adds some or all of the following registry subkeys:

    HKEY_CLASSES_ROOT\dsktrf.amo
    HKEY_CLASSES_ROOT\dsktrf.amo.1
    HKEY_CLASSES_ROOT\dsktrf.iiittt
    HKEY_CLASSES_ROOT\dsktrf.iiittt.1
    HKEY_CLASSES_ROOT\dsktrf.momo
    HKEY_CLASSES_ROOT\dsktrf.momo.1
    HKEY_CLASSES_ROOT\dsktrf.ohb
    HKEY_CLASSES_ROOT\dsktrf.ohb.1
    HKEY_CLASSES_ROOT\trfdsk.amo
    HKEY_CLASSES_ROOT\trfdsk.amo.1
    HKEY_CLASSES_ROOT\trfdsk.iiittt
    HKEY_CLASSES_ROOT\trfdsk.iiittt.1
    HKEY_CLASSES_ROOT\trfdsk.momo
    HKEY_CLASSES_ROOT\trfdsk.momo.1
    HKEY_CLASSES_ROOT\trfdsk.ohb
    HKEY_CLASSES_ROOT\trfdsk.ohb.1
    HKEY_CLASSES_ROOT\winb2s.dbi
    HKEY_CLASSES_ROOT\winb2s.dbi.1
    HKEY_CLASSES_ROOT\winb2s.iiittt
    HKEY_CLASSES_ROOT\winb2s.iiittt.1
    HKEY_CLASSES_ROOT\winb2s.momo
    HKEY_CLASSES_ROOT\winb2s.momo.1
    HKEY_CLASSES_ROOT\winb2s.ohb
    HKEY_CLASSES_ROOT\winb2s.ohb.1
    HKEY_CLASSES_ROOT\winb2s.amo
    HKEY_CLASSES_ROOT\winb2s.amo.1
    HKEY_CLASSES_ROOT\<DLL_FILENAME>
    HKEY_CLASSES_ROOT\<DLL_FILENAME>.1
    HKEY_CLASSES_ROOT\CLSID\{07e9cdf4-20d2-46b1-b681-663968f527ce}
    HKEY_CLASSES_ROOT\CLSID\{0962DA67-DB64-465C-8CD7-CBB357CAF825}
    HKEY_CLASSES_ROOT\CLSID\{09c14745-90fd-42d1-9276-4924d7dbc274}
    HKEY_CLASSES_ROOT\CLSID\{0D2C959E-BA6A-4BBA-97AD-5BCA3F416F4D}
    HKEY_CLASSES_ROOT\CLSID\{12CB5A72-9CBD-4C3C-999D-140C5D196068}
    HKEY_CLASSES_ROOT\CLSID\{22B720C7-5FA6-40A8-9F8F-8584BF669690}
    HKEY_CLASSES_ROOT\CLSID\{22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB}
    HKEY_CLASSES_ROOT\CLSID\{356B2BD0-D206-4E21-8C85-C6F49409C6A9}
    HKEY_CLASSES_ROOT\CLSID\{486145B0-37D1-428B-B3E1-26D26F690C79}
    HKEY_CLASSES_ROOT\CLSID\{4d568f0f-8ac9-40ab-88b7-415134c78777}
    HKEY_CLASSES_ROOT\CLSID\{52ADD86D-9561-4C40-B561-4204DBC139D1}
    HKEY_CLASSES_ROOT\CLSID\{52fe5233-367c-4efb-bdd7-0be4d212c107}
    HKEY_CLASSES_ROOT\CLSID\{62631E26-B5A1-4AC4-A3AE-1CB72C6819C5}
    HKEY_CLASSES_ROOT\CLSID\{7c5e5671-7a1d-4ae8-91f0-496adf2825f7}
    HKEY_CLASSES_ROOT\CLSID\{82F55658-CA6D-4754-B313-5DCAAFA0BB42}
    HKEY_CLASSES_ROOT\CLSID\{999A06FF-10EF-4A29-8640-69E99882C26B}
    HKEY_CLASSES_ROOT\CLSID\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}
    HKEY_CLASSES_ROOT\CLSID\{D7A7442D-85A9-475F-82F9-65ED4110B4C5}
    HKEY_CLASSES_ROOT\CLSID\{E4776F3A-6936-4A9C-B2DA-E57C239FD2F8}
    HKEY_CLASSES_ROOT\CLSID\{FF81672F-13FF-401F-8662-6E895C564CC4}
    HKEY_CLASSES_ROOT\Interface\{018C5406-AEE6-4A68-980F-2CEB1E9416FB}
    HKEY_CLASSES_ROOT\Interface\{02B577D5-2212-42F3-AD51-2F6A9AE43233}
    HKEY_CLASSES_ROOT\Interface\{0A7FC040-F84A-4AD7-9439-798B6C0F861E}
    HKEY_CLASSES_ROOT\Interface\{17973BD7-959C-4D8A-8B2F-AB200E20A75E}
    HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}
    HKEY_CLASSES_ROOT\Interface\{3567EB04-1CBD-4CDE-A75B-0926BDC09694}
    HKEY_CLASSES_ROOT\Interface\{35AE618D-45F7-4AA7-A373-300DCB98858A}
    HKEY_CLASSES_ROOT\Interface\{42F58F60-9299-4564-9ABD-8E9324844560}
    HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}
    HKEY_CLASSES_ROOT\Interface\{6C74660B-1019-44A1-90DB-73D148CD3D83}
    HKEY_CLASSES_ROOT\Interface\{6FE4AADF-EDAC-4037-9164-0B60179A4F12}
    HKEY_CLASSES_ROOT\Interface\{696D1AF8-D0FF-42FD-BD8D-D0B20D64F508}
    HKEY_CLASSES_ROOT\Interface\{71C456DD-F55B-46CE-ADCF-53D5899B8F79}
    HKEY_CLASSES_ROOT\Interface\{806FCA2B-146F-4DC3-9CE7-3C576FEA15C3}
    HKEY_CLASSES_ROOT\Interface\{8BF896EC-DBA2-4415-A30A-246DA121825B}
    HKEY_CLASSES_ROOT\Interface\{8FC08358-3634-44C7-A8F2-96DC7F39ACD2}
    HKEY_CLASSES_ROOT\Interface\{A797A41D-F9F0-4A32-B9B5-AF927CB5AE54}
    HKEY_CLASSES_ROOT\Interface\{AABA5D92-6CBD-4F4D-A718-EB6BAF59EB4C}
    HKEY_CLASSES_ROOT\Interface\{B12508AD-CA55-4238-8DB3-55808BA6915A}
    HKEY_CLASSES_ROOT\Interface\{B481FEE7-CECB-402F-BCB9-8C612AA5F63D}
    HKEY_CLASSES_ROOT\Interface\{BF7CB2C3-55B6-44C1-9615-920D004C27F7}
    HKEY_CLASSES_ROOT\Interface\{C93CC79D-02D5-45B0-BE39-7F5B0E5DDA31}
    HKEY_CLASSES_ROOT\Interface\{C29B2FB8-E65F-4239-BB2B-E52BC74B78B7}
    HKEY_CLASSES_ROOT\Interface\{CB08E48A-FE7E-4F13-8593-B7AE6EC81D83}
    HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}
    HKEY_CLASSES_ROOT\Interface\{DE53FA5D-11CC-4CB5-8D8E-EB5AA59C1E5A}
    HKEY_CLASSES_ROOT\Interface\{E38924F7-F290-4C13-BEEC-E8C587F58128}
    HKEY_CLASSES_ROOT\Interface\{EF90EB04-44C3-4AE5-9D01-C8DEF134D82A}
    HKEY_CLASSES_ROOT\Interface\{F912C325-5B26-4AD6-BF39-84370833E972}
    HKEY_CLASSES_ROOT\Interface\{FA82A7EC-2AFC-4EE0-8F83-3229F7C6437E}
    HKEY_CLASSES_ROOT\TypeLib\{081DE2F6-927B-4AA9-88C1-F531C9387383}
    HKEY_CLASSES_ROOT\TypeLib\{45782901-BA9F-422D-B231-BCB6487FAC4B}
    HKEY_CLASSES_ROOT\TypeLib\{64440E59-A0DD-421C-AA4B-268141D764BB}
    HKEY_CLASSES_ROOT\TypeLib\{DA15C9A2-C30A-4761-922A-5DFE7C9A1F67}
    HKEY_CLASSES_ROOT\TypeLib\{FB07B291-4472-4C55-96C7-A3C8A48F4075}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B720C7-5FA6-40A8-9F8F-8584BF669690}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4d568f0f-8ac9-40ab-88b7-415134c78777}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{999A06FF-10EF-4A29-8640-69E99882C26B}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}
    HKEY_CURRENT_USER\Software\6w23hdcsgt
    HKEY_CURRENT_USER\Software\_gpstool
    HKEY_CURRENT_USER\Software\_trgen
    HKEY_CURRENT_USER\Software\_rtneg
    HKEY_CURRENT_USER\Software\_rtneg2
    HKEY_CURRENT_USER\Software\_rtneg3
    HKEY_CURRENT_USER\Software\_dsktptr
    HKEY_CURRENT_USER\Software\_<DLL_FILENAME>
    HKEY_CURRENT_USER\Software\aaa_soft
    HKEY_CURRENT_USER\Software\drelkge789AEF5
    HKEY_CURRENT_USER\eeennn
    HKEY_CURRENT_USER\Software\RecordNRip

    Note: The variable <DLL_FILENAME> refers to the name of the DLL file created in Step 1.

  6. Adds the values:

    "www.warezenergy.com"
    "www.consoleunderground.com"


    to the registry key

    HKEY_CURRENT_USER\software\microsoft\internet explorer\new window\allow

  7. May change Internet Explorer's search settings by modifying the values

    SearchURL
    Search Bar
    Search Page
    SearchAssistant

    under the registry subkeys:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

  8. Adds a search toolbar to Internet Explorer.

  9. Displays pop-up advertisements.

  10. May add the following value:

    "{52FE5233-367C-4EFB-BDD7-0BE4D212C107}" = ""

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar


  11. May download one or more of the following links to the desktop:

    • Download Free Movies.url
    • Download Free Music.url
    • Download Movies.url
    • Download MP3s.url
    • Free Bose Stereo.url
    • Free IBM Laptop.url
    • Free IBM ThinkPad.url
    • Free Platinum Card.url
    • Free Poker.url
    • Free Porn.url
    • Free Sony PS3.url
    • Free XBox 360.url
    • Gambling Board.url
    • Hot Sexy Mamma.url
    • Kill All Spyware.url
    • Kill Evidence.url
    • Kill Spyware.url
    • Kill Viruses.url
    • Kmart Smart Card.url
    • Online Sex.url
    • Party Poker.url
    • Play Bingo.url
    • Popup Blocker.url
    • Popup Killer.url
    • Rate Me.url
    • Rate My Body.url
    • Record Music.url
    • Remove Porn.url
    • SexSearch.url
    • Sexy Ringtones.url
    • Spyware Killer.url
    • Spyware Remover.url
    • Virus Hunter.url
    • YAHOOOOO!.url
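
The script below is an added triage example; it is not Symantec's tooling and not code from this write-up. It checks a `reg export` (.reg) text dump and plain file-name listings of %System% and the Desktop against the indicators in steps 1, 5, 6, 7, 10 and 11, so nothing has to be executed on the suspect host. The .reg excerpt and file lists at the bottom are constructed, not captured from an infection; the pop-up allow-list key is matched under both the spelling given in step 6 and IE's own "New Windows\Allow" key name; the Desktop .url names are a subset of step 11; and the IE search values from step 7 are reported for review rather than as hits, because the write-up does not state what they are set to and clean systems set them as well.

```python
"""Offline triage of the Adware.Begin2search indicators listed above.

Works on a `reg export` (.reg) text dump plus file-name listings of %System%
and the Desktop, so nothing needs to run on the suspect host. Indicator values
come from the write-up; the sample inputs at the bottom are constructed.
"""
import re

BHO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects").lower()
BHO_CLSIDS = {  # step 5: Browser Helper Object registrations
    "{22B720C7-5FA6-40A8-9F8F-8584BF669690}", "{22DFEAE8-9AD2-4FC6-9CBA-A6566CA3B6EB}",
    "{4D568F0F-8AC9-40AB-88B7-415134C78777}", "{999A06FF-10EF-4A29-8640-69E99882C26B}",
    "{CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01}",
}
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar".lower()
TOOLBAR_CLSID = "{52FE5233-367C-4EFB-BDD7-0BE4D212C107}"  # step 10
HKCU_SOFTWARE_KEYS = {  # step 5: per-user keys, lower-cased like the parsed paths
    "6w23hdcsgt", "_gpstool", "_trgen", "_rtneg", "_rtneg2", "_rtneg3",
    "_dsktptr", "aaa_soft", "drelkge789aef5", "recordnrip",
}
POPUP_ALLOW_DOMAINS = {"www.warezenergy.com", "www.consoleunderground.com"}  # step 6
IE_SEARCH_VALUES = {"searchurl", "search bar", "search page", "searchassistant"}  # step 7
IE_SEARCH_KEYS = {
    r"hkey_current_user\software\microsoft\internet explorer",
    r"hkey_current_user\software\microsoft\internet explorer\main",
    r"hkey_local_machine\software\microsoft\internet explorer\search",
}
SYSTEM_FILES = {"reg6523.exe", "winb2s32.dll", "winbbb.dat", "dsktrf.dll",
                "gpstool.dll", "gwss.dll"}  # step 1, fixed names only
SYSTEM_PATTERN = re.compile(r"^(trgen|rtneg)\d+\.dll$", re.I)  # trgen/rtneg[NUMBER].dll
DESKTOP_URLS = {"free ibm laptop.url", "kill spyware.url", "popup killer.url",
                "spyware remover.url"}  # a subset of the step 11 names


def parse_reg_export(text):
    """Map each [KEY] section of a .reg dump to the set of value names under it.
    Key paths are lower-cased (the registry is case-insensitive); value data is dropped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, set())
        elif current is not None and line.startswith('"') and "=" in line:
            keys[current].add(line[1:line.index('"', 1)])
    return keys


def find_registry_indicators(keys):
    """Return (hits, review): hits are definite indicators; review items are the IE
    search values step 7 says may change, which clean machines set too."""
    hits, review = [], []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent == BHO_KEY and leaf.upper() in BHO_CLSIDS:
            hits.append(f"BHO registered: {leaf.upper()}")
        elif parent == r"hkey_current_user\software" and leaf in HKCU_SOFTWARE_KEYS:
            hits.append(f"HKCU\\Software\\{leaf}")
        elif key == TOOLBAR_KEY and any(v.upper() == TOOLBAR_CLSID for v in values):
            hits.append(f"IE toolbar registered: {TOOLBAR_CLSID}")
        # step 6 spells the key "new window\allow"; IE's pop-up blocker allow
        # list is "New Windows\Allow", so the match tolerates both spellings
        elif "\\internet explorer\\new window" in key and key.endswith("\\allow"):
            hits += [f"pop-up allow-list entry: {v}" for v in values
                     if v.lower() in POPUP_ALLOW_DOMAINS]
        elif key in IE_SEARCH_KEYS:
            review += [f"review {key}\\{v}" for v in values if v.lower() in IE_SEARCH_VALUES]
    return sorted(hits), sorted(review)


def find_file_indicators(system_names, desktop_names):
    """Name-only matches for steps 1 and 11. The write-up gives no hashes, so a
    match is a lead to examine, not proof by itself."""
    hits = [f"%System%\\{n}" for n in system_names
            if n.lower() in SYSTEM_FILES or SYSTEM_PATTERN.match(n)]
    hits += [f"Desktop\\{n}" for n in desktop_names if n.lower() in DESKTOP_URLS]
    return sorted(hits)


# Constructed sample inputs, not captured from a real infection.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22B720C7-5FA6-40A8-9F8F-8584BF669690}]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{52FE5233-367C-4EFB-BDD7-0BE4D212C107}"=""
[HKEY_CURRENT_USER\Software\_trgen]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows\Allow]
"www.warezenergy.com"=hex:00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://placeholder.invalid/"
"""
SAMPLE_SYSTEM_FILES = ["kernel32.dll", "reg6523.exe", "trgen4521.dll", "rtneg7.dll"]
SAMPLE_DESKTOP_FILES = ["report.docx", "Free IBM Laptop.url"]

if __name__ == "__main__":
    print(find_registry_indicators(parse_reg_export(SAMPLE_REG)))
    print(find_file_indicators(SAMPLE_SYSTEM_FILES, SAMPLE_DESKTOP_FILES))
```

On a live host the same checks can be fed from `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` plus a `dir /b` of %System% and the Desktop; the random-named files in steps 1, 2 and 4 (ns[RANDOM CHARACTERS].dll, cache32<RANDOM>, the .ico files) are deliberately not matched, because a name pattern that loose would flag legitimate files.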

