Adware.Henbang

Updated: February 13, 2007 11:41:59 AM
Type: Adware
Version: 1.0
Risk Impact: Medium
File Names: A0066055.exe, hap.dll, webad.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Henbang is executed, it performs the following actions:
  1. Creates some of the following files:

    • %System%\popcounts.ini
    • %System%\history.ini
    • %System%\hdp.ini
    • %System%\proc.ini
    • %System%\hda.ini
    • %System%\unregister.ini
    • %System%\drivers\Khdap.sys
    • %System%\drivers\Madbp.sys
    • %System%\drivers\Pupw.sys
    • %System%\drivers\Ustqilnr.sys
    • %System%\hap.dll
    • %System%\uninstall.exe
    • %System%\webad.dll
    • %System%\win.htm
    • %System%\winhtp.dll
    • %System%\hap.log
    • %System%\distributer.txt
    • %Windir%\hbsetup.log
    • %Desktop%\Henbang Secretary.lnk
    • %Startup%\Henbang Secretary.lnk
    • %StartMenu%\Programs\Henbang Secretary\Henbang Secretary.lnk
    • %StartMenu%\Programs\Henbang Secretary\Readme.lnk
    • C:\Documents and Settings\Administrator\Local Settings\Temp\hdp\adoc.txt

      Note:
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %Desktop% is a variable that refers to the Windows Desktop folder. By default, this is C:\Documents and Settings\Administrator\Desktop (Windows 95/98/Me) or C:\Documents and Settings\Administrator\Desktop (Windows NT/2000/XP).
    • %Startup% is a variable that refers to the Startup folder. By default, this is C:\Windows\Start Menu\Programs\StartUp (Windows 95/98/Me) or C:\Documents and Settings\[USER NAME]\Start Menu\Programs\Startup (Windows NT/2000/XP).
    • %StartMenu% is a variable that refers to the location of the Start Menu folder. By default, this is C:\Windows\Start Menu (Windows 95/98/Me) or C:\Documents and Settings\[USER NAME]\Start Menu (Windows NT/2000/XP).

  2. Creates the following legitimate files if they do not already exist:

    • %Windir%\UNWISE.EXE
    • %Windir%\UNWISE.INI

  3. Creates some of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D6F6BFF-1796-4779-9BA3-5F20F17E5CEA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71246576-0183-4C11-AF74-D377EC2209C4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AE9C1B10-C380-4363-8620-7C6311169BAA}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XPWindow.XWindow
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XPWindow.XWindow.1
    HKEY_CLASSES_ROOT\CLSID\{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}
    HKEY_CLASSES_ROOT\CLSID\{616D4040-5712-4F0F-BCF1-5C6420A99E14}
    HKEY_CLASSES_ROOT\Interface\{1363F829-37F1-4763-9FBA-E8BB564D95EE}
    HKEY_CLASSES_ROOT\Interface\{EF991B92-4308-454C-94BB-E0322A511BAB}
    HKEY_CLASSES_ROOT\TypeLib\{315A06D6-FCA7-45EA-B77D-EE7B90041224}
    HKEY_CLASSES_ROOT\TypeLib\{B58A1EFB-3DEE-4493-93B9-4DE3F99C8AEE}
    HKEY_CLASSES_ROOT\DownloadStart.DownloadValue
    HKEY_CLASSES_ROOT\DownloadStart.DownloadValue.1
    HKEY_CLASSES_ROOT\Monitor.URLMonitor
    HKEY_CLASSES_ROOT\Monitor.URLMonitor.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{616D4040-5712-4F0F-BCF1-5C6420A99E14}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{616D4040-5712-4F0F-BCF1-5C6420A99E14}
    HKEY_LOCAL_MACHINE\SOFTWARE\hap
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAP
    HKEY_CLASSES_ROOT\BrowserAssistant.BrowserHAP
    HKEY_CLASSES_ROOT\BrowserAssistant.BrowserHAP.1
    HKEY_CLASSES_ROOT\CLSID\{AEF6F648-78D8-4456-BEE7-5ADE23D209FD}
    HKEY_CLASSES_ROOT\Interface\{CF1C62E9-AC73-4647-A99C-D2213FFDA728}
    HKEY_CLASSES_ROOT\TypeLib\{25E5E3D6-0C5C-44BD-A4BE-7A1C1285D1BB}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEF6F648-78D8-4456-BEE7-5ADE23D209FD}

  4. Adds the value:

    "helperdll" = "Rundll32 %System%\drivers\Pupw.sys,Rundll32"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

    so that the risk runs every time Windows starts.

  5. Adds the value:

    "Enable Browser Extensions" = "yes"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

  6. Creates the following folders:

    • %UserProfile%\Start Menu\Program\Programs\Henbang Secretary
    • %UserProfile%\Local Settings\Temp\hdp
    • %ProgramFiles%\HDP\

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  7. Creates the following files:

    • %ProgramFiles%\HDP\Henbang\HBlibrary.dll
    • %ProgramFiles%\HDP\Henbang\henbang.exe
    • %ProgramFiles%\HDP\Henbang\XPWindow.dll
    • %ProgramFiles%\HDP\Henbang\default.hta
    • %ProgramFiles%\HDP\Henbang\Images\0_delete.gif
    • %ProgramFiles%\HDP\Henbang\Images\0_edit.gif
    • %ProgramFiles%\HDP\Henbang\Images\adorn.gif
    • %ProgramFiles%\HDP\Henbang\Images\arrow.gif
    • %ProgramFiles%\HDP\Henbang\Images\arrow_up.gif
    • %ProgramFiles%\HDP\Henbang\Images\bgtlbar.gif
    • %ProgramFiles%\HDP\Henbang\Images\close_hover.gif
    • %ProgramFiles%\HDP\Henbang\Images\close_normal.gif
    • %ProgramFiles%\HDP\Henbang\Images\dropdown.gif
    • %ProgramFiles%\HDP\Henbang\Images\expand.gif
    • %ProgramFiles%\HDP\Henbang\Images\Henbang.gif
    • %ProgramFiles%\HDP\Henbang\Images\henbang.ico
    • %ProgramFiles%\HDP\Henbang\Images\icon_close.gif
    • %ProgramFiles%\HDP\Henbang\Images\INSTALL.LOG
    • %ProgramFiles%\HDP\Henbang\Images\item.gif
    • %ProgramFiles%\HDP\Henbang\Images\links.gif
    • %ProgramFiles%\HDP\Henbang\Images\localTool.gif
    • %ProgramFiles%\HDP\Henbang\Images\logo.jpg
    • %ProgramFiles%\HDP\Henbang\Images\manager.gif
    • %ProgramFiles%\HDP\Henbang\Images\MenuItems\menu_category.gif
    • %ProgramFiles%\HDP\Henbang\Images\MenuItems\menu_home.gif
    • %ProgramFiles%\HDP\Henbang\Images\minus.gif
    • %ProgramFiles%\HDP\Henbang\Images\NavBar\Game.gif
    • %ProgramFiles%\HDP\Henbang\Images\NavBar\Henbang.gif
    • %ProgramFiles%\HDP\Henbang\Images\NavBar\Leisure.gif
    • %ProgramFiles%\HDP\Henbang\Images\NavBar\Page.gif
    • %ProgramFiles%\HDP\Henbang\Images\NavBar\Sys.gif
    • %ProgramFiles%\HDP\Henbang\Images\nav_hover.gif
    • %ProgramFiles%\HDP\Henbang\Images\nav_normal.gif
    • %ProgramFiles%\HDP\Henbang\Images\nav_select.gif
    • %ProgramFiles%\HDP\Henbang\Images\open_hover.gif
    • %ProgramFiles%\HDP\Henbang\Images\open_normal.gif
    • %ProgramFiles%\HDP\Henbang\Images\Page.gif
    • %ProgramFiles%\HDP\Henbang\Images\passport.gif
    • %ProgramFiles%\HDP\Henbang\Images\password.gif
    • %ProgramFiles%\HDP\Henbang\Images\plus.gif
    • %ProgramFiles%\HDP\Henbang\Images\search.gif
    • %ProgramFiles%\HDP\Henbang\Images\tab_hover.gif
    • %ProgramFiles%\HDP\Henbang\Images\tab_normal.gif
    • %ProgramFiles%\HDP\Henbang\Images\tbtitle.gif
    • %ProgramFiles%\HDP\Henbang\Images\title_bg.gif
    • %ProgramFiles%\HDP\Henbang\Images\top_bg.gif
    • %ProgramFiles%\HDP\Henbang\Images\UNWISE.EXE
    • %ProgramFiles%\HDP\Henbang\Images\UNWISE.INI
    • %ProgramFiles%\HDP\Henbang\myCategory.htm
    • %ProgramFiles%\HDP\Henbang\myFreeArea.htm
    • %ProgramFiles%\HDP\Henbang\myHomePage.htm
    • %ProgramFiles%\HDP\Henbang\mySites.htm
    • %ProgramFiles%\HDP\Henbang\myTools.htm
    • %ProgramFiles%\HDP\Henbang\readme.txt
    • %ProgramFiles%\HDP\Henbang\Scripts\footer.js
    • %ProgramFiles%\HDP\Henbang\Scripts\header.js
    • %ProgramFiles%\HDP\Henbang\slChannel.htm
    • %ProgramFiles%\HDP\Henbang\slChannelLink.htm
    • %ProgramFiles%\HDP\Henbang\slSubChannel.htm
    • %ProgramFiles%\HDP\Henbang\stChannels.htm
    • %ProgramFiles%\HDP\Henbang\stMyChannel.htm
    • %ProgramFiles%\HDP\Henbang\stMyFreeArea.htm
    • %ProgramFiles%\HDP\Henbang\stMyHomePage.htm
    • %ProgramFiles%\HDP\Henbang\stMySites.htm
    • %ProgramFiles%\HDP\Henbang\stMyTools.htm
    • %ProgramFiles%\HDP\Henbang\stPassport.htm
    • %ProgramFiles%\HDP\Henbang\stSearchEngines.htm
    • %ProgramFiles%\HDP\Henbang\style.css
    • %ProgramFiles%\HDP\Henbang\Uninstall.exe
    • %ProgramFiles%\HDP\Henbang\xpstyle\bottom.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\Buttons.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\Checkbox.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\close.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\left.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\max.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\min.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\Radio.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\restore.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\right.bmp
    • %ProgramFiles%\HDP\Henbang\xpstyle\theme.ini
    • %ProgramFiles%\HDP\Henbang\xpstyle\top.bmp
    • %ProgramFiles%\HDP\Henbang\_data\ads.htm
    • %ProgramFiles%\HDP\Henbang\_data\Channel.xml
    • %ProgramFiles%\HDP\Henbang\_data\Channel_0.xml
    • %ProgramFiles%\HDP\Henbang\_data\Channel_Common.xml
    • %ProgramFiles%\HDP\Henbang\_data\channel_default.xml
    • %ProgramFiles%\HDP\Henbang\_data\config.xml
    • %ProgramFiles%\HDP\Henbang\_data\FreeInfo.xml
    • %ProgramFiles%\HDP\Henbang\_data\HotWords.xml
    • %ProgramFiles%\HDP\Henbang\_data\HotWords.xsl
    • %ProgramFiles%\HDP\Henbang\_data\MySites.xml
    • %ProgramFiles%\HDP\Henbang\_data\MyTools.xml
    • %ProgramFiles%\HDP\Henbang\_data\Passports.xml
    • %ProgramFiles%\HDP\Henbang\_data\SearchEngines.xml
    • %ProgramFiles%\HDP\Henbang\_data\UrlLib.xml
    • %ProgramFiles%\HDP\Henbang\_data\UrlList02.xsl

  8. Attempts to access a Web site on the henbang.net domain.

  9. Displays pop-up advertisements on the compromised computer.
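The actions above give a defender three stable places to look: the "helperdll" value under the policies\Explorer\Run key (step 4), the Browser Helper Object CLSIDs (step 3), and the loader files dropped into %System% (step 1). The script below is an added, read-only check written for this page, not Symantec's own tooling; it assumes an elevated PowerShell prompt on a 32-bit view of the registry (it does not look under Wow6432Node) and only reports what it finds.

```powershell
# Added example (not part of the Symantec writeup): report the registry values,
# BHO registrations and dropped files this page attributes to Adware.Henbang.
# Read-only; it changes nothing. Run from an elevated PowerShell prompt.

$findings = @()

# Step 4 of the writeup: "helperdll" value under policies\Explorer\Run.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    if ($props.PSObject.Properties.Name -contains 'helperdll') {
        $findings += "Run value 'helperdll' present: $($props.helperdll)"
    }
}

# Step 3 of the writeup: BHO CLSIDs registered under Explorer\Browser Helper Objects.
$bhoClsids = @(
    '{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}',
    '{616D4040-5712-4F0F-BCF1-5C6420A99E14}',
    '{AEF6F648-78D8-4456-BEE7-5ADE23D209FD}'
)
$bhoBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in $bhoClsids) {
    if (Test-Path (Join-Path $bhoBase $clsid)) {
        # Resolve the DLL Internet Explorer would load via the CLSID's InprocServer32 default value.
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $inproc) { (Get-ItemProperty -Path $inproc).'(default)' } else { '<unresolved>' }
        $findings += "BHO $clsid registered, server DLL: $dll"
    }
}

# Step 1 of the writeup: loader DLLs and .sys files dropped into %System%.
$sysDir = [Environment]::GetFolderPath('System')
foreach ($rel in 'hap.dll', 'webad.dll', 'winhtp.dll', 'drivers\Pupw.sys',
                 'drivers\Khdap.sys', 'drivers\Madbp.sys', 'drivers\Ustqilnr.sys') {
    $path = Join-Path $sysDir $rel
    if (Test-Path $path) { $findings += "File present: $path" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Adware.Henbang indicators from this writeup were found.'
} else {
    Write-Output 'Adware.Henbang indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the Run value alone is the strongest signal, since policies\Explorer\Run is rarely populated on a clean workstation; confirm a BHO hit by checking the resolved DLL path before acting on it.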