Updated: February 13, 2007 11:41:59 AM
Type: Adware
Version: 1.0
Risk Impact: Medium
File Names:
A0066055.exe
hap.dll
webad.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.Henbang is executed, it performs the following actions:
- Creates some of the following files:
- %System%\popcounts.ini
- %System%\history.ini
- %System%\hdp.ini
- %System%\proc.ini
- %System%\hda.ini
- %System%\unregister.ini
- %System%\drivers\Khdap.sys
- %System%\drivers\Madbp.sys
- %System%\drivers\Pupw.sys
- %System%\drivers\Ustqilnr.sys
- %System%\hap.dll
- %System%\uninstall.exe
- %System%\webad.dll
- %System%\win.htm
- %System%\winhtp.dll
- %System%\hap.log
- %System%\distributer.txt
- %Windir%\hbsetup.log
- %Desktop%\Henbang Secretary.lnk
- %Startup%\Henbang Secretary.lnk
- %StartMenu%\Programs\Henbang Secretary\Henbang Secretary.lnk
- %StartMenu%\Programs\Henbang Secretary\Readme.lnk
- C:\Documents and Settings\Administrator\Local Settings\Temp\hdp\adoc.txt
Note:
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %Desktop% is a variable that refers to the Windows Desktop folder. By default, this is C:\Documents and Settings\Administrator\Desktop (Windows 95/98/Me) or C:\Documents and Settings\Administrator\Desktop (Windows NT/2000/XP).
- %Startup% is a variable that refers to the Startup folder. By default, this is C:\Windows\Start Menu\Programs\StartUp (Windows 95/98/Me) or C:\Documents and Settings\[USER NAME]\Start Menu\Programs\Startup (Windows NT/2000/XP).
- %StartMenu% is a variable that refers to the location of the Start Menu folder. By default, this is C:\Windows\Start Menu (Windows 95/98/Me) or C:\Documents and Settings\[USER NAME]\Start Menu (Windows NT/2000/XP).
- Creates the following legitimate files if they do not already exist:
- %Windir%\UNWISE.EXE
- %Windir%\UNWISE.INI
- Creates some of the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D6F6BFF-1796-4779-9BA3-5F20F17E5CEA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71246576-0183-4C11-AF74-D377EC2209C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AE9C1B10-C380-4363-8620-7C6311169BAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XPWindow.XWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XPWindow.XWindow.1
HKEY_CLASSES_ROOT\CLSID\{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}
HKEY_CLASSES_ROOT\CLSID\{616D4040-5712-4F0F-BCF1-5C6420A99E14}
HKEY_CLASSES_ROOT\Interface\{1363F829-37F1-4763-9FBA-E8BB564D95EE}
HKEY_CLASSES_ROOT\Interface\{EF991B92-4308-454C-94BB-E0322A511BAB}
HKEY_CLASSES_ROOT\TypeLib\{315A06D6-FCA7-45EA-B77D-EE7B90041224}
HKEY_CLASSES_ROOT\TypeLib\{B58A1EFB-3DEE-4493-93B9-4DE3F99C8AEE}
HKEY_CLASSES_ROOT\DownloadStart.DownloadValue
HKEY_CLASSES_ROOT\DownloadStart.DownloadValue.1
HKEY_CLASSES_ROOT\Monitor.URLMonitor
HKEY_CLASSES_ROOT\Monitor.URLMonitor.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{616D4040-5712-4F0F-BCF1-5C6420A99E14}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{616D4040-5712-4F0F-BCF1-5C6420A99E14}
HKEY_LOCAL_MACHINE\SOFTWARE\hap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAP
HKEY_CLASSES_ROOT\BrowserAssistant.BrowserHAP
HKEY_CLASSES_ROOT\BrowserAssistant.BrowserHAP.1
HKEY_CLASSES_ROOT\CLSID\{AEF6F648-78D8-4456-BEE7-5ADE23D209FD}
HKEY_CLASSES_ROOT\Interface\{CF1C62E9-AC73-4647-A99C-D2213FFDA728}
HKEY_CLASSES_ROOT\TypeLib\{25E5E3D6-0C5C-44BD-A4BE-7A1C1285D1BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEF6F648-78D8-4456-BEE7-5ADE23D209FD}
- Adds the value:
"helperdll" = "Rundll32 %System%\drivers\Pupw.sys,Rundll32"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
so that the risk runs every time Windows starts.
- Adds the value:
"Enable Browser Extensions" = "yes"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
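A defender-side check for the startup entry and the browser helper objects described above, written here as an added example (it is not part of the original writeup). It assumes a PowerShell session on the host under examination and only reports what it finds; the function name Test-HenbangPersistence is invented for this example.

```powershell
# Added example, not from the original writeup. Looks for the persistence value
# and registry keys listed in this writeup and returns the matches as strings.
function Test-HenbangPersistence {
    $findings = @()

    # 1. Entries under policies\Explorer\Run start at every logon. The writeup
    #    names the value "helperdll"; any value that hands a file from the
    #    drivers folder to Rundll32 is flagged as well, since a legitimate driver
    #    is never loaded that way.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # provider metadata, not a value
            $value = [string]$props.$name
            if ($name -eq 'helperdll' -or $value -match '(?i)rundll32.*\\drivers\\.*\.sys') {
                $findings += "policies\Explorer\Run value '$name' = '$value'"
            }
        }
    }

    # 2. Browser Helper Object CLSIDs registered by the adware (from the writeup).
    $clsids = @('{3ED9FFDA-79DB-4B2D-99B7-16EA3C4A3A92}',
                '{616D4040-5712-4F0F-BCF1-5C6420A99E14}',
                '{AEF6F648-78D8-4456-BEE7-5ADE23D209FD}')
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($id in $clsids) {
        if (Test-Path (Join-Path $bhoRoot $id)) {
            $findings += "Browser Helper Object registered: $id"
        }
    }

    # 3. Vendor and uninstall keys from the writeup.
    foreach ($key in 'HKLM:\SOFTWARE\hap',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HAP') {
        if (Test-Path $key) { $findings += "registry key present: $key" }
    }
    return $findings
}

$result = Test-HenbangPersistence
if ($result.Count -eq 0) { 'No Adware.Henbang registry indicators found.' } else { $result }
```

Run it from an elevated session so HKLM is fully readable; an empty result only rules out the registry indicators, not the files listed elsewhere in this writeup.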
- Creates the following folders:
- %UserProfile%\Start Menu\Program\Programs\Henbang Secretary
- %UserProfile%\Local Settings\Temp\hdp
- %ProgramFiles%\HDP\
Note:
- %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
- %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
- Creates the following files:
- %ProgramFiles%\HDP\Henbang\HBlibrary.dll
- %ProgramFiles%\HDP\Henbang\henbang.exe
- %ProgramFiles%\HDP\Henbang\XPWindow.dll
- %ProgramFiles%\HDP\Henbang\default.hta
- %ProgramFiles%\HDP\Henbang\Images\0_delete.gif
- %ProgramFiles%\HDP\Henbang\Images\0_edit.gif
- %ProgramFiles%\HDP\Henbang\Images\adorn.gif
- %ProgramFiles%\HDP\Henbang\Images\arrow.gif
- %ProgramFiles%\HDP\Henbang\Images\arrow_up.gif
- %ProgramFiles%\HDP\Henbang\Images\bgtlbar.gif
- %ProgramFiles%\HDP\Henbang\Images\close_hover.gif
- %ProgramFiles%\HDP\Henbang\Images\close_normal.gif
- %ProgramFiles%\HDP\Henbang\Images\dropdown.gif
- %ProgramFiles%\HDP\Henbang\Images\expand.gif
- %ProgramFiles%\HDP\Henbang\Images\Henbang.gif
- %ProgramFiles%\HDP\Henbang\Images\henbang.ico
- %ProgramFiles%\HDP\Henbang\Images\icon_close.gif
- %ProgramFiles%\HDP\Henbang\Images\INSTALL.LOG
- %ProgramFiles%\HDP\Henbang\Images\item.gif
- %ProgramFiles%\HDP\Henbang\Images\links.gif
- %ProgramFiles%\HDP\Henbang\Images\localTool.gif
- %ProgramFiles%\HDP\Henbang\Images\logo.jpg
- %ProgramFiles%\HDP\Henbang\Images\manager.gif
- %ProgramFiles%\HDP\Henbang\Images\MenuItems\menu_category.gif
- %ProgramFiles%\HDP\Henbang\Images\MenuItems\menu_home.gif
- %ProgramFiles%\HDP\Henbang\Images\minus.gif
- %ProgramFiles%\HDP\Henbang\Images\NavBar\Game.gif
- %ProgramFiles%\HDP\Henbang\Images\NavBar\Henbang.gif
- %ProgramFiles%\HDP\Henbang\Images\NavBar\Leisure.gif
- %ProgramFiles%\HDP\Henbang\Images\NavBar\Page.gif
- %ProgramFiles%\HDP\Henbang\Images\NavBar\Sys.gif
- %ProgramFiles%\HDP\Henbang\Images\nav_hover.gif
- %ProgramFiles%\HDP\Henbang\Images\nav_normal.gif
- %ProgramFiles%\HDP\Henbang\Images\nav_select.gif
- %ProgramFiles%\HDP\Henbang\Images\open_hover.gif
- %ProgramFiles%\HDP\Henbang\Images\open_normal.gif
- %ProgramFiles%\HDP\Henbang\Images\Page.gif
- %ProgramFiles%\HDP\Henbang\Images\passport.gif
- %ProgramFiles%\HDP\Henbang\Images\password.gif
- %ProgramFiles%\HDP\Henbang\Images\plus.gif
- %ProgramFiles%\HDP\Henbang\Images\search.gif
- %ProgramFiles%\HDP\Henbang\Images\tab_hover.gif
- %ProgramFiles%\HDP\Henbang\Images\tab_normal.gif
- %ProgramFiles%\HDP\Henbang\Images\tbtitle.gif
- %ProgramFiles%\HDP\Henbang\Images\title_bg.gif
- %ProgramFiles%\HDP\Henbang\Images\top_bg.gif
- %ProgramFiles%\HDP\Henbang\Images\UNWISE.EXE
- %ProgramFiles%\HDP\Henbang\Images\UNWISE.INI
- %ProgramFiles%\HDP\Henbang\myCategory.htm
- %ProgramFiles%\HDP\Henbang\myFreeArea.htm
- %ProgramFiles%\HDP\Henbang\myHomePage.htm
- %ProgramFiles%\HDP\Henbang\mySites.htm
- %ProgramFiles%\HDP\Henbang\myTools.htm
- %ProgramFiles%\HDP\Henbang\readme.txt
- %ProgramFiles%\HDP\Henbang\Scripts\footer.js
- %ProgramFiles%\HDP\Henbang\Scripts\header.js
- %ProgramFiles%\HDP\Henbang\slChannel.htm
- %ProgramFiles%\HDP\Henbang\slChannelLink.htm
- %ProgramFiles%\HDP\Henbang\slSubChannel.htm
- %ProgramFiles%\HDP\Henbang\stChannels.htm
- %ProgramFiles%\HDP\Henbang\stMyChannel.htm
- %ProgramFiles%\HDP\Henbang\stMyFreeArea.htm
- %ProgramFiles%\HDP\Henbang\stMyHomePage.htm
- %ProgramFiles%\HDP\Henbang\stMySites.htm
- %ProgramFiles%\HDP\Henbang\stMyTools.htm
- %ProgramFiles%\HDP\Henbang\stPassport.htm
- %ProgramFiles%\HDP\Henbang\stSearchEngines.htm
- %ProgramFiles%\HDP\Henbang\style.css
- %ProgramFiles%\HDP\Henbang\Uninstall.exe
- %ProgramFiles%\HDP\Henbang\xpstyle\bottom.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\Buttons.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\Checkbox.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\close.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\left.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\max.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\min.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\Radio.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\restore.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\right.bmp
- %ProgramFiles%\HDP\Henbang\xpstyle\theme.ini
- %ProgramFiles%\HDP\Henbang\xpstyle\top.bmp
- %ProgramFiles%\HDP\Henbang\_data\ads.htm
- %ProgramFiles%\HDP\Henbang\_data\Channel.xml
- %ProgramFiles%\HDP\Henbang\_data\Channel_0.xml
- %ProgramFiles%\HDP\Henbang\_data\Channel_Common.xml
- %ProgramFiles%\HDP\Henbang\_data\channel_default.xml
- %ProgramFiles%\HDP\Henbang\_data\config.xml
- %ProgramFiles%\HDP\Henbang\_data\FreeInfo.xml
- %ProgramFiles%\HDP\Henbang\_data\HotWords.xml
- %ProgramFiles%\HDP\Henbang\_data\HotWords.xsl
- %ProgramFiles%\HDP\Henbang\_data\MySites.xml
- %ProgramFiles%\HDP\Henbang\_data\MyTools.xml
- %ProgramFiles%\HDP\Henbang\_data\Passports.xml
- %ProgramFiles%\HDP\Henbang\_data\SearchEngines.xml
- %ProgramFiles%\HDP\Henbang\_data\UrlLib.xml
- %ProgramFiles%\HDP\Henbang\_data\UrlList02.xsl
- Attempts to access a Web site on the henbang.net domain.
- Displays pop-up advertisements on the compromised computer.