Updated: February 13, 2007 11:42:47 AM
Type: Adware
Version: 1.0.0.17
Publisher: www.123mania.com
Risk Impact: High
File Names: Mshtmpre.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When Adware.MatrixSearch is executed, it performs the following actions:
- Creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C5B2F29-1F46-4639-A6B4-828942301D3E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{622CC208-B014-4FE0-801B-874A5E5E403A}
so that the adware runs every time Internet Explorer is started.
- Adds the value:
"LoadHTML" = "rundll32.exe c:\windows\system32\regsvr32.exe,MShtmpre"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the adware runs every time Windows is started.
- Creates the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{15651C7C-E812-44a2-A9AC-B467A2233E7D}
HKEY_CLASSES_ROOT\CLSID\{622CC208-B014-4FE0-801B-874A5E5E403A}
HKEY_CLASSES_ROOT\CLSID\{9C5B2F29-1F46-4639-A6B4-828942301D3E}
HKEY_CLASSES_ROOT\CLSID\{D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}
HKEY_CLASSES_ROOT\Interface\{16F6A635-09F8-44E6-953E-81D037647255}
HKEY_CLASSES_ROOT\Interface\{34DCDBDB-60EF-4281-92C6-68C299AAB8E5}
HKEY_CLASSES_ROOT\Interface\{FC02833E-9FDE-4862-974F-828887716A28}
HKEY_CLASSES_ROOT\Interface\{722C6699-FDF7-4B4F-BDD0-F84CF5791A80}
HKEY_CLASSES_ROOT\TypeLib\{B8F9DD56-4FFA-47B0-B9D7-42F45A752F4E}
HKEY_CLASSES_ROOT\TypeLib\{E9A45914-275E-4866-BB75-5D65CBC3F311}
HKEY_CLASSES_ROOT\TypeLib\{5E6895EA-E919-4331-ADBE-827D4D8915AC}
HKEY_CLASSES_ROOT\AutoSearch1.BHOsrc
HKEY_CLASSES_ROOT\AutoSearch1.BHOsrc.1
HKEY_CLASSES_ROOT\AutoSearch1.SrchHook
HKEY_CLASSES_ROOT\AutoSearch1.SrchHook.1
HKEY_CLASSES_ROOT\Bho1.html
HKEY_CLASSES_ROOT\Bho1.html.1
HKEY_CLASSES_ROOT\Bho.html
HKEY_CLASSES_ROOT\Bho.html.1
- Adds the following values:
"html_unresident" = "res://C:\WINDOWS\System32\SIPSPI32.dll/Desinstala.htm"
"html_stopengine" = "res://C:\WINDOWS\System32\SIPSPI32.dll/Desactiva.htm"
"html_gotowork" = "res://C:\WINDOWS\System32\SIPSPI32.dll/Activa.htm"
"html_onlyone" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p1.htm"
"html_reconfig3" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p3.htm"
"html_reconfig5" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p5.htm"
"html_reconfig9" = "res://C:\WINDOWS\System32\SIPSPI32.dll/p9.htm"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
- Adds the values:
"ppcimdnnnjbeahepfabjipfginloedkg cfcaak"
"ppcimdnnnjbeahepfabjipfginloedkg enodaj"
"goicfboogidikkejccmclpieicihhlpo ejfebp"
"goicfboogidikkejccmclpieicihhlpo imfado"
"goicfboogidikkejccmclpieicihhlpo igcdca"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0
- Opens an unusually high number of Internet Explorer windows.
- Redirects non-existent Web site searches to www.123mania.com.
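
A read-only check for the registry artifacts listed above, as an added example that is not part of the original writeup. The function name Find-MatrixSearchArtifact is hypothetical; every key, CLSID and value name it looks for is copied from the list above.

```powershell
# Added example: read-only lookup of the registry artifacts listed in this writeup.
# Every key, CLSID and value name below is copied from the list; nothing is changed.
function Find-MatrixSearchArtifact {   # hypothetical name
    $hits = @()

    # Browser Helper Object registrations (loaded whenever Internet Explorer starts)
    $bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    $bhoIds  = '{D879A0F1-2B3B-4409-8879-FAD6E49E1EA9}',
               '{9C5B2F29-1F46-4639-A6B4-828942301D3E}',
               '{622CC208-B014-4FE0-801B-874A5E5E403A}'
    foreach ($id in $bhoIds) {
        if (Test-Path -LiteralPath "$bhoRoot\$id") { $hits += "BHO key: $bhoRoot\$id" }
    }

    # COM class and ProgID keys; HKCR has no default drive, so use the provider path
    $classKeys  = @($bhoIds + '{15651C7C-E812-44a2-A9AC-B467A2233E7D}' | ForEach-Object { "CLSID\$_" })
    $classKeys += 'AutoSearch1.BHOsrc', 'AutoSearch1.SrchHook', 'Bho1.html', 'Bho.html'
    foreach ($sub in $classKeys) {
        $key = "Registry::HKEY_CLASSES_ROOT\$sub"
        if (Test-Path -LiteralPath $key) { $hits += "Class key: $key" }
    }

    # Autostart value that runs the adware at Windows startup
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -LiteralPath $runKey -Name 'LoadHTML' -ErrorAction SilentlyContinue
    if ($run) { $hits += "Run value LoadHTML = $($run.LoadHTML)" }

    # about: URL mappings that point into SIPSPI32.dll
    $aboutKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\AboutURLs'
    $aboutNames = 'html_unresident', 'html_stopengine', 'html_gotowork', 'html_onlyone',
                  'html_reconfig3', 'html_reconfig5', 'html_reconfig9'
    $about = Get-ItemProperty -LiteralPath $aboutKey -ErrorAction SilentlyContinue
    foreach ($n in $aboutNames) {
        if ($about -and $about.PSObject.Properties[$n]) {
            $hits += "AboutURLs value $n = $($about.$n)"
        }
    }
    return $hits
}

$found = @(Find-MatrixSearchArtifact)
if ($found.Count) { $found } else { 'No listed Adware.MatrixSearch registry artifacts found.' }
```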