
Adware.ZangoSearch

Updated:
February 13, 2007 11:43:42 AM
Type:
Adware
Version:
6.8.196.0/6.9.95.0
Publisher:
180solutions inc
Risk Impact:
Low
File Names:
InstallerShell.exe JadeShadowInstall.exe JadeShadowSetup.exe ZangoInstaller.exe ZangoJadeShado
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.ZangoSearch is executed, it performs the following actions:
  1. Creates some of the following files:

    • %ProgramFiles%\ZangoClient\zanu.exe
    • %ProgramFiles%\ZangoClient\zanuau.dat
    • %ProgramFiles%\ZangoClient\zanu_gdf.dat
    • %ProgramFiles%\ZangoClient\zanu_kyf.dat
    • %ProgramFiles%\Zango Applications\Zango TV Times\CryptoAPI.dll
    • %ProgramFiles%\Zango Applications\Zango TV Times\Display
    • %ProgramFiles%\Zango Applications\Zango TV Times\INSTALL.LOG
    • %ProgramFiles%\Zango Applications\Zango TV Times\Loading
    • %ProgramFiles%\Zango Applications\Zango TV Times\log.txt
    • %ProgramFiles%\Zango Applications\Zango TV Times\TvSkin.dll
    • %ProgramFiles%\Zango Applications\Zango TV Times\TVTimesInstall.exe
    • %ProgramFiles%\Zango Applications\Zango TV Times\TVTimesInstaller.exe
    • %ProgramFiles%\Zango Applications\Zango TV Times\UNWISE.EXE
    • %ProgramFiles%\Zango Applications\Zango TV Times\Version
    • %ProgramFiles%\Zango Applications\Zango TV Times\Welcome
    • %ProgramFiles%\Zango Applications\Zango TV Times\ZangoInstaller.exe
    • %ProgramFiles%\Zango Applications\Zango TV Times\ZangoTVTimes.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\INSTALL.LOG
    • %ProgramFiles%\Zango Games\Jade Shadow\jade.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\jade.ico
    • %ProgramFiles%\Zango Games\Jade Shadow\jade0.apk
    • %ProgramFiles%\Zango Games\Jade Shadow\JadeShadowInstall.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\JadeShadowInstaller.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\JadeShadowSetup.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\JSReadME.htm
    • %ProgramFiles%\Zango Games\Jade Shadow\UNWISE.EXE
    • %ProgramFiles%\Zango Games\Jade Shadow\ZangoInstaller.exe
    • %UserProfile%\Start Menu\Programs\Zango\Uninstall Zango.lnk
    • %UserProfile%\Start Menu\Programs\Zango\Zango.com.url
    • %UserProfile%\Start Menu\Programs\Zango Games\Jade Shadow\Jade Shadow Readme.lnk
    • %UserProfile%\Start Menu\Programs\Zango Games\Jade Shadow\Jade Shadow.lnk
    • %UserProfile%\Application Data\Zango TvTimes\My Preference\Startup.xml
    • %UserProfile%\Application Data\Zango TvTimes\My Preference\TVTimesNotify.xml
    • %UserProfile%\Application Data\Zango TvTimes\My Preference\TVTimesPreference
    • %UserProfile%\Application Data\Zango TvTimes\Others\Default
    • %UserProfile%\Application Data\Zango TvTimes\Others\ErrorXml
    • %UserProfile%\Application Data\Zango TvTimes\Others\ErrorXmlBackUp
    • %UserProfile%\Application Data\Zango TvTimes\Others\General
    • %UserProfile%\Desktop\Jade Shadow.lnk
    • %UserProfile%\Desktop\ZangoTVTimes.lnk
    • %ProgramFiles%\Zango\Uninstall Zango Instructions.lnk
    • %ProgramFiles%\Zango\Zango.com.url
    • %ProgramFiles%\Zango Applications\Zango TV Times\ZangoTVTimes.lnk


      Notes:
    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the values:

    "zanu" = "%ProgramFiles%\ZangoClient\zanu.exe"
    "Zango TvTimes" = "C:\PROGRA~1\ZANGOA~1\ZANGOT~1\ZANGOT~1.EXE :auto"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the security risk runs every time Windows starts.

  3. Creates the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}

    so that the security risk runs when Internet Explorer starts.

  4. Creates the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jade Shadow
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu
    HKEY_LOCAL_MACHINE\SOFTWARE\zanu
    HKEY_CURRENT_USER\Software\zanu

  5. Modifies the value:

    "LoginSessionDisable" = "1"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control

    to prevent the computer from automatically establishing a dial-up connection when the security risk tries to access the Internet.

  6. Monitors the contents of Internet Explorer windows. When it detects certain keywords in search or shopping pages, the security risk displays the Web page of a partner site.

  7. Monitors its own state and can reinstate itself if it is partially removed.
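The following audit script, added by the editor and not part of Symantec's writeup or removal tooling, checks a host for the file, Run-value, BHO and registry indicators listed in steps 1 to 5 above. It only reports and deletes nothing; because step 7 says the risk repairs itself when partially removed, any clean-up should first stop the zanu.exe and ZangoTVTimes.exe processes and then remove the Run values, BHO key and files together. The script assumes a current Windows build and an elevated PowerShell: %UserProfile%\Application Data is resolved through $env:APPDATA, and 32-bit program files are also looked for under ${env:ProgramFiles(x86)}, neither of which the page states.

```powershell
# Editor-added audit for the Adware.ZangoSearch indicators in the writeup.
# Report-only; run elevated so the HKLM values are readable.
# Assumption: modern Windows, so "Application Data" maps to $env:APPDATA and
# 32-bit software may live under ${env:ProgramFiles(x86)}.

$hits = [System.Collections.Generic.List[string]]::new()

# --- Step 1: files. A subset of the listed paths is enough to flag an install.
$programFilesRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$relativeFiles = @(
    'ZangoClient\zanu.exe',
    'ZangoClient\zanuau.dat',
    'ZangoClient\zanu_gdf.dat',
    'ZangoClient\zanu_kyf.dat',
    'Zango Applications\Zango TV Times\ZangoTVTimes.exe',
    'Zango Applications\Zango TV Times\ZangoInstaller.exe',
    'Zango Games\Jade Shadow\jade.exe',
    'Zango Games\Jade Shadow\ZangoInstaller.exe',
    'Zango\Zango.com.url'
)
foreach ($root in $programFilesRoots) {
    foreach ($rel in $relativeFiles) {
        $p = Join-Path $root $rel
        if (Test-Path -LiteralPath $p) { $hits.Add("file: $p") }
    }
}
$appDataDir = Join-Path $env:APPDATA 'Zango TvTimes'
if (Test-Path -LiteralPath $appDataDir) { $hits.Add("dir: $appDataDir") }
foreach ($lnk in 'Jade Shadow.lnk', 'ZangoTVTimes.lnk') {
    $p = Join-Path ([Environment]::GetFolderPath('Desktop')) $lnk
    if (Test-Path -LiteralPath $p) { $hits.Add("file: $p") }
}

# --- Step 2: Run values that restart the risk at boot.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'zanu', 'Zango TvTimes') {
    if ($run -and $run.PSObject.Properties[$name]) {
        $hits.Add("run value: $name = $($run.$name)")
    }
}

# --- Step 3: the Browser Helper Object registration, plus the DLL its CLSID maps to.
$clsid = '{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}'
$bho = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
if (Test-Path -LiteralPath $bho) {
    $hits.Add("BHO key: $bho")
    $srv = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($srv) { $hits.Add("BHO DLL: $($srv.'(default)')") }
}

# --- Step 4: remaining subkeys (TypeLib, Uninstall entries, vendor keys).
$subkeys = @(
    'HKLM:\SOFTWARE\Classes\TypeLib\{E5B57AB3-15F8-43A2-ABAC-3E58A9C25818}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Jade Shadow',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zango TV Times',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\zanu',
    'HKLM:\SOFTWARE\zanu',
    'HKCU:\Software\zanu'
)
foreach ($k in $subkeys) {
    if (Test-Path -LiteralPath $k) { $hits.Add("reg key: $k") }
}

# --- Step 5: the RAS Autodial change that hides dial-up prompts.
$ras = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\RAS Autodial\Control' -ErrorAction SilentlyContinue
if ($ras -and $ras.PSObject.Properties['LoginSessionDisable'] -and $ras.LoginSessionDisable -eq 1) {
    $hits.Add('RAS Autodial: LoginSessionDisable = 1')
}

if ($hits.Count -eq 0) {
    'No Adware.ZangoSearch indicators found.'
} else {
    "Found $($hits.Count) indicator(s):"
    $hits | ForEach-Object { "  $_" }
}
```

The Run-value check matches on value name rather than on the exact path, since the page shows the "Zango TvTimes" value in 8.3 short-name form and the on-disk expansion can differ between installs; the BHO check also resolves the CLSID to its InprocServer32 DLL so the loaded module can be confirmed before removal.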

