Updated: February 13, 2007 11:43:51 AM
Type: Spyware
Risk Impact: High
File Names:
netsync.exe
rsyncmon.dll
installerv3.exe
regsync.exe
vbrundll.dll
commcos2.dll
lanbrup.exe
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When the installer for Spyware.SafeSurfing is run, it does the following:
- Downloads and creates some of the following files from the [http://]www.pops-stop.com/[REMOVED] domain.
Note: The files downloaded depend on the version of Spyware.SafeSurfing installed.
- %Windir%\asbltzun.exe
- %Windir%\netsync.exe
- %Windir%\rsyncmon.dll
- %Windir%\ISSM0064.DAT
- %System%\COMMCOS2.DLL
- %System%\InstallerV3.exe
- %System%\regsync.exe
- %System%\richedtr.dll
- %System%\richup.exe
- %System%\redtrsha.dll
- %System%\vbrundll.dll
- %System%\VBUninstall.exe
- %System%\wirelanb.dll
- %System%\lanbrup.exe
- %System%\lanbruns.exe
- %System%\[RANDOM CHARACTERS].dll
- %Temp%\labpengs.tmp
- %Temp%\ExtractDLL.dll
Note:
- %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
- %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).
- Copies the following file, if it is not already present:
%System%\msxml3a.dll
Note: This is a legitimate copy of the Microsoft XML Parser (MSXML 3.0) resource DLL. The file is not malicious in itself and may be used by other software, so it does not need to be removed when cleaning this threat.
- Creates some of the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_CLASSES_ROOT\CLSID\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
HKEY_CLASSES_ROOT\CLSID\{71D1708F-973D-4600-AF01-AD86688403AE}
HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
HKEY_CLASSES_ROOT\Interface\{0A0CB91F-304B-44AD-9460-9C55465163A4}
HKEY_CLASSES_ROOT\Interface\{2AB7A3C6-9D09-428C-AA65-07BD49FB7065}
HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}
HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}
HKEY_CLASSES_ROOT\Interface\{57CB9B97-9FF9-4C87-88A4-56A867FFC95E}
HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}
HKEY_CLASSES_ROOT\Interface\{F1AD96E6-E575-44D9-9BBF-F3FDCF06C454}
HKEY_CLASSES_ROOT\TypeLib\{00DC9FF2-EA77-49C7-8DEF-722FD81CAB59}
HKEY_CLASSES_ROOT\TypeLib\{227D1E33-EAD4-4ACE-BE32-4ACFAAD072DD}
HKEY_CLASSES_ROOT\TypeLib\{33ADD70F-53AB-4F97-B4B6-997881820F6D}
HKEY_CLASSES_ROOT\TypeLib\{34A35BBB-8C19-4482-864C-290BD8DD6A5D}
HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1
HKEY_CLASSES_ROOT\VBRun.VBRunDLL
HKEY_CLASSES_ROOT\VBRun.VBRunDLL.1
HKEY_CLASSES_ROOT\LowSol.RichEditor
HKEY_CLASSES_ROOT\LowSol.RichEditor.1
HKEY_CLASSES_ROOT\Pool.LANBridge
HKEY_CLASSES_ROOT\Pool.LANBridge.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Netsync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RsyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\regsync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vbrundll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\richedtr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\richup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
HKEY_LOCAL_MACHINE\SOFTWARE\RSyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\VBRun
HKEY_LOCAL_MACHINE\SOFTWARE\Lanbridge
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VBRunDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichEditor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LANBridge
HKEY_LOCAL_MACHINE\SOFTWARE\SafeSurfing
HKEY_LOCAL_MACHINE\SOFTWARE\RichEd
Note: The four CLSIDs registered under the Browser Helper Objects subkey are the same four registered under HKEY_CLASSES_ROOT\CLSID. Registering them as Browser Helper Objects causes the spyware's DLLs to be loaded into every Internet Explorer process, which is how it observes browsing activity.
- Adds one of the following values:
"RSync" = "%Windir%\netsync.exe"
"regsync" = "%System%\regsync.exe"
"richup" = "%System%\richup.exe"
"lanbrup" = "%System%\lanbrup.exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the spyware runs when you start Windows.
- Adds one of the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\netsync.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\regsync.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\lanbrup.exe
so that Windows Firewall (present on Windows XP SP2 and Windows Server 2003 SP1 and later) treats the dropped executable as an authorized application and does not block its network connections.
- Sends computer information and data on browsing habits to [http://]www.pops-stop.com/[REMOVED]
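The following script is an added example, not part of this writeup and not code from the spyware itself: it sweeps a Windows host for the indicators listed above (dropped files, CLSID and Browser Helper Object registrations, the other registry subkeys, the Run value, the Windows Firewall exception, and a cached DNS answer for the reporting domain). It assumes an NT-based host with PowerShell (Windows XP SP2 / Server 2003 or later), that the firewall exceptions live under the standard CurrentControlSet path and are recorded as values whose names are the program's full path (so they are matched on file name), and that a DNS cache hit for pops-stop.com is a reasonable sign of a recent beacon. Indicators the writeup elides ([RANDOM CHARACTERS].dll and the [REMOVED] URL path) cannot be matched exactly and are left out.

```powershell
# Added example: sweep a host for the Spyware.SafeSurfing indicators in the writeup above.
# Run from an elevated PowerShell prompt. This script only reports; it removes nothing.
function Find-SafeSurfingIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Dropped files, resolved against this host's real %Windir%, %System% and %Temp%.
    # Both the user's TEMP and %Windir%\Temp are checked because the writeup's %Temp% default differs by OS.
    $winDir = $env:windir
    $sysDir = [Environment]::GetFolderPath('System')
    $files = @(
        "$winDir\asbltzun.exe", "$winDir\netsync.exe", "$winDir\rsyncmon.dll", "$winDir\ISSM0064.DAT",
        "$sysDir\COMMCOS2.DLL", "$sysDir\InstallerV3.exe", "$sysDir\regsync.exe", "$sysDir\richedtr.dll",
        "$sysDir\richup.exe", "$sysDir\redtrsha.dll", "$sysDir\vbrundll.dll", "$sysDir\VBUninstall.exe",
        "$sysDir\wirelanb.dll", "$sysDir\lanbrup.exe", "$sysDir\lanbruns.exe"
    )
    foreach ($tmpDir in @($env:TEMP, "$winDir\Temp")) {
        $files += "$tmpDir\labpengs.tmp", "$tmpDir\ExtractDLL.dll"
    }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $findings.Add("FILE      $f") }
    }

    # COM classes and Browser Helper Object registrations. The same four CLSIDs appear under
    # HKCR\CLSID and under IE's BHO key; InprocServer32 names the DLL Internet Explorer will load.
    $clsids = @('{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}', '{197B8CA4-E215-46DD-8F33-E0544A80E5C4}',
                '{71D1708F-973D-4600-AF01-AD86688403AE}', '{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}')
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($c in $clsids) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$c"
        if (Test-Path -LiteralPath $clsidKey) {
            $server = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $findings.Add("CLSID     $c -> $server")
        }
        if (Test-Path -LiteralPath "$bhoKey\$c") { $findings.Add("BHO       $c") }
    }

    # Remaining registry subkeys from the writeup: ProgIDs, App Paths, Uninstall entries and vendor keys.
    $keys = @(
        'Registry::HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1', 'Registry::HKEY_CLASSES_ROOT\VBRun.VBRunDLL',
        'Registry::HKEY_CLASSES_ROOT\LowSol.RichEditor', 'Registry::HKEY_CLASSES_ROOT\Pool.LANBridge',
        'HKLM:\SOFTWARE\RSyncMon', 'HKLM:\SOFTWARE\VBRun', 'HKLM:\SOFTWARE\Lanbridge',
        'HKLM:\SOFTWARE\SafeSurfing', 'HKLM:\SOFTWARE\RichEd'
    )
    $appPaths  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $keys += ('Netsync', 'RsyncMon', 'regsync', 'vbrundll', 'richedtr', 'richup', 'lanbrd', 'lanbrup') | ForEach-Object { "$appPaths\$_" }
    $keys += ('RSyncMon', 'VBRunDLL', 'RichEditor', 'LANBridge') | ForEach-Object { "$uninstall\$_" }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings.Add("REGKEY    $k") }
    }

    # Autostart: one of these value names under HKLM\...\Run points at the dropped executable.
    $runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in 'RSync', 'regsync', 'richup', 'lanbrup') {
        if ($runKey.GetValueNames() -contains $name) {
            $findings.Add("RUN       $name = $($runKey.GetValue($name))")
        }
    }

    # Windows Firewall exceptions (XP SP2 / Server 2003 SP1 and later). Assumption: each authorized
    # application is a value under ...\AuthorizedApplications\List named by its full path, so match the file name.
    $fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fwKey = Get-Item -LiteralPath $fwPath -ErrorAction SilentlyContinue
    if ($fwKey) {
        foreach ($valueName in $fwKey.GetValueNames()) {
            $leaf = Split-Path -Leaf $valueName
            if (('netsync.exe', 'regsync.exe', 'lanbrup.exe') -contains $leaf) {
                $findings.Add("FIREWALL  $valueName = $($fwKey.GetValue($valueName))")
            }
        }
    }

    # Network: a cached DNS answer for the reporting domain suggests a recent attempt to send data.
    $dns = ipconfig /displaydns | Select-String -SimpleMatch 'pops-stop.com'
    if ($dns) { $findings.Add("DNSCACHE  pops-stop.com was resolved recently") }

    return $findings
}

$result = Find-SafeSurfingIndicators
if ($result.Count -eq 0) { 'No Spyware.SafeSurfing indicators found.' } else { $result }
```

Any CLSID or BHO hit means the DLL is loaded into running Internet Explorer processes, so close Internet Explorer before attempting to delete the files; a RUN or FIREWALL hit also tells you which variant (netsync, regsync, richup or lanbrup) is installed, which narrows the file list to check.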