
Spyware.SafeSurfing

Updated:
February 13, 2007 11:43:51 AM
Type:
Spyware
Risk Impact:
High
File Names:
netsync.exe rsyncmon.dll installerv3.exe regsync.exe vbrundll.dll commcos2.dll lanbrup.exe
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When the installer for Spyware.SafeSurfing is run, it does the following:

  1. Downloads and creates some of the following files from the [http://]www.pops-stop.com/[REMOVED] domain.

    Note: The files downloaded depend on the version of Spyware.SafeSurfing installed.

    • %Windir%\asbltzun.exe
    • %Windir%\netsync.exe
    • %Windir%\rsyncmon.dll
    • %Windir%\ISSM0064.DAT
    • %System%\COMMCOS2.DLL
    • %System%\InstallerV3.exe
    • %System%\regsync.exe
    • %System%\richedtr.dll
    • %System%\richup.exe
    • %System%\redtrsha.dll
    • %System%\vbrundll.dll
    • %System%\VBUninstall.exe
    • %System%\wirelanb.dll
    • %System%\lanbrup.exe
    • %System%\lanbruns.exe
    • %System%\[RANDOM CHARACTERS].dll
    • %Temp%\labpengs.tmp
    • %Temp%\ExtractDLL.dll

      Note:

    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    • %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

  2. Copies the following file, if it is not already present:

    %System%\msxml3a.dll

    Note: This is a legitimate copy of Microsoft XML Parser, a resource dll which allows MSXML to run on multiple platforms.

  3. Creates some of the following registry subkeys:


    HKEY_CLASSES_ROOT\CLSID\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
    HKEY_CLASSES_ROOT\CLSID\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
    HKEY_CLASSES_ROOT\CLSID\{71D1708F-973D-4600-AF01-AD86688403AE}
    HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
    HKEY_CLASSES_ROOT\Interface\{0A0CB91F-304B-44AD-9460-9C55465163A4}

    HKEY_CLASSES_ROOT\Interface\{2AB7A3C6-9D09-428C-AA65-07BD49FB7065}
    HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}
    HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}
    HKEY_CLASSES_ROOT\Interface\{57CB9B97-9FF9-4C87-88A4-56A867FFC95E}
    HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}
    HKEY_CLASSES_ROOT\Interface\{F1AD96E6-E575-44D9-9BBF-F3FDCF06C454}
    HKEY_CLASSES_ROOT\TypeLib\{00DC9FF2-EA77-49C7-8DEF-722FD81CAB59}
    HKEY_CLASSES_ROOT\TypeLib\{227D1E33-EAD4-4ACE-BE32-4ACFAAD072DD}
    HKEY_CLASSES_ROOT\TypeLib\{33ADD70F-53AB-4F97-B4B6-997881820F6D}
    HKEY_CLASSES_ROOT\TypeLib\{34A35BBB-8C19-4482-864C-290BD8DD6A5D}
    HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1
    HKEY_CLASSES_ROOT\VBRun.VBRunDLL
    HKEY_CLASSES_ROOT\VBRun.VBRunDLL.1
    HKEY_CLASSES_ROOT\LowSol.RichEditor
    HKEY_CLASSES_ROOT\LowSol.RichEditor.1
    HKEY_CLASSES_ROOT\Pool.LANBridge
    HKEY_CLASSES_ROOT\Pool.LANBridge.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Netsync
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\RsyncMon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\regsync
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vbrundll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\richedtr
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\richup
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrup
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{197B8CA4-E215-46DD-8F33-E0544A80E5C4}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
    HKEY_LOCAL_MACHINE\SOFTWARE\RSyncMon
    HKEY_LOCAL_MACHINE\SOFTWARE\VBRun
    HKEY_LOCAL_MACHINE\SOFTWARE\Lanbridge
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RSyncMon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VBRunDLL
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RichEditor
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LANBridge
    HKEY_LOCAL_MACHINE\SOFTWARE\SafeSurfing
    HKEY_LOCAL_MACHINE\SOFTWARE\RichEd


  4. Adds one of the following values:

    "RSync" = "%Windir%\netsync.exe"
    "regsync" = "%System%\regsync.exe"
    "richup" = "%System%\richup.exe"
    "lanbrup" = "%System%\lanbrup.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the Spyware runs when you start Windows.

  5. Adds one of the following entries, named after its own executable, to the Windows Firewall list of authorized applications:

    HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\netsync.exe

    HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\regsync.exe

    HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\lanbrup.exe

    so that the Spyware's network traffic is allowed through the Windows Firewall.

    Note: On a live system this list is stored under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, and each authorized program is a value in that key whose name is the program's full path (for example %Windir%\netsync.exe). The entries above are shown in the abbreviated form used by this writeup.

  6. Sends computer information and data on browsing habits to [http://]www.pops-stop.com/[REMOVED].
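The following triage script is an added example and is not part of the Symantec writeup. It takes the indicators listed in steps 1 to 5 above (dropped file names, Run values, Browser Helper Object CLSIDs, firewall authorized-application entries and the vendor/ProgID registry keys) and checks them against a text registry export in the format written by `reg export` plus a list of file paths, so the check can be run offline against a collected image. The sample export and file list embedded in it are constructed for illustration; the firewall list is shown under its on-disk CurrentControlSet path, and %System%\msxml3a.dll and the randomly named DLL from step 1 are deliberately not matched.

```python
"""Offline IOC triage for Spyware.SafeSurfing (added example, not Symantec's code).
Parses a `reg export` style text dump and a file listing and reports the
indicators named in the writeup. All sample input below is constructed."""
import re

# Indicators from the writeup (lower-cased file names, CLSIDs with braces).
DROPPED_FILES = {
    "asbltzun.exe", "netsync.exe", "rsyncmon.dll", "issm0064.dat", "commcos2.dll",
    "installerv3.exe", "regsync.exe", "richedtr.dll", "richup.exe", "redtrsha.dll",
    "vbrundll.dll", "vbuninstall.exe", "wirelanb.dll", "lanbrup.exe", "lanbruns.exe",
    "labpengs.tmp", "extractdll.dll",
}  # msxml3a.dll is deliberately absent: it is a legitimate MSXML resource DLL.
RUN_VALUE_BINARIES = {"netsync.exe", "regsync.exe", "richup.exe", "lanbrup.exe"}
FIREWALL_LIST_BINARIES = {"netsync.exe", "regsync.exe", "lanbrup.exe"}
SAFESURFING_BHO_CLSIDS = {
    "{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}", "{197B8CA4-E215-46DD-8F33-E0544A80E5C4}",
    "{71D1708F-973D-4600-AF01-AD86688403AE}", "{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}",
}
MARKER_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\SafeSurfing", r"HKEY_LOCAL_MACHINE\SOFTWARE\RSyncMon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\VBRun", r"HKEY_LOCAL_MACHINE\SOFTWARE\Lanbridge",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\RichEd", r"HKEY_CLASSES_ROOT\Var3.RsyncHlpr.1",
    r"HKEY_CLASSES_ROOT\VBRun.VBRunDLL", r"HKEY_CLASSES_ROOT\LowSol.RichEditor",
    r"HKEY_CLASSES_ROOT\Pool.LANBridge")}

# One .reg value line: "name"="data", @="data", or "name"=dword:/hex: payloads.
VALUE_RE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")='
                      r'(?:"(?P<data>(?:[^"\\]|\\.)*)"|(?P<raw>.*))$')

def unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)

def basename(path):
    """Last path component, lower-cased, with quotes and trailing arguments dropped."""
    leaf = path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return (leaf.split() or [""])[0].strip('"').lower()

def parse_reg_export(text):
    """Map each [key] to {value name: data}. Multi-line hex continuations are ignored."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is not None and m:
            name = "(Default)" if m.group("name") is None else unescape(m.group("name"))
            data = m.group("raw") if m.group("data") is None else unescape(m.group("data"))
            entries[current][name] = data
    return entries

def scan_registry(entries):
    """Return (category, key, detail) tuples for the writeup's registry indicators."""
    findings = []
    for key, values in entries.items():
        k, leaf = key.lower(), key.rsplit("\\", 1)[-1]
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                if basename(data) in RUN_VALUE_BINARIES:
                    findings.append(("run-key persistence", key, f"{name} = {data}"))
        elif "\\browser helper objects\\" in k and leaf.upper() in SAFESURFING_BHO_CLSIDS:
            findings.append(("browser helper object", key, leaf))
        elif k.endswith("\\authorizedapplications\\list"):
            # Each authorized program is a value whose *name* is the program path.
            for name, data in values.items():
                if basename(name) in FIREWALL_LIST_BINARIES:
                    findings.append(("firewall exception", key, f"{name} = {data}"))
        elif k in MARKER_KEYS:
            findings.append(("marker key", key, "vendor/ProgID key named in the writeup"))
    return findings

def scan_files(paths):
    """Return the paths whose file name matches a dropped-file indicator."""
    return [p for p in paths if basename(p) in DROPPED_FILES]

# Constructed sample export. ctfmon and msmsgs are benign entries that must not fire.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RSync"="C:\\WINDOWS\\netsync.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D}]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\netsync.exe"="C:\\WINDOWS\\netsync.exe:*:Enabled:netsync"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeSurfing]
"Version"="3"
"""
SAMPLE_FILES = [r"C:\WINDOWS\netsync.exe", r"C:\WINDOWS\system32\msxml3a.dll",
                r"C:\WINDOWS\system32\lanbrup.exe", r"C:\WINDOWS\system32\kernel32.dll"]

if __name__ == "__main__":
    for category, key, detail in scan_registry(parse_reg_export(SAMPLE_EXPORT)):
        print(f"[{category}] {key}: {detail}")
    for path in scan_files(SAMPLE_FILES):
        print(f"[dropped file] {path}")
```

On the constructed input the script reports the RSync Run value, the BHO CLSID, the netsync.exe firewall exception and the SafeSurfing marker key, and flags netsync.exe and lanbrup.exe but not msxml3a.dll. File-name matching is only a first pass: the writeup's %System%\[RANDOM CHARACTERS].dll cannot be matched by name, and a real triage should also confirm the Run and firewall entries by hash or signature rather than name alone.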

