Adware.MaxSearch


Updated: February 13, 2007 11:44:51 AM
Type: Adware
Risk Impact: Medium
File Names: maxifiles.dll
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


When Adware.MaxSearch is executed, it performs the following actions:
  1. Creates the following files:

    • %ProgramFiles%\Maxifiles\basis.xml
    • %ProgramFiles%\Maxifiles\maxifiles.dll
    • %ProgramFiles%\Maxifiles\nav.bmp
    • %ProgramFiles%\Maxifiles\toolbar.crc
    • %ProgramFiles%\Maxifiles\version.txt
    • %ProgramFiles%\Maxifiles\Cache\*.xml

      Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
    HKEY_CLASSES_ROOT\CLSID\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}
    HKEY_CLASSES_ROOT\Interface\{0D5CC8AE-0BB0-49C3-BA33-BA4508EA43CC}
    HKEY_CLASSES_ROOT\Interface\{EABBB49A-4D7B-415B-8250-15C3B854E9FF}
    HKEY_CLASSES_ROOT\TypeLib\{3261A9A1-91F5-4A20-BEC7-3F8373C72C1F}
    HKEY_CLASSES_ROOT\TypeLib\{FFBE337D-CB05-4FF0-B9FA-3C2FCC2F54FB}
    HKEY_CLASSES_ROOT\ToolBand.XBTB07618
    HKEY_CLASSES_ROOT\ToolBand.XBTB07618.1
    HKEY_CLASSES_ROOT\XBTB07618.IEToolbar
    HKEY_CLASSES_ROOT\XBTB07618.IEToolbar.1
    HKEY_CLASSES_ROOT\XBTB07618.XBTB07618
    HKEY_CLASSES_ROOT\XBTB07618.XBTB07618.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB07618.XBTB07618Toolbar
    HKEY_CURRENT_USER\Software\XBTB07618

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\MaxiFiles
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\MaxiFilesTB

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{75E46EE7-404B-48EC-9326-C654F21F65BF}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolBand.XBTB04715
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ToolBand.XBTB04715.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB04715.IEToolbar
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB04715.IEToolbar.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB04715.XBTB04715
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XBTB04715.XBTB04715.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB04715.XBTB04715Toolbar
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B0BDED-64A5-495B-97DA-42C0301E229B}\iexplore
    HKEY_ALL_USERS\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C4069E3A-68F1-403E-B40E-20066696354B}
    HKEY_ALL_USERS\Software\XBTB04715

    Note: The CLSID {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} may be used by legitimate toolbars created with the Internet Explorer toolbar package.

  3. Attempts to download an updated version of itself from a predetermined Web site. Updated versions are stored in folders with the following naming convention:

    %ProgramFiles%\Maxifiles\tbu[VERSION NUMBER]

    Note: [VERSION NUMBER] denotes the latest version number of the downloaded update.

  4. Deletes the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

  5. Modifies the value:

    "iexplore.exe" = "0"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

    so that content such as ActiveX controls and JavaScript can run locally on the compromised computer.

  6. Modifies the value:

    "SearchAssistant" = "[http://]www.maxifiles.com/toolbar/[REMOVED]/sidebar.php?tid=%toolbar_id&aid=%AffiliateID"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

    to reset the search page in Internet Explorer.

    Note: This value is reset by the risk every time Internet Explorer is shut down.

  7. Modifies the value:

    "Start Page" = "[http://]www.maxifiles.com/[REMOVED]/"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

    to reset the home page in Internet Explorer.

  8. Displays the following toolbar when Internet Explorer is launched:
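The following read-only PowerShell check, added here as an example and not part of the Symantec writeup, reports whether the file, registry and Internet Explorer setting indicators from steps 1 to 7 are present on a host. It assumes an elevated PowerShell session on the machine being inspected; the Program Files (x86) root is checked as an assumption for 64-bit systems, which the writeup predates.

```powershell
# Added example, not from the original writeup: report Adware.MaxSearch indicators.
# Assumption: on 64-bit Windows the 32-bit toolbar may live under Program Files (x86).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$names = 'basis.xml', 'maxifiles.dll', 'nav.bmp', 'toolbar.crc', 'version.txt'

# Registry subkeys from step 2; HKEY_CLASSES_ROOT is reached via the Registry:: provider.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}',
    'Registry::HKEY_CLASSES_ROOT\XBTB07618.IEToolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB07618.XBTB07618Toolbar',
    'HKCU:\Software\XBTB07618',
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks\{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\MaxiFiles'
)

$findings = @()

# Step 1: dropped files under <Program Files>\Maxifiles.
foreach ($root in $roots) {
    foreach ($n in $names) {
        $p = Join-Path $root "Maxifiles\$n"
        if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
    }
}

# Step 2: persistence and toolbar registration keys.
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Step 5: "iexplore.exe"=0 turns off the Local Machine zone lockdown, so local
# ActiveX and script content runs without the zone's restrictions.
$lockdown = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$v = Get-ItemProperty -LiteralPath $lockdown -Name 'iexplore.exe' -ErrorAction SilentlyContinue
if ($v -and $v.'iexplore.exe' -eq 0) { $findings += "Local Machine Lockdown disabled for iexplore.exe under $lockdown" }

# Steps 6 and 7: search assistant and home page pointed at maxifiles.com.
$search = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search' -ErrorAction SilentlyContinue
if ($search.SearchAssistant -match 'maxifiles\.com') { $findings += "SearchAssistant hijacked: $($search.SearchAssistant)" }
$main = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main.'Start Page' -match 'maxifiles\.com') { $findings += "Start Page hijacked: $($main.'Start Page')" }

if ($findings.Count -eq 0) { 'No Adware.MaxSearch indicators found.' } else { $findings }
```

Because the risk rewrites the SearchAssistant value whenever Internet Explorer closes (step 6), run the check with the browser closed and only after the dropped files and BHO registration have been removed, otherwise the hijacked value will reappear.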