Adware.Borlan

Updated: March 30, 2009 3:59:10 PM
Type: Adware
Risk Impact: Low
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

When the program is executed, it creates the following files:
  • %ProgramFiles%\MMSAssist\mms.ini
  • %ProgramFiles%\MMSAssist\MMSASS~1.DLL
  • %System%\stdup.dll
  • %System%\std.ini
  • %System%\stdd.ini
  • %System%\stdcache\[RANDOM FILE NAMES]
  • %Temp%\mq\[RANDOM FILE NAMES]


Next, the program creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"{6671A433-5C3D-463d-A7CF-5587F9B7E191}" = "0x00002002"

It then modifies the following registry entries to change settings for Internet Explorer:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.k265.com/[REMOVED]"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL" = "http://www.k265.com/[REMOVED]"


The program then creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6671A431-5C3D-463d-A7CF-5587F9B7E191}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{74289A79-E652-4A57-A6B9-EE64AD532A8D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB45CE36-C280-4525-BCF9-1BD01D3E4B57}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{077525AC-C681-4139-8C3E-B582BDD375C7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{22F87D75-7DD1-4545-94B3-CA80C0F462C6}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad.AxObj
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Ad.AxObj.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\InsII.brins
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MMSBho.MMSAssist.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MMSBho.MMSAssistMenu.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FBDF84372483F7693F63FF
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6671A431-5C3D-463d-A7CF-5587F9B7E191}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MMSAssist
  • HKEY_LOCAL_MACHINE\SOFTWARE\MMSAssist
  • HKEY_LOCAL_MACHINE\SOFTWARE\Stdup
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6A512BF7-EC78-4E8D-9841-6C02E8FA9838}
  • HKEY_CURRENT_USER\Software\RFO
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StdService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\StdService


It also creates the following registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\[CHINESE CHARACTERS]

Note: This subkey is encoded using GB2312 (Guojia Biaozhun) encoding, which is the official character set of the People's Republic of China. If you do not have the appropriate language pack installed, the subkey will be displayed as garbled characters.

Next, it creates a service with the following characteristics:
ImagePath: C:\WINDOWS\system32\rundll32.exe [PATH TO DLL FILE]
DisplayName: StdService

The program acts as an Internet Explorer Browser Helper Object that displays Chinese-based advertisements while users browse the Internet.

It also contacts the following URL:
borlander.cn
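
The registry indicators above can be checked offline against a text registry export. The following Python sketch is an added example, not part of the original write-up or any vendor tool; it assumes the export has already been decoded to text, covers only a subset of the listed keys, and its function names and sample export are constructed for illustration.

```python
import re

# Subset of the indicators listed in the write-up above. Registry key names are
# case-insensitive (the page itself shows both 4e8d and 4E8D), so compare casefolded.
BHO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
INDICATOR_KEYS = [
    BHO + r"\{6671A431-5C3D-463d-A7CF-5587F9B7E191}",
    BHO + r"\{6A512BF7-EC78-4e8d-9841-6C02E8FA9838}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6671A433-5C3D-463d-A7CF-5587F9B7E191}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MMSAssist",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Stdup",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StdService",
]
IE_MAIN = r"\software\microsoft\internet explorer\main"
HIJACK_VALUES = {"start page", "default_page_url"}
HIJACK_HOST = "k265.com"

def normalize(key):
    # Casefold, and fold ControlSet00N into CurrentControlSet so both forms match.
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", key.casefold())

WANTED = {normalize(k) for k in INDICATOR_KEYS}

def scan_reg_export(text):
    """Return (kind, path) findings from the text of a registry export."""
    findings, current = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):   # key header
            current = line[1:-1]
            if normalize(current) in WANTED:
                findings.append(("key", current))
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)          # string value
        if (m and current.casefold().endswith(IE_MAIN)
                and m.group(1).casefold() in HIJACK_VALUES
                and HIJACK_HOST in m.group(2).casefold()):
            findings.append(("value", current + "\\" + m.group(1)))
    return findings

# Constructed sample export, not captured from a real host.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6A512BF7-EC78-4E8D-9841-6C02E8FA9838}]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\StdService]
"DisplayName"="StdService"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.k265.com/"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""
```

A hit on a key or value is a lead for review, not proof of installation; confirm against the files and service listed above.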