Adware.Egyrank

Printer Friendly Page

Updated: February 13, 2007 11:47:45 AM

Type: Adware

Risk Impact: Medium

File Names: Egyrank.dll

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When Adware.Egyrank is installed, it performs the following actions:

Creates the following files:
- %ProgramFiles%\EgyRank\basis.xml
- %ProgramFiles%\EgyRank\Egyrank.dll
- %ProgramFiles%\EgyRank\icons.bmp
- %ProgramFiles%\EgyRank\Egyrank.inf
- %ProgramFiles%\EgyRank\version.txt
- %ProgramFiles%\EgyRank\newversion.txt
- %ProgramFiles%\EgyRank\menu_customization.html
  
  Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
Creates the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{06EECACB-F7C6-4ab9-B6AE-2DC4ED4588BB} HKEY_CLASSES_ROOT\CLSID\{CAE916D2-880A-4198-BB83-9E9DBD9615DC} HKEY_CLASSES_ROOT\Interface\{3FBB839A-017B-465B-82E6-15D9B8F6E936} HKEY_CLASSES_ROOT\Interface\{4C5CC6AE-70B0-4EC3-BAD5-BA0708F4432C} HKEY_CLASSES_ROOT\TypeLib\{088930B5-5537-4AE6-B484-98AAB895FC63} HKEY_CLASSES_ROOT\ToolBand.XBTB02205 HKEY_CLASSES_ROOT\ToolBand.XBTB02205.1 HKEY_CLASSES_ROOT\XBTB02205.IEToolbar HKEY_CLASSES_ROOT\XBTB02205.IEToolbar.1 HKEY_CLASSES_ROOT\XBTB02205.XBTB02205 HKEY_CLASSES_ROOT\XBTB02205.XBTB02205.1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06EECACB-F7C6-4ab9-B6AE-2DC4ED4588BB} HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB02205.XBTB02205Toolbar HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Ext\Stats\{06EECACB-F7C6-4AB9-B6AE-2DC4ED4588BB} HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion \Ext\Stats\{CAE916D2-880A-4198-BB83-9E9DBD9615DC} HKEY_CURRENT_USER\Software\XBTB02205
Modifies the value:

"iexplore.exe" = "0"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

so that elements such as ActiveX controls and JavaScript can run locally on the compromised computer.
Adds the value:

"{CAE916D2-880A-4198-BB83-9E9DBD9615DC}"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooksHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Deletes the value:

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

from the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
Adds the value:

"Mister X" = ""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Modifies the value:

"Start Page" = "[http://]egyrank.com/addsite/homepage.php[REMOVED]"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

in order to change the Internet Explorer start page.

Note: This page corresponding to the value of this registry entry is in fact redirected to a different Web site each time the page is visited.
Modifies the value:

"SearchAssistant: = "[http://]egyrank.com/[REMOVED]/sidesearch.php"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
Displays a toolbar in the Internet Explorer window.

Removal

Summary

Search Threats

Search by name

_{Example: W32.Beagle.AG@mm}