Adware.Zwunzi

Updated: December 3, 2009 12:59:34 AM
Type: Adware
Name: Zwunzi
Version: 1.0 build 128
Publisher: zwunzi.com
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

This program must be manually installed.

When the program is executed, it creates the following folders:

  • %ProgramFiles%\Zwunzi
  • C:\Documents and Settings\All Users\Application Data\Zwunzi


It drops the following files:

  • %ProgramFiles%\Zwunzi\uninstall.exe
  • %ProgramFiles%\Zwunzi\zwunzi.dll
  • %ProgramFiles%\Zwunzi\zwunzi.exe
  • C:\Documents and Settings\All Users\Application Data\Zwunzi\zwunzi128.exe


Then, the program creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zwunzi\"DisplayName" = "Zwunzi 1.0 build 128"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zwunzi\"UninstallString" = "%ProgramFiles%\Zwunzi\uninstall.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Cid" = "466705c1534b4aee8c896579946b055f"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"DllPath" = "%ProgramFiles%\Zwunzi\zwunzi.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Initial" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Partner" = "ZWUNZI128"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Primary" = "f403"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"ShowBarSign" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"ShowToolbarButton" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Src" = "zwunzi"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Zwunzi\"Version" = "1001c"


The program creates a new service with the following characteristics:

  • Service Name: Zwunzi Service
  • Display Name: Zwunzi Service
  • Startup Type: Automatic

It registers the service by creating the following registry subkeys:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZWUNZI_SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZWUNZI_SERVICE\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZWUNZI_SERVICE\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zwunzi Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zwunzi Service\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Zwunzi Service\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZWUNZI_SERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZWUNZI_SERVICE\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZWUNZI_SERVICE\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zwunzi Service
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zwunzi Service\Enum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zwunzi Service\Security


The program is installed as a Browser Search Plugin for Internet Explorer and Mozilla Firefox and redirects user searches to the following location:
zwunzi.com