
System Infected: Misleading Application Blowsearch Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Adware.Blowsearch communicating with, and requesting information from, its controlling server.

Additional Information

When Adware.Blowsearch is installed, it does the following:

1. Creates the following files:

* %ProgramFiles%\Blowsearch\INSTALL.LOG
* %ProgramFiles%\Blowsearch\tbinstall.log
* %ProgramFiles%\Blowsearch\ubinst.exe
* %ProgramFiles%\Blowsearch\ultrabar.dll
* %ProgramFiles%\Blowsearch\UNWISE.EXE
* C:\Documents and Settings\All Users\Application Data\Infospace

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry entries:

HKEY_CLASSES_ROOT\CLSID\{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46}
HKEY_CLASSES_ROOT\TypeLib\{508D52D8-117D-405A-BF53-818278D8E4A8}
HKEY_CLASSES_ROOT\Interface\{818E8BAA-BBA9-4343-AF32-C7F51582D6B5}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46}
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BlowsearchToolbar
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46}
HKEY_CURRENT_USER\Software\Infospace
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\[Path where executable is stored]

3. Launches Internet Explorer and tries to contact www.blowsearch.com.

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Unregister the ultrabar.dll file.
4. Run a full system scan and delete all the files detected as Adware.Blowsearch.
5. Delete the registry keys and values that were added.
6. Delete any related files.
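The indicator check from the Additional Information section and the unregister / registry clean-up steps of the Response above, as an added PowerShell example that is not Symantec's code. It assumes an elevated prompt on a Windows XP / Server 2003 host with PowerShell installed (the older systems in the Affected list have no PowerShell), that the Symantec scan (steps 1, 2 and 4) has already run, and that Internet Explorer is closed. The -Remove switch, the "key or value" test and the output layout are this example's own; the paths and GUIDs are the ones listed on this page.

```powershell
<#
Added example (not Symantec's code). Reports which Adware.Blowsearch file and
registry indicators from the page are present; with -Remove it performs the
unregister (step 3), registry (step 5) and file (step 6) clean-up. Supports
-WhatIf through ShouldProcess so a dry run can be reviewed first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$clsid      = '{6F8ADBE2-8C92-4362-B0E6-7321AA49EE46}'
$typeLib    = '{508D52D8-117D-405A-BF53-818278D8E4A8}'
$iface      = '{818E8BAA-BBA9-4343-AF32-C7F51582D6B5}'
$installDir = Join-Path $env:ProgramFiles 'Blowsearch'

$fileIndicators = @(
    (Join-Path $installDir 'INSTALL.LOG'),
    (Join-Path $installDir 'tbinstall.log'),
    (Join-Path $installDir 'ubinst.exe'),
    (Join-Path $installDir 'ultrabar.dll'),
    (Join-Path $installDir 'UNWISE.EXE'),
    'C:\Documents and Settings\All Users\Application Data\Infospace'   # pre-Vista path, as on the page
)

# MenuExt and MUICache (also listed on the page) are shared keys that hold
# legitimate entries, so they are deliberately not deleted wholesale here.
$regIndicators = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\TypeLib\$typeLib",
    "Registry::HKEY_CLASSES_ROOT\Interface\$iface",
    "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\BlowsearchToolbar",
    "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Explorer Bars\$clsid",
    "Registry::HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\$clsid",
    "Registry::HKEY_CURRENT_USER\Software\Infospace"
)

function Get-RegistryIndicator {
    param([string]$Path)
    # IE records toolbar registrations as values named after the CLSID under
    # the Toolbar / WebBrowser keys rather than as subkeys, so test both forms.
    if (Test-Path -LiteralPath $Path) {
        return [pscustomobject]@{ Path = $Path; Kind = 'Key'; Parent = $null; Name = $null }
    }
    $cut    = $Path.LastIndexOf('\')
    $parent = $Path.Substring(0, $cut)
    $name   = $Path.Substring($cut + 1)
    if (Test-Path -LiteralPath $parent) {
        $props = Get-ItemProperty -LiteralPath $parent -ErrorAction SilentlyContinue
        $names = @($props.PSObject.Properties | ForEach-Object { $_.Name })
        if ($names -contains $name) {
            return [pscustomobject]@{ Path = $Path; Kind = 'Value'; Parent = $parent; Name = $name }
        }
    }
    return $null
}

$fileHits = @($fileIndicators | Where-Object { Test-Path -LiteralPath $_ })
$regHits  = @($regIndicators  | ForEach-Object { Get-RegistryIndicator $_ } | Where-Object { $_ })

Write-Host "File indicators present:     $($fileHits.Count)"
$fileHits | ForEach-Object { Write-Host "  $_" }
Write-Host "Registry indicators present: $($regHits.Count)"
$regHits  | ForEach-Object { Write-Host "  [$($_.Kind)] $($_.Path)" }

if (-not $Remove) { return }

# The BHO/toolbar DLL is loaded into iexplore.exe; it cannot be unregistered
# or deleted while that process holds it.
if (Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    Write-Warning 'Close Internet Explorer before running with -Remove.'
    return
}

$dll = Join-Path $installDir 'ultrabar.dll'                     # step 3: unregister the COM server
if ((Test-Path -LiteralPath $dll) -and $PSCmdlet.ShouldProcess($dll, 'regsvr32 /u')) {
    & "$env:SystemRoot\System32\regsvr32.exe" /u /s $dll
}

foreach ($hit in $regHits) {                                     # step 5: registry keys and values
    if (-not $PSCmdlet.ShouldProcess($hit.Path, 'Remove registry indicator')) { continue }
    if ($hit.Kind -eq 'Key') {
        Remove-Item -LiteralPath $hit.Path -Recurse -Force
    } else {
        Remove-ItemProperty -LiteralPath $hit.Parent -Name $hit.Name -Force
    }
}

foreach ($f in $fileHits) {                                      # step 6: related files
    if ($PSCmdlet.ShouldProcess($f, 'Remove file')) {
        Remove-Item -LiteralPath $f -Recurse -Force
    }
}
```

Run it once without -Remove to see what is present, then with -Remove -WhatIf to review the planned deletions, and only then with -Remove. Re-run without -Remove afterwards: anything that reappears on the next logon points to a persistence mechanism outside the indicators listed on this page.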
