HTTP Egyrank Activity

Severity: Medium

This attack could pose a moderate security threat. It does not require immediate action.

Description

This signature detects Adware.Egyrank communicating and requesting information from its controlling server.

Additional Information

When Adware.Egyrank is installed, it performs the following actions:

1. Creates the following files:

* %ProgramFiles%\EgyRank\basis.xml
* %ProgramFiles%\EgyRank\Egyrank.dll
* %ProgramFiles%\EgyRank\icons.bmp
* %ProgramFiles%\EgyRank\Egyrank.inf
* %ProgramFiles%\EgyRank\version.txt
* %ProgramFiles%\EgyRank\newversion.txt
* %ProgramFiles%\EgyRank\menu_customization.html

Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{06EECACB-F7C6-4ab9-B6AE-2DC4ED4588BB}
HKEY_CLASSES_ROOT\CLSID\{CAE916D2-880A-4198-BB83-9E9DBD9615DC}
HKEY_CLASSES_ROOT\Interface\{3FBB839A-017B-465B-82E6-15D9B8F6E936}
HKEY_CLASSES_ROOT\Interface\{4C5CC6AE-70B0-4EC3-BAD5-BA0708F4432C}
HKEY_CLASSES_ROOT\TypeLib\{088930B5-5537-4AE6-B484-98AAB895FC63}
HKEY_CLASSES_ROOT\ToolBand.XBTB02205
HKEY_CLASSES_ROOT\ToolBand.XBTB02205.1
HKEY_CLASSES_ROOT\XBTB02205.IEToolbar
HKEY_CLASSES_ROOT\XBTB02205.IEToolbar.1
HKEY_CLASSES_ROOT\XBTB02205.XBTB02205
HKEY_CLASSES_ROOT\XBTB02205.XBTB02205.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06EECACB-F7C6-4ab9-B6AE-2DC4ED4588BB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB02205.XBTB02205Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06EECACB-F7C6-4AB9-B6AE-2DC4ED4588BB}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CAE916D2-880A-4198-BB83-9E9DBD9615DC}
HKEY_CURRENT_USER\Software\XBTB02205

3. Modifies the value:

"iexplore.exe" = "0"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN

so that elements such as ActiveX controls and JavaScript can run locally on the compromised computer.

4. Adds the value:

"{CAE916D2-880A-4198-BB83-9E9DBD9615DC}"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

5. Deletes the value:

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

from the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

6. Adds the value:

"Mister X" = ""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

7. Modifies the value:

"Start Page" = "[http://]egyrank.com/addsite/homepage.php[REMOVED]"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

in order to change the Internet Explorer start page.

Note: The page at the address stored in this registry entry is in fact redirected to a different Web site each time it is visited.

8. Modifies the value:

"SearchAssistant" = "[http://]egyrank.com/[REMOVED]/sidesearch.php"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

9. Displays a toolbar in the Internet Explorer window.
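The following read-only host check is an added example, not part of the Symantec advisory or any Symantec product; it looks for the files, COM registrations and Internet Explorer settings listed above, using the CLSIDs and paths exactly as the advisory gives them (the `HKCU:`/`HKLM:` drive names and the `Registry::` provider path are standard PowerShell conventions, and the script assumes it is run in an elevated PowerShell prompt).

```powershell
# Added example: look for Adware.Egyrank artifacts on a Windows host. Reports only; changes nothing.
$findings = @()

# 1. Dropped files under %ProgramFiles%\EgyRank
$egyDir = Join-Path $env:ProgramFiles 'EgyRank'
foreach ($f in 'basis.xml','Egyrank.dll','icons.bmp','Egyrank.inf','version.txt','newversion.txt','menu_customization.html') {
    $p = Join-Path $egyDir $f
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. COM registrations, the BHO entry and the toolbar's uninstall/config keys
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{06EECACB-F7C6-4ab9-B6AE-2DC4ED4588BB}',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{CAE916D2-880A-4198-BB83-9E9DBD9615DC}',
    'Registry::HKEY_CLASSES_ROOT\XBTB02205.IEToolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06EECACB-F7C6-4ab9-B6AE-2DC4ED4588BB}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB02205.XBTB02205Toolbar',
    'HKCU:\Software\XBTB02205'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# 3. Local Machine Lockdown switched off for iexplore.exe ("iexplore.exe" = 0 lets local ActiveX/script run)
$lock = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN'
$lockVal = (Get-ItemProperty -LiteralPath $lock -Name 'iexplore.exe' -ErrorAction SilentlyContinue).'iexplore.exe'
if ($null -ne $lockVal -and [int]$lockVal -eq 0) { $findings += "FEATURE_LOCALMACHINE_LOCKDOWN disabled for iexplore.exe" }

# 4. Toolbar CLSID registered as a toolbar / URL search hook (value NAME is the CLSID)
$tbClsid = '{CAE916D2-880A-4198-BB83-9E9DBD9615DC}'
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
               'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
               'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser') {
    $names = (Get-Item -LiteralPath $k -ErrorAction SilentlyContinue).Property
    if ($names -contains $tbClsid) { $findings += "Toolbar CLSID registered under: $k" }
}

# 5. User-Agent token, hijacked start page and search assistant (egyrank.com is the advisory's domain)
$pp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform'
if ((Get-Item -LiteralPath $pp -ErrorAction SilentlyContinue).Property -contains 'Mister X') { $findings += "UA Post Platform token 'Mister X' present" }
$start = (Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue).'Start Page'
if ($start -like '*egyrank.com*') { $findings += "IE Start Page points to egyrank.com: $start" }
$search = (Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search' -Name 'SearchAssistant' -ErrorAction SilentlyContinue).SearchAssistant
if ($search -like '*egyrank.com*') { $findings += "IE SearchAssistant points to egyrank.com: $search" }

if ($findings.Count -eq 0) { 'No Adware.Egyrank artifacts found.' } else { $findings }
```

The "Mister X" token is worth checking on the network side as well: entries under Post Platform are appended to Internet Explorer's User-Agent header, so proxy logs from an infected host will carry it.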

Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Update the definitions.
2. Run a full system scan.
3. Delete any values added to the registry.
4. Reset the Internet Explorer home page.
5. Reset the Internet Explorer search page.
