Adware.ZangoSearch


February 13, 2007 11:43:42 AM
180solutions inc
Risk Impact:
File Names:
InstallerShell.exe JadeShadowInstall.exe JadeShadowSetup.exe ZangoInstaller.exe ZangoJadeShado
Systems Affected:

When Adware.ZangoSearch is executed, it performs the following actions:
  1. Creates some of the following files:

    • %ProgramFiles%\ZangoClient\zanu.exe
    • %ProgramFiles%\ZangoClient\zanuau.dat
    • %ProgramFiles%\ZangoClient\zanu_gdf.dat
    • %ProgramFiles%\ZangoClient\zanu_kyf.dat
    • %ProgramFiles%\Zango Applications\Zango TV Times\CryptoAPI.dll
    • %ProgramFiles%\Zango Applications\Zango TV Times\Display
    • %ProgramFiles%\Zango Applications\Zango TV Times\INSTALL.LOG
    • %ProgramFiles%\Zango Applications\Zango TV Times\Loading
    • %ProgramFiles%\Zango Applications\Zango TV Times\log.txt
    • %ProgramFiles%\Zango Applications\Zango TV Times\TvSkin.dll
    • %ProgramFiles%\Zango Applications\Zango TV Times\TVTimesInstall.exe
    • %ProgramFiles%\Zango Applications\Zango TV Times\TVTimesInstaller.exe
    • %ProgramFiles%\Zango Applications\Zango TV Times\UNWISE.EXE
    • %ProgramFiles%\Zango Applications\Zango TV Times\Version
    • %ProgramFiles%\Zango Applications\Zango TV Times\Welcome
    • %ProgramFiles%\Zango Applications\Zango TV Times\ZangoInstaller.exe
    • %ProgramFiles%\Zango Applications\Zango TV Times\ZangoTVTimes.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\INSTALL.LOG
    • %ProgramFiles%\Zango Games\Jade Shadow\jade.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\jade.ico
    • %ProgramFiles%\Zango Games\Jade Shadow\jade0.apk
    • %ProgramFiles%\Zango Games\Jade Shadow\JadeShadowInstall.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\JadeShadowInstaller.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\JadeShadowSetup.exe
    • %ProgramFiles%\Zango Games\Jade Shadow\JSReadME.htm
    • %ProgramFiles%\Zango Games\Jade Shadow\UNWISE.EXE
    • %ProgramFiles%\Zango Games\Jade Shadow\ZangoInstaller.exe
    • %UserProfile%\Start Menu\Programs\Zango\Uninstall Zango.lnk
    • %UserProfile%\Start Menu\Programs\Zango\Zango.com.url
    • %UserProfile%\Start Menu\Programs\Zango Games\Jade Shadow\Jade Shadow Readme.lnk
    • %UserProfile%\Start Menu\Programs\Zango Games\Jade Shadow\Jade Shadow.lnk
    • %UserProfile%\Application Data\Zango TvTimes\My Preference\Startup.xml
    • %UserProfile%\Application Data\Zango TvTimes\My Preference\TVTimesNotify.xml
    • %UserProfile%\Application Data\Zango TvTimes\My Preference\TVTimesPreference
    • %UserProfile%\Application Data\Zango TvTimes\Others\Default
    • %UserProfile%\Application Data\Zango TvTimes\Others\ErrorXml
    • %UserProfile%\Application Data\Zango TvTimes\Others\ErrorXmlBackUp
    • %UserProfile%\Application Data\Zango TvTimes\Others\General
    • %UserProfile%\Desktop\Jade Shadow.lnk
    • %UserProfile%\Desktop\ZangoTVTimes.lnk
    • %ProgramFiles%\Zango\Uninstall Zango Instructions.lnk
    • %ProgramFiles%\Zango\Zango.com.url
    • %ProgramFiles%\Zango Applications\Zango TV Times\ZangoTVTimes.lnk

    • %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\<Current User> (Windows NT/2000/XP).
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

  2. Adds the values:

    "zanu" = "%ProgramFiles%\ZangoClient\zanu.exe"
    "Zango TvTimes" = "C:\PROGRA~1\ZANGOA~1\ZANGOT~1\ZANGOT~1.EXE" :auto"

    to the registry subkey:


    so that the risk runs every time Windows starts.

  3. Creates the following registry subkey:

    \Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}

    so that the security risk runs when Internet Explorer starts.

  4. Creates the following registry subkeys:

    \CurrentVersion\Uninstall\Jade Shadow
    \CurrentVersion\Uninstall\Zango TV Times

  5. Modifies the value:

    "LoginSessionDisable" = "1"

    in the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control

    to prevent the computer from automatically establishing a dial-up connection when the security risk tries to access the Internet.

  6. Monitors the contents of Internet Explorer windows. When certain keywords are detected in Internet search or shopping browser windows, the security risk displays the Web page of a partner site.

  7. Monitors the state of the security risk and can repair it if it is partially removed.
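
The registry changes in steps 2 to 5 can be checked offline against a decoded `reg export` text file. The following is an added example, not Symantec's tooling: it matches keys by the suffixes shown on this page and autostart values by name only, because the page does not give the full subkey paths. The `HKEY_EXAMPLE` hive and the sample export are constructed, and the value type of `LoginSessionDisable` is an assumption.

```python
import re

# Indicators from the write-up above. Keys are matched by suffix and autostart
# values by name only, because the page does not show the full subkey paths.
KEY_SUFFIXES = tuple(s.lower() for s in (
    r"\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}",
    r"\CurrentVersion\Uninstall\Jade Shadow",
    r"\CurrentVersion\Uninstall\Zango TV Times",
))
AUTOSTART_NAMES = {"zanu", "zango tvtimes"}
AUTODIAL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control".lower()
SECTION = re.compile(r"^\[([^-].*)\]$")            # skips "[-KEY]" deletion entries
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

def find_indicators(reg_text):
    """Return sorted (kind, location) hits found in decoded .reg export text."""
    hits, key = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1)
            if key.lower().endswith(KEY_SUFFIXES):
                hits.add(("key", key))
        elif key and (m := VALUE.match(line)):
            name, data = m.group(1).lower(), m.group(2).strip('"').lower()
            if name in AUTOSTART_NAMES:
                hits.add(("autostart", f"{key}\\{m.group(1)}"))
            # Value type is an assumption: accept REG_SZ "1" or REG_DWORD 1.
            elif (key.lower() == AUTODIAL_KEY and name == "loginsessiondisable"
                  and data in ("1", "dword:00000001")):
                hits.add(("autodial", key))
    return sorted(hits)

# Constructed sample export (not captured from a real host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_EXAMPLE\Autostart]
"zanu"="C:\\Program Files\\ZangoClient\\zanu.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_EXAMPLE\Explorer\Browser Helper Objects\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}]

[HKEY_CURRENT_USER\Software\Microsoft\RAS Autodial\Control]
"LoginSessionDisable"=dword:00000001
'''

if __name__ == "__main__":
    for kind, where in find_indicators(SAMPLE):
        print(f"{kind:10} {where}")
```

A name-only match on the autostart values can flag unrelated software that reuses those names, so confirm any hit against the file paths listed in step 1.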
