
Adware.PigSearch

Updated:
February 13, 2007 11:46:55 AM
Type:
Adware
Risk Impact:
High
File Names:
mouse.dll, search.exe, zsearch.exe, hcalway.sys, abhcop.sys
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

When Adware.PigSearch is executed, it performs the following actions:
  1. Installs itself into the following locations:

    • %ProgramFiles%\wsearch
    • %ProgramFiles%\HuaCi

      by creating some of the following files:

    • allverx.dat
    • Mouse.dll
    • mUninstall.exe
    • mupdate.exe
    • Search.exe
    • SearchM.dll
    • sysupdate.ini
    • _uninstall

      Note:
    • %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
    • The two kernel mode drivers created in step 2 (abhcop.sys and hcalway.sys) act as a rootkit and prevent certain registry subkeys and files associated with the risk from being deleted. They achieve this by overwriting entries in the System Service Descriptor Table (SSDT).

  2. Creates the files:

    • %System%\drivers\abhcop.sys
    • %System%\drivers\hcalway.sys

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Adds the value:

    "MoveSearch" = "[PATH TO ADWARE]"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  4. Creates the following registry subkeys:

    HKEY_CLASSES_ROOT\CLSID\{594BE7B2-23B0-4FAE-A2B9-0C21CC1417CE}
    HKEY_CLASSES_ROOT\Interface\{4E1ACE40-F681-4CC4-A7C0-AD1E6C9AD86F}
    HKEY_CLASSES_ROOT\Interface\{A07E6B9B-BB30-4381-A9D8-FABB0648BCEF}
    HKEY_CLASSES_ROOT\TypeLib\{FD536575-73F7-42A3-9E9F-11688F1A006A}
    HKEY_CLASSES_ROOT\TypeLib\{C5CE084B-31E0-4B34-A33A-82B4EA913CF8}
    HKEY_CLASSES_ROOT\SearchM.Com
    HKEY_CLASSES_ROOT\SearchM.Com.1
    HKEY_CLASSES_ROOT\SearchM.Search
    HKEY_CLASSES_ROOT\SearchM.Search.1
    HKEY_CURRENT_USER\Software\Pig Move Search
    HKEY_CURRENT_USER\Software\MSWord\Search
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CDSearch

  5. Registers itself as a system service by adding the following registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\abhcop
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hcalway
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abhcop
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcalway


  6. Creates the subkey

    »®´ÊËÑË÷

    under the subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Note: This subkey name is encoded using GB2312 (Guojia Biaozhun), the official character set of the People's Republic of China. If the appropriate language pack is not installed, the key is displayed as garbled characters, as shown above.

  7. Creates the files:

    • %UserProfile%\Start Menu\Programs\Startup\»®´ÊËÑË÷.lnk
    • %UserProfile%\Start Menu\Programs\»®´ÊËÑË÷.lnk

      Note:
    • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).
    • These file names are encoded using GB2312 (Guojia Biaozhun), the official character set of the People's Republic of China. If the appropriate language pack is not installed, the file names are displayed as garbled characters, as shown above.
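As an added example (not part of the Symantec writeup), the Python below recovers the real subkey and shortcut name from the garbled rendering shown in steps 6 and 7, and scans a registry export for the persistence indicators listed in steps 3 to 6. The sample .reg text, the regular expression and the indicator labels are my own construction; only the paths and names come from the page.

```python
import re

# The subkey/shortcut name exactly as the page shows it: GB2312 bytes
# rendered as Latin-1 on a system without the Chinese language pack.
GARBLED_NAME = "»®´ÊËÑË÷"

def decode_gb2312_mojibake(garbled: str) -> str:
    """Turn the mis-rendered text back into its bytes and decode as GB2312."""
    return garbled.encode("latin-1").decode("gb2312")  # -> 划词搜索

# Persistence indicators taken from the page. Registry paths are case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "MoveSearch"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\(abhcop|hcalway)$",
    re.IGNORECASE)

def find_indicators(reg_export: str) -> list:
    """Scan a .reg export (text) and list the PigSearch indicators present, in order."""
    hits, key = [], ""
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            m = SERVICE_RE.match(key)
            if m:  # step 5: rootkit driver registered as a service
                hits.append("service " + m.group(2).lower())
            parent, _, leaf = key.rpartition("\\")
            # Step 6: the uninstall key may be stored garbled (non-Chinese system) or decoded.
            if parent.lower() == UNINSTALL_KEY.lower() and \
                    leaf in (GARBLED_NAME, decode_gb2312_mojibake(GARBLED_NAME)):
                hits.append("uninstall key " + decode_gb2312_mojibake(GARBLED_NAME))
        elif key.lower() == RUN_KEY.lower() and line.lower().startswith(f'"{RUN_VALUE.lower()}"='):
            hits.append("run value " + RUN_VALUE)  # step 3: autostart entry
    return hits

# Constructed sample export (not a real capture); paths follow the page.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoveSearch"="C:\\Program Files\\wsearch\\Search.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hcalway]
"ImagePath"="System32\\drivers\\hcalway.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\»®´ÊËÑË÷]
"DisplayName"="»®´ÊËÑË÷"
"""

if __name__ == "__main__":
    print("decoded name:", decode_gb2312_mojibake(GARBLED_NAME))
    for hit in find_indicators(SAMPLE_REG):
        print("found:", hit)
```

Because the rootkit drivers hide the live keys while they are loaded, run a check like this against an export taken from a clean boot or an offline hive rather than on the running system.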

