
Adware.SecureServicePk

Updated: June 1, 2006 2:52:36 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Adware.SecureServicePk is adware that inserts advertisements into the top of the result pages of some search Web sites.

The risk is installed as a Browser Helper Object DLL file.

Note: The DLL file is referenced by the following registry value:
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}\InProcServer32\"(Default)" = "[PATH TO DLL]"

When the risk is installed, it adds the following registry subkeys:
HKEY_CLASSES_ROOT\SecureServicePack.BHO.1
HKEY_CLASSES_ROOT\SecureServicePack.BHO
HKEY_CLASSES_ROOT\CLSID\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_CLASSES_ROOT\CLSID\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\Component Categories\{00021494-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}
HKEY_CLASSES_ROOT\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}
HKEY_CLASSES_ROOT\Interface\{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}
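
A read-only check for the registry artifacts listed above, as an added example (not Symantec's removal tool or code from this writeup). The variable names and output format are this example's own, and leaving out the Component Categories key is an editorial choice explained in the comments.

```powershell
# Added example: read-only triage for the registry artifacts in this writeup.
# Nothing is modified; run it on the machine being examined.
$bhoClsid = '{FE6A3E85-0F6C-49AD-8843-68FF44E7EEAA}'   # Browser Helper Object CLSID
$barClsid = '{DFEFF09F-785E-4191-8E5D-A7650A1C4F9A}'   # Explorer bar / extension CLSID
$hkcr = 'Registry::HKEY_CLASSES_ROOT'
$hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft'

# Subkeys from the writeup. The "Component Categories\{00021494-...}" entry is
# left out on purpose: it is a standard Windows shell category ID that can be
# present on clean systems, so it is not a useful indicator by itself.
$keys = @(
    "$hkcr\SecureServicePack.BHO.1",
    "$hkcr\SecureServicePack.BHO",
    "$hkcr\CLSID\$bhoClsid",
    "$hkcr\CLSID\$barClsid",
    "$hklm\Internet Explorer\Explorer Bars\$barClsid",
    "$hklm\Internet Explorer\Extensions\$barClsid",
    "$hklm\Windows\CurrentVersion\Explorer\Browser Helper Objects\$bhoClsid",
    "$hklm\Windows\CurrentVersion\Shell Extensions\Approved\$barClsid",
    "$hkcr\TypeLib\{90BB6171-83D8-43DE-94D4-6C0078DD7896}",
    "$hkcr\Interface\{B5918C1E-B0CD-4123-A0CB-CFE9703A265B}"
)

# Collect every listed key that exists on this system.
$found = @(foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        [pscustomobject]@{ Artifact = 'RegistryKey'; Path = $k; Detail = 'present' }
    }
})

# The writeup states that the DLL path is the (Default) value of InProcServer32.
$inproc = "$hkcr\CLSID\$bhoClsid\InProcServer32"
if (Test-Path -LiteralPath $inproc) {
    $dll = (Get-Item -LiteralPath $inproc).GetValue('')   # '' reads (Default)
    if ($dll) {
        $onDisk = Test-Path -LiteralPath $dll
        $found += [pscustomobject]@{
            Artifact = 'BHO DLL'; Path = $dll; Detail = "file on disk: $onDisk"
        }
    }
}

if ($found.Count -gt 0) {
    $found | Format-List
} else {
    'No Adware.SecureServicePk registry artifacts found.'
}
```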

The risk monitors the URL that Internet Explorer is visiting to check whether it is one of the following:
frazoo.com/results.php
dogpile.com/info.dogpl/search/web
xpsn.com/Search/SmartSearch4.asp
xpsn.com/Search/
yandex.
search.yahoo.com/
search.com/
overture.com/
search.netscape.com/
search.msn.com/
lycos.
hotbot.com/
google.
fastsearch.com/
.excite.
search.ebay.com/
cnn.com/
ask.com/
search.aol.com/
altavista.com/
alltheweb.com/

It then inserts an advertisement into the top of the search result page.

Note: The unexpected insertion of content may make the result page difficult to view on some Web sites, such as www.yandex.ru.

Writeup By: Masaki Suenaga