
Adware.SearchNet

Updated: July 19, 2006 7:46:24 PM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Adware.SearchNet is adware that modifies the Internet Explorer default search page.

When the risk is first installed, it creates the following files:
%Windir%\Downloaded Program Files\[RANDOM NAME].dll
%Windir%\Downloaded Program Files\[RANDOM NAME].dll
%System%\drivers\Anfad.sys
%System%\drivers\[RANDOM NAME].sys
%System%\drivers\FAD.sys
%System%\drivers\[RANDOM NAME].sys
%System%\ServeHost.dat
%System%\ServeHost.exe
%ProgramFiles%\SearchNet\SearchNet.exe
%ProgramFiles%\SearchNet\ServeUp.exe
%ProgramFiles%\SearchNet\SNHpr.dll
%ProgramFiles%\SearchNet\SrvNet32.dll
%ProgramFiles%\SearchNet\UnInstall.exe

Next, the risk creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{515bafd0-86a0-4b2a-9dfe-4440bf60c355}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{5c20c0e0-9a22-424f-92c8-6f408563ce98}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{93506e82-31e9-47b4-901e-2d04d6aa3b86}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{c8a82950-abe8-4b7d-a5de-19c249a9cfac}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{cf3780c4-33ba-44bd-981f-e37940887d8b}
HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}

Then, the risk creates the following registry subkeys so that it runs as a service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]

Next, the risk creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Main\"Enable Browser Extensions" = "yes"

Then, the risk creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"CdnCtr" = ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SearchNet_Up" = "%ProgramFiles%\SearchNet\ServeUp.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = rundll32 "%Windir%\Downloaded Program Files\[RANDOM NAME].dll"

Adware.SearchNet is a Browser Helper Object that replaces the default search page in Internet Explorer, so that each search is redirected to the following domain:
zhongsou.com

The risk uses kernel-mode drivers to protect its files and registry keys from deletion, so removing it requires restarting the machine in Recovery Console mode. The threat also attempts to delete folders and registry keys belonging to the CnsMin Browser Helper Object.
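A read-only host check for the fixed-name files, registry subkeys, BHO CLSIDs and Run values listed above, written here as an added example (it is not Symantec's detection or removal tooling). It assumes PowerShell 3 or later on an NT-class Windows where %System% is System32, and it skips the [RANDOM NAME] items except the rundll32 Run value, which it matches by pattern.

```powershell
# Read-only audit of a Windows host for the Adware.SearchNet indicators above.
# Assumes an NT-class system where %System% is System32; [RANDOM NAME] items
# cannot be matched literally, so the Run-value check uses a pattern instead.
$files = @(
    "$env:SystemRoot\System32\drivers\Anfad.sys",
    "$env:SystemRoot\System32\drivers\FAD.sys",
    "$env:SystemRoot\System32\ServeHost.dat",
    "$env:SystemRoot\System32\ServeHost.exe",
    "$env:ProgramFiles\SearchNet\SearchNet.exe",
    "$env:ProgramFiles\SearchNet\ServeUp.exe",
    "$env:ProgramFiles\SearchNet\SNHpr.dll",
    "$env:ProgramFiles\SearchNet\SrvNet32.dll",
    "$env:ProgramFiles\SearchNet\UnInstall.exe"
)
$bhoClsids = @('{2A0176FE-008B-4706-90F5-BBA532A49731}',
               '{3CE496D1-1746-41CD-9489-3C0B93DF10E2}')
$keys = @(
    'HKLM:\SOFTWARE\Classes\IEHpr.InterCept',
    'HKLM:\SOFTWARE\SearchNet',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ',
    # IFEO subkeys can redirect a program's launch through a Debugger value
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Anfad',
    'HKLM:\SYSTEM\CurrentControlSet\Services\FAD',
    'HKLM:\SYSTEM\CurrentControlSet\Services\Remote Log'
)
# Each BHO CLSID appears both as a COM class and as a registered Browser Helper Object.
$keys += $bhoClsids | ForEach-Object {
    "HKLM:\SOFTWARE\Classes\CLSID\$_"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$_"
}
$findings = New-Object System.Collections.Generic.List[string]
foreach ($f in $files) { if (Test-Path -LiteralPath $f) { $findings.Add("file:   $f") } }
foreach ($k in $keys)  { if (Test-Path -LiteralPath $k) { $findings.Add("regkey: $k") } }
# Run values: the two fixed names, plus any value that launches a DLL from
# Downloaded Program Files via rundll32 (the random-named entry on this page).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -in @('CdnCtr', 'SearchNet_Up') -or
            "$($p.Value)" -match 'rundll32.*Downloaded Program Files\\[^"]+\.dll') {
            $findings.Add("run:    $($p.Name) = $($p.Value)")
        }
    }
}
if ($findings.Count -eq 0) { Write-Output 'No Adware.SearchNet indicators found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Because the drivers protect these objects while Windows is running, a hit from this script confirms presence only; removal still follows the Recovery Console procedure described above.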