Adware.Kuaiso

Updated: July 25, 2006 7:50:18 AM
Type: Adware
Risk Impact: High
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Adware.Kuaiso is an adware program that installs an Internet Explorer toolbar and modifies the Internet Explorer start page and search page. It also connects to the toolsbar.kuaiso.com domain and displays ads.

This security risk is typically downloaded from the Internet or dropped by another threat.

Once installed, the risk creates the following files:
  • %ProgramFiles%\Kuaiso Toolsbar\+.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\-.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\basis.xml
  • %ProgramFiles%\Kuaiso Toolsbar\block.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\clean.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\film.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\find.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\hezuo.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\hightlightt.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\home.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\icons.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\kuaiso_06040.crc
  • %ProgramFiles%\Kuaiso Toolsbar\kuaiso_06040.dll
  • %ProgramFiles%\Kuaiso Toolsbar\lianmeng.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\msvcp60.dll
  • %ProgramFiles%\Kuaiso Toolsbar\msvcrt.dll
  • %ProgramFiles%\Kuaiso Toolsbar\newversion.txt
  • %ProgramFiles%\Kuaiso Toolsbar\ring.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\shengji.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\shoucang.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\standard_icons.bmp
  • %ProgramFiles%\Kuaiso Toolsbar\version.txt


It then modifies the following registry entries to change the Internet Explorer home page and search page:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Bar" = "http://toolsbar.kuaiso.com/search.html"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page" = "http://toolsbar.kuaiso.com/search.html"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"SearchAssistant" = "http://toolsbar.kuaiso.com/search.html"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://toolsbar.kuaiso.com/index.htm"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Use Search Asst" = "No"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\"{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\"SearchAssistant" = "http://toolsbar.kuaiso.com/search.html"


The risk also creates the following registry subkeys:
  • HKEY_CLASSES_ROOT\CLSID\{6029B367-250A-4696-925C-641709CA7381}
  • HKEY_CLASSES_ROOT\CLSID\{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}
  • HKEY_CLASSES_ROOT\ToolBand.XBTP03129
  • HKEY_CLASSES_ROOT\ToolBand.XBTP03129.1
  • HKEY_CLASSES_ROOT\TypeLib\{55A0B315-0920-4DC0-A9D7-46770E24816B}
  • HKEY_CLASSES_ROOT\XBTB03129.IEToolbar
  • HKEY_CLASSES_ROOT\XBTB03129.IEToolbar.1
  • HKEY_CLASSES_ROOT\XBTB03129.XBTB03129
  • HKEY_CLASSES_ROOT\XBTB03129.XBTB03129.1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XBTB03129.XBTB03129Toolbar
  • HKEY_CURRENT_USER\Software\XBTB03129
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6029B367-250A-4696-925C-641709CA7381}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{01E04581-4EEE-11D0-BFE9-00AA005B4383}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}


It then deletes the following registry subkey:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

The risk then connects to the toolsbar.kuaiso.com domain and displays ads.
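
As an added example (not part of the original write-up), the following Python checks the decoded text of a `reg export` dump for the registry changes listed above: values pointing at toolsbar.kuaiso.com, the two Kuaiso CLSIDs, and a URLSearchHooks key that no longer holds the default {CFBFAE00-17A6-11D0-99CB-00C04FD64497} entry. The function name, the finding labels and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the write-up above.
AD_DOMAIN = "toolsbar.kuaiso.com"
KUAISO_CLSIDS = {"{6029B367-250A-4696-925C-641709CA7381}",  # Browser Helper Object
                 "{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}"}  # toolbar / search hook
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"     # entry the risk deletes
HOOKS_KEY = r"\software\microsoft\internet explorer\urlsearchhooks"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def scan_reg_export(text):
    """Return sorted (kind, location) findings for decoded .reg export text."""
    findings, hooks, key, parent = set(), {}, "", None
    for line in map(str.strip, text.splitlines()):
        if (m := KEY_RE.match(line)):
            key = m.group(1)
            if any(g.upper() in KUAISO_CLSIDS for g in GUID_RE.findall(key)):
                findings.add(("kuaiso-clsid", key))
            idx = key.lower().find(HOOKS_KEY)
            parent = key[:idx + len(HOOKS_KEY)] if idx >= 0 else None
            if parent:  # record hooks that appear as subkeys rather than values
                hooks.setdefault(parent, set()).update(
                    g.upper() for g in GUID_RE.findall(key[len(parent):]))
        elif (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if AD_DOMAIN in data.lower():
                findings.add(("hijacked-url", key + "\\" + name))
            if name.upper() in KUAISO_CLSIDS:
                findings.add(("kuaiso-clsid", key + "\\" + name))
            if parent:
                hooks[parent].add(name.upper())
    for path, seen in hooks.items():
        if DEFAULT_HOOK not in seen:  # the default search hook has been removed
            findings.add(("default-hook-missing", path))
    return sorted(findings)

# Constructed sample (not from a real host): HKCU fragment showing the changes.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://toolsbar.kuaiso.com/index.htm"
"Search Page"="http://toolsbar.kuaiso.com/search.html"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6D53ADB7-6AD5-4A59-BFE4-7B57D2F4AA89}"=""
'''
```

Files written by `reg export` are normally UTF-16 encoded, so decode them before passing the text to `scan_reg_export`.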