27 September 2011

Program:Win32/Seeearch

Aliases:

Program:Win32/Seeearch is also known as Adware.VlcPlayer (Dr.Web), IsolationAware (Sophos).

Explanation:

Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".

Installation

When run, the fake installer displays a graphic, then an End User License Agreement, and then an error message (the screenshots are not reproduced here). It then drops the following files:
\Seeearch\seeearch.crc
\Seeearch\seeearch.dll
\Seeearch\start.html
\Seeearch\tbhelper.dll
\Seeearch\uninstall.exe
\Seeearch\update.exe
\Seeearch\21_pro.png
\Seeearch\58tuto02.jpg
\Seeearch\about.html
\Seeearch\basis.xml
\Seeearch\bookmark_256.png
\Seeearch\c1.png
\Seeearch\c2.png
\Seeearch\demo_logo.bmp
\Seeearch\demo_logo.bmp_16.bmp
\Seeearch\dice.png
\Seeearch\error.html
\Seeearch\facebook.png
\Seeearch\facebooklay.png
\Seeearch\favicon.ico
\Seeearch\football.png
\Seeearch\google_youtube.png
\Seeearch\icons.bmp
\Seeearch\icon_news.jpg
\Seeearch\kpat.png
\Seeearch\kpat2.png
\Seeearch\label_new_blue.png
\Seeearch\label_new_red.png
\Seeearch\littlelogo.png
\Seeearch\log.bmp
\Seeearch\log.bmp_30.bmp
\Seeearch\logotool.png
\Seeearch\logotoolbar.png
\Seeearch\loupe.png
\Seeearch\megaupload.png
\Seeearch\meteo.png
\Seeearch\money.png
\Seeearch\movies.png
\Seeearch\p1.png
\Seeearch\p2.png
\Seeearch\play.png
\Seeearch\refre.png
\Seeearch\refresh.png
\Seeearch\search_button_format_bing.png
\Seeearch\sims2_1.png
\Seeearch\social_youtube.png
\Seeearch\STREAM1.png
\Seeearch\STREAM2.png
\Seeearch\tweet.png
\Seeearch\twitter.png
\Seeearch\v1.png
\Seeearch\v2.png
\Seeearch\version.txt
\Seeearch\video.png
\Seeearch\weather.png
\Seeearch\youtube.png 

Note: we observed that in-the-wild samples of Win32/Seeearch use the following folder locations as the "":
    D:\%ProgramFiles%

The registry is modified to run Win32/Seeearch as a Browser Helper Object.
In subkey: HKLM\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"
To data: ""

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CurVer
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\ProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\VersionIndependentProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CurVer
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\ProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\VersionIndependentProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0
Sets value: "(default)"
To data: "toolbar3 1.0 type library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\FLAGS
Sets value: "(default)"
To data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\0\win32
Sets value: "(default)"
To data: "\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\HELPDIR
Sets value: "(default)"
To data: "\seeearch\"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}
Sets value: "(default)"
To data: "itoolbarobj"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}
Sets value: "(default)"
To data: "iposbho"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"


When Internet Explorer is launched, Win32/Seeearch is visible as a toolbar (screenshot not reproduced here). Program:Win32/Seeearch may display 'out-of-context' popup advertisements.
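A read-only sweep for the registration points and dropped folder listed above, written here as an added example (it is not part of the Microsoft write-up). It assumes an elevated PowerShell session, and it checks both Program Files locations on every drive because the folder was seen under D:\%ProgramFiles% in the wild.

```powershell
# Added example (not from the Microsoft write-up): read-only sweep for the Win32/Seeearch artifacts above.
$clsidToolbar = '{1FDA7DDD-25CE-4034-9D5B-38A120A14218}'   # IE toolbar COM class
$clsidBho     = '{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}'   # Browser Helper Object
$typeLib      = '{80D04E8E-7448-4D36-9161-5F89BF18DFDD}'
$interfaces   = '{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}', '{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}'

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Item, [string]$Detail = '') {
    $findings.Add([pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail })
}

# Keys whose mere presence identifies the installation.
$keys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsidBho"
    "HKLM:\SOFTWARE\Classes\CLSID\$clsidToolbar"
    "HKLM:\SOFTWARE\Classes\CLSID\$clsidBho"
    "HKLM:\SOFTWARE\Classes\TypeLib\$typeLib"
    'HKLM:\SOFTWARE\Classes\TBSB06155.IEToolbar'
    'HKLM:\SOFTWARE\Classes\Toolbar3.TBSB06155'
) + ($interfaces | ForEach-Object { "HKLM:\SOFTWARE\Classes\Interface\$_" })
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k } }

# The toolbar CLSID is registered as a value *name* (with empty data) under the IE Toolbar key.
$tb = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if ((Test-Path -LiteralPath $tb) -and
    ((Get-ItemProperty -LiteralPath $tb).PSObject.Properties.Name -contains $clsidToolbar)) {
    Add-Finding 'RegValue' "$tb\$clsidToolbar"
}

# InprocServer32 on either CLSID names the DLL Internet Explorer will load (seeearch.dll).
foreach ($c in $clsidToolbar, $clsidBho) {
    $ip = "HKLM:\SOFTWARE\Classes\CLSID\$c\InprocServer32"
    if (Test-Path -LiteralPath $ip) {
        $dll = (Get-ItemProperty -LiteralPath $ip).'(default)'
        Add-Finding 'InprocServer32' $ip $dll
    }
}

# The \Seeearch\ folder was seen under D:\%ProgramFiles% in the wild, so check both
# Program Files locations on every drive rather than only C:.
foreach ($root in (Get-PSDrive -PSProvider FileSystem).Root) {
    foreach ($pf in 'Program Files', 'Program Files (x86)') {
        $dir = Join-Path $root (Join-Path $pf 'Seeearch')
        if (Test-Path -LiteralPath $dir) {
            $bins = Get-ChildItem -LiteralPath $dir -Name | Where-Object { $_ -match '\.(dll|exe)$' }
            Add-Finding 'Folder' $dir ($bins -join ',')
        }
    }
}
if ($findings.Count) { $findings | Format-Table -AutoSize } else { 'No Win32/Seeearch artifacts found.' }
```

A hit on the InprocServer32 row is the strongest signal, since that is the DLL path Internet Explorer actually loads; the other rows are registration leftovers that an incomplete uninstall can also leave behind.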

Analysis by Jonathan San Jose
