Threat Profile: Adware-Surfbar

Virus Profile information details
Risk Assessment: Home N/A | Corporate N/A
Date Discovered: 9/3/2003
Date Added: 9/3/2003
Origin: Unknown
Length: Various
Type: Program
Subtype: Adware
DAT Required: 4291

Description

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.

Symptoms

N/A - this is not a virus or trojan, but an application.

Method

N/A - this is not a virus or trojan, but an application.

Aliases

Aduent, JunkSurf, Surferbar

Virus Characteristics

AVERT has received a few enquiries concerning this application.

It is believed that a recent Internet Explorer exploit has been taken advantage of in a spammed HTML formatted email message. The message contains specific ActiveX tags to take advantage of this exploit in order to execute a remote script.

The ActiveX content within the HTML message is detected as Exploit-ODREV with the specified DATs.

The remote script is detected as VBS/Inor. It drops and executes the following binary on the victim machine:

C:\DRG.EXE

This file is detected as Downloader-ED. When it is run, it connects to a remote server and downloads the Adware application.

For details concerning the exploit, and links to the necessary patch, follow the link below:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp

Application Installation

Upon installation many file system and Registry modifications are made.

The following files are installed in the Program Files directory:

c:\Program Files\win32.dll (508,000 bytes)
c:\Program Files\winsrv32.exe (6,657 bytes)

Both of these files are detected as Adware-Surfbar with the specified engine/DATs (with application type detections enabled - see below).

System startup is hooked via the following Registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce "win32" = c:\program files\winsrv32.exe

The default startpage is modified via the following Registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.surferbar.com/

A toolbar is also installed on the local machine, via the following Registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar "{FF7FD490-34E7-4FA1-927A-F5799E6AAD7B}"

Many folders are created on the local machine, into which various URL shortcuts are dropped. A large proportion of these shortcuts are porn-related.

The following parent folders are created into which sub-folders containing these shortcuts are added:

c:\WINDOWS\Desktop\Adult Entertainment
c:\WINDOWS\Desktop\Casinos & Gambling
c:\WINDOWS\Desktop\Find a date
c:\WINDOWS\Favorites\Adult Entertainment
c:\WINDOWS\Favorites\Casinos & Gambling
c:\WINDOWS\Favorites\Find a date
c:\WINDOWS\Favorites\Search The Net
c:\WINDOWS\Start Menu\Adult Entertainment
c:\WINDOWS\Start Menu\Casinos & Gambling
c:\WINDOWS\Start Menu\Find a date
c:\WINDOWS\Start Menu\Programs\Adult Entertainment
c:\WINDOWS\Start Menu\Programs\Casinos & Gambling
c:\WINDOWS\Start Menu\Programs\Find a date
c:\WINDOWS\Start Menu\Programs\Search The Net
c:\WINDOWS\Start Menu\Venusseek

The following shortcuts are dropped onto the Windows desktop:

Adult Search.lnk (204 bytes)
Erotic Search.lnk (181 bytes)
Web Search.lnk (178 bytes)
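As an added example (not code from the profile or from McAfee), the following Python script checks an exported registry file and a listing of file sizes for the registry and file indicators given in the Application Installation section above: the Runonce hook, the modified Start Page, the toolbar CLSID, and the two dropped binaries with their stated sizes. The .reg text and the file listing embedded below are constructed for the demonstration; on a real machine you would feed it the output of `reg export` and a walk of the Program Files directory. Registry key and value names are compared case-insensitively, as the registry itself treats them.

```python
"""Check a .reg export and a file-size listing for Adware-Surfbar indicators.

Added example; the sample registry export and file listing are constructed,
not captured from an infected machine.
"""
import os
import re

# Registry indicators as the profile lists them: (key, value name, expected data).
REG_INDICATORS = {
    "runonce_hook": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce",
        "win32",
        r"c:\program files\winsrv32.exe",
    ),
    "start_page": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
        "Start Page",
        "http://www.surferbar.com/",
    ),
}
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar"
TOOLBAR_CLSID = "{FF7FD490-34E7-4FA1-927A-F5799E6AAD7B}"

# Dropped files and the sizes the profile reports for them.
DROPPED_FILES = {
    r"c:\program files\win32.dll": 508000,
    r"c:\program files\winsrv32.exe": 6657,
}


def parse_reg_export(text):
    """Parse the subset of .reg syntax produced by REG EXPORT: [key] headers
    followed by "name"="string" lines. Returns {key: {name: data}} with the
    doubled backslashes of .reg string data unescaped."""
    hives = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = re.match(r'^"(.*?)"="(.*)"$', line)
        if m and current is not None:
            hives[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return hives


def find_surfbar_indicators(reg_text, file_sizes):
    """Return a sorted list of indicator labels present in the given registry
    export text and {absolute path: size in bytes} listing."""
    reg = {k.lower(): {n.lower(): v for n, v in vals.items()}
           for k, vals in parse_reg_export(reg_text).items()}
    files = {p.lower(): s for p, s in file_sizes.items()}
    found = []
    for label, (key, name, expected) in REG_INDICATORS.items():
        data = reg.get(key.lower(), {}).get(name.lower())
        if data is not None and data.lower() == expected.lower():
            found.append(label)
    if TOOLBAR_CLSID.lower() in reg.get(TOOLBAR_KEY.lower(), {}):
        found.append("toolbar_clsid")
    for path, size in DROPPED_FILES.items():
        if path in files:
            base = path.rsplit("\\", 1)[1]
            # A name match with a different size is still reported, since
            # the profile notes the length varies between samples.
            found.append(f"file:{base}" if files[path] == size
                         else f"file:{base}:unexpected-size")
    return sorted(found)


def collect_file_sizes(root):
    """Build the {path: size} listing from a directory tree (e.g. Program Files)."""
    sizes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            sizes[full.lower()] = os.path.getsize(full)
    return sizes


# Constructed sample export showing all three registry indicators.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce]
"win32"="c:\\program files\\winsrv32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.surferbar.com/"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{FF7FD490-34E7-4FA1-927A-F5799E6AAD7B}"=""
'''

# Constructed file listing; the notepad.exe size is made up filler.
SAMPLE_FILES = {
    r"C:\Program Files\win32.dll": 508000,
    r"C:\Program Files\winsrv32.exe": 6657,
    r"C:\Windows\notepad.exe": 69120,
}

if __name__ == "__main__":
    print(find_surfbar_indicators(SAMPLE_REG, SAMPLE_FILES))
```

The parser deliberately handles only string values, which is all the profile's indicators require; DWORD or binary values in a real export are skipped rather than misparsed. The folder and .lnk indicators listed above are not covered by this check.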