
BrowserModifier:Win32/WebEnhancementsMedia


First posted on 06 September 2011.
Source: SecurityHome

Aliases :

There are no other names known for BrowserModifier:Win32/WebEnhancementsMedia.

Explanation :

BrowserModifier:Win32/WebEnhancementsMedia is a browser modifier that displays advertisements on a user's Facebook page, and enables the user to alter the background of Facebook.



Installation

Upon installation, BrowserModifier:Win32/WebEnhancementsMedia creates the following directory:

  • %ProgramFiles%\WebEnhancements


It may also create the following files:

  • %ProgramFiles%\WebEnhancements\WebEnhancements.dll - the BHO component
  • %ProgramFiles%\WebEnhancements\WebEnhancements.xpi - the Firefox extension
  • %ProgramFiles%\WebEnhancements\Uninstall.exe - an uninstaller


BrowserModifier:Win32/WebEnhancementsMedia may add the following files to create a Firefox extension:

  • chrome.manifest
  • install.rdf
  • content\
  • ff-overlay.xul
  • overlay.js
  • jquery-1.3.2_nd.js
  • myscript.js


BrowserModifier:Win32/WebEnhancementsMedia may install itself as a Browser Helper Object (BHO) by making the following changes to the registry:

Adds the following subkeys:

HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}
HKLM\SOFTWARE\Classes\Interface\{60977D31-766E-45AB-8CAD-93EDECE7C2E9}
HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}
HKLM\SOFTWARE\Classes\facerange.StockBar
HKLM\SOFTWARE\Classes\facerange.StockBar.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}
Sets value: <default>
With data: "Web Enhancements"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}\InprocServer32
Sets value: <default>
With data: "C:\\Program Files\\WebEnhancements\\WebEnhancements.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}\ProgID
Sets value: <default>
With data: "facerange.StockBar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}\Programmable
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}\TypeLib
Sets value: <default>
With data: "{89E96460-93F7-40B6-A4D7-1E8079283BD7}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}\VersionIndependentProgID
Sets value: <default>
With data: "facerange.StockBar"

In subkey: HKLM\SOFTWARE\Classes\Interface\{60977D31-766E-45AB-8CAD-93EDECE7C2E9}
Sets value: <default>
With data: "IStockBar"

In subkey: HKLM\SOFTWARE\Classes\Interface\{60977D31-766E-45AB-8CAD-93EDECE7C2E9}\ProxyStubClsid32
Sets value: <default>
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{60977D31-766E-45AB-8CAD-93EDECE7C2E9}\ProxyStubClsid
Sets value: <default>
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{60977D31-766E-45AB-8CAD-93EDECE7C2E9}\TypeLib
Sets value: <default>
With data: "{89E96460-93F7-40B6-A4D7-1E8079283BD7}"
Sets value: "Version"
With data: "1.0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}\1.0
Sets value: <default>
With data: "facerange 1.0 Type Library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}\1.0\0
Sets value: <default>
With data: "hex(0):,00"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}\1.0\0\win32
Sets value: <default>
With data: "C:\\Program Files\\WebEnhancements\\WebEnhancements.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}\1.0\FLAGS
Sets value: <default>
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{89E96460-93F7-40B6-A4D7-1E8079283BD7}\1.0\HELPDIR
Sets value: <default>
With data: "C:\\Program Files\\WebEnhancements"

In subkey: HKLM\SOFTWARE\Classes\facerange.StockBar.1
Sets value: <default>
With data: "Web Enhancements"

In subkey: HKLM\SOFTWARE\Classes\facerange.StockBar.1\CLSID
Sets value: <default>
With data: "{CC0F2900-8A5B-4D0D-9E44-10435BC40774}"

In subkey: HKLM\SOFTWARE\Classes\facerange.StockBar
Sets value: <default>
With data: "StockBar Class"

In subkey: HKLM\SOFTWARE\Classes\facerange.StockBar\CLSID
Sets value: <default>
With data: "{CC0F2900-8A5B-4D0D-9E44-10435BC40774}"

In subkey: HKLM\SOFTWARE\Classes\facerange.StockBar\CurVer
Sets value: <default>
With data: "facerange.StockBar.1"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC0F2900-8A5B-4D0D-9E44-10435BC40774}
Sets value: <default>
With data: "Web Enhancements Browser Plugin"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements
Sets value: "DisplayName"
With data: "WebEnhancements"
Sets value: "HelpLink "
With data: "hxxp://www.quantrologic.com"
Sets value: "Inno Setup: App Path"
With data: "C:\\Program Files\\WebEnhancements"
Sets value: "Inno Setup: Icon Group"
With data: "WebEnhancements"
Sets value: "Inno Setup: Language"
With data: "english"
Sets value: "Inno Setup: Setup Version"
With data: "5.4.0 (a)"
Sets value: "Install Location"
With data: "C:\\Program Files\\WebEnhancements"
Sets value: "Publisher"
With data: "QUANTROLOGIC"
Sets value: "URLInfoAbout"
With data: "hxxp://www.quantrologic.com"
Sets value: "URLUpdateInfo"
With data: "hxxp://www.quantrologic.com"
Sets value: "UninstallString"
With data: "C:\\Program Files\\WebEnhancements\\Uninstall.exe"

Once installed in Internet Explorer, the program's presence can be seen in the 'Manage Add-ons' window that can be accessed from the Tools menu. The image below displays a 'Manage Add-ons' window with the program listed as 'Web Enhancements'.



BrowserModifier:Win32/WebEnhancementsMedia may install itself as an extension in Mozilla Firefox by making the following change to the registry:

In subkey: HKLM\SOFTWARE\Mozilla\Firefox\Extensions
Sets value: "{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}"
With data: "C:\\Program Files\\WebEnhancements\\WebEnhancements.xpi"

Once installed in Mozilla Firefox, the program's presence can be seen in the 'Add-ons Manager' window. The image below displays an 'Add-ons Manager' window with the program listed as 'Facebook Customizer':
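The registry changes above are the artifacts a defender can check for directly. The following PowerShell script is an added example, not part of the original analysis: it enumerates the Browser Helper Objects registered for Internet Explorer and the extensions registered for Firefox, and flags any entry matching the CLSID, extension GUID, or WebEnhancements path listed on this page. The Wow6432Node key paths (used by 32-bit Internet Explorer on 64-bit Windows) are an assumption beyond what the page states; everything else is taken from the indicators above. The script only reads the registry and file system and changes nothing.

```powershell
# Added detection example (not part of the original analysis). Read-only: it enumerates
# registered IE Browser Helper Objects and Firefox extension registrations and flags
# entries matching the indicators listed above. Run from an elevated prompt.

# Indicators taken from the analysis above.
$BhoClsid     = '{CC0F2900-8A5B-4D0D-9E44-10435BC40774}'
$FirefoxExtId = '{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}'
$PathMarker   = '\WebEnhancements\'

function Get-WebEnhancementsIndicators {
    $findings = @()

    # IE loads BHOs registered under this key; the Wow6432Node view (an assumption here,
    # standard for 32-bit IE on 64-bit Windows) is checked as well.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            # Resolve the DLL the CLSID points at via its InprocServer32 default value.
            $dll = $null
            foreach ($clsRoot in 'HKLM:\SOFTWARE\Classes\CLSID',
                                 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
                $srv = Join-Path $clsRoot "$clsid\InprocServer32"
                if (Test-Path $srv) {
                    $dll = (Get-ItemProperty -Path $srv).'(default)'
                    break
                }
            }
            $findings += [pscustomobject]@{
                Component  = 'IE BHO'
                Id         = $clsid
                Path       = $dll
                Suspicious = ($clsid -ieq $BhoClsid) -or ("$dll" -like "*$PathMarker*")
            }
        }
    }

    # Firefox picks up extensions registered as values under this key (GUID -> .xpi path).
    $ffKey = 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions'
    if (Test-Path $ffKey) {
        foreach ($p in (Get-ItemProperty -Path $ffKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $findings += [pscustomobject]@{
                Component  = 'Firefox extension'
                Id         = $p.Name
                Path       = $p.Value
                Suspicious = ($p.Name -ieq $FirefoxExtId) -or ("$($p.Value)" -like "*$PathMarker*")
            }
        }
    }

    # On-disk and uninstall artifacts named in the analysis.
    foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
        $dir = Join-Path $base 'WebEnhancements'
        if (Test-Path $dir) {
            $findings += [pscustomobject]@{ Component = 'Directory'; Id = 'WebEnhancements'; Path = $dir; Suspicious = $true }
        }
    }
    $uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebEnhancements'
    if (Test-Path $uninst) {
        $findings += [pscustomobject]@{ Component = 'Uninstall entry'; Id = 'WebEnhancements'; Path = $uninst; Suspicious = $true }
    }

    return $findings
}

$results = Get-WebEnhancementsIndicators
$results | Format-Table -AutoSize
if ($results | Where-Object Suspicious) {
    Write-Warning 'WebEnhancements indicators present; review the flagged entries.'
}
```

Because the script lists every BHO and Firefox registration rather than only the known CLSID, it also surfaces any renamed or re-registered copy that still loads from the WebEnhancements directory, which is the more durable indicator once a sample is repackaged.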



BrowserModifier:Win32/WebEnhancementsMedia may bundle itself with a legitimate no-cost program. The image below shows the program distributing itself with xvid, a legitimate video codec.



Additional information

BrowserModifier:Win32/WebEnhancementsMedia may display advertisements on a user's Facebook page, such as those seen in the image below:



BrowserModifier:Win32/WebEnhancementsMedia enables the user to change the background of Facebook pages by allowing the user to upload a picture; below is an example of a Facebook page with an uploaded sunset image:



We have observed BrowserModifier:Win32/WebEnhancementsMedia being bundled with other programs, such as the following:

  • Installmonetizer
  • Clickcoupon
  • Hotbar (detected as Adware:Win32/Hotbar)
  • Babylon
  • Real Player

With these bundlings, the user may find the following directories on their machine:

  • Click Coupon
  • Search Dock
  • Viasheep Games




Analysis by Michael Johnson

Last update 06 September 2011
