
BrowserModifier:Win32/Zwangi


First posted on 29 October 2012.
Source: Microsoft

Aliases:

BrowserModifier:Win32/Zwangi is also known as Mal/BHO-S (Sophos), Spyware.Screenspy (Symantec).

Explanation:

BrowserModifier:Win32/Zwangi is a program that runs as a service in the background and modifies Internet browser search functionality.

Installation

Upon installation, BrowserModifier:Win32/Zwangi creates the following folders and drops files using the naming format below; the file name varies and depends on the screen name Zwangi uses:

  • Directory format:

    • %ProgramFiles%\<Screen name>
    • %APPDATA%\<Screen name>
  • File name format:

    • <Screen name>.dll
    • <Screen name>.exe
    • Uninstall.exe


Where <Screen name> can be any of the names listed below:

  • BarDiscover
  • BarQuery
  • BasicScan
  • BrowserDiscover
  • BrowserQuery
  • BrowserQuest
  • BrowserSeek
  • BrowserZinc
  • Findbasic
  • FindXplorer
  • Kwanzy
  • KwinzySrch
  • QueryBar
  • QueryBrowse
  • QueryBrowser
  • QueryBrwSearch
  • QueryExplorer
  • QueryScan
  • QueryService
  • QuestBasic
  • QuestBrowse
  • QuestBrowser
  • QuestBrwSearch
  • QuestDns
  • QuestResult
  • QuestScan
  • QuestService
  • QuestUrl
  • ResulCmd
  • ResultBar
  • ResultBrowse
  • ResultBrowser
  • ResultDns
  • ResultScan
  • ResultTool
  • ResultUrl
  • ScanBasic
  • ScanQuery
  • Seekapp
  • SeekappSrch
  • SeekDns
  • SeekeenSrch
  • SeekService
  • SpaceQuery
  • TabDiscover
  • TabQuery
  • Weemi
  • WinkZink
  • Wyeke
  • Wyyo
  • ZinkSeek
  • Zinkzo
  • Zwangie
  • ZwangiSearch
  • ZwangiSrch
  • ZwankySearch
  • Zwunzi


For example:

  • Directory

    • %ProgramFiles%\Zwangi
    • %APPDATA%\Zwangi

  • Files

    • zwangi.dll
    • zwangi.exe
    • uninstall.exe

  • Directory

    • %ProgramFiles%\QuestBrwSearch
    • %APPDATA%\QuestBrwSearch

  • Files

    • questbrwsearch.dll
    • questbrwsearch.exe
    • uninstall.exe


Examples of the different names used by BrowserModifier:Win32/Zwangi, as shown in its Uninstall Wizards (screenshots not reproduced here).

It also drops the following file under the %APPDATA%\<Screen name> folder:

  • zwangi127.exe


The name of the initially dropped file also depends on the screen name and the software version; it uses the following format:

  • <Screen name><version>.exe

For example:

  • zwangi127.exe
  • questbrowse126.exe


Win32/Zwangi then creates the following registry entries as part of its installation routine:

In subkey: HKLM\Software\<Screen name>
Sets value: "Cid"
With data: " 15bf554626ae4a81a3a9a064ccdac23c"
Sets value: "DllPath"
With data: "%ProgramFiles%\<Screen name>\<Screen name>.dll"
Sets value: "Partner"
With data: "<Screen name><version>"
Sets value: "Primary"
With data: "23, 35, 00, 00"
Sets value: "ShowBarSign"
With data: "00, 00, 00, 00"
Sets value: "ShowToolbarButton"
With data: "00, 00, 00, 00"
Sets value: "Src"
With data: "<Screen name>"
Sets value: "Version"
With data: "1B, 00, 01, 00"

In subkey: HKLM\Software\Microsoft\Windows\Currentversion\Uninstall\<Screen name>
Sets value: "Display name "
With data: "<screen name> <version> <build number>"

Win32/Zwangi installs itself as a service by creating the following registry keys and its associated entries:

Adds subkey: HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_<Screen name>_SERVICE

In subkey: HKLM\SYSTEM\ControlSet001\Services\ZwangiSearch Service
Sets value: "Description"
With data: "Update and control for <Screen name>"
Sets value: "Display name"
With data: " <Screen name>Search Service"
Sets value: "ErrorControl"
With data: "00, 00, 00, 00"
Sets value: "ImagePath"
With data: "%APPDATA%\<Screen name>Search\<Screen name><version>.exe" "%ProgramFiles%\<Screen name>Search\<Screen name>.dll"
Sets value: "ObjectName"
With data: "LocalSystem"
Sets value: "Start"
With data: "02, 00, 00, 00"
Sets value: "Type"
With data: "10, 00, 00, 00"
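
The installation artefacts listed above (the <Screen name> directory and file naming, the HKLM\Software\<Screen name> key and its Uninstall entry, the LEGACY_<Screen name>_SERVICE enum key, and a service ImagePath that pairs <Screen name><version>.exe with <Screen name>.dll) lend themselves to a host-inventory check. The Python below is an added example, not Microsoft's or this page's own code: it runs over a constructed file, registry and service inventory, uses only a subset of the screen names listed above (plus "Zwangi" from the page's own example), and requires two independent evidence kinds before reporting a name as confirmed.

```python
import re

# Screen names copied from the list on this page (a subset, plus "Zwangi" from the
# page's own example); pass the full list to scan() for real use.
SCREEN_NAMES = ["Zwangi", "ZwangiSearch", "QuestBrwSearch", "QuestBrowse", "Weemi"]

def build_patterns(names):
    r"""Regexes for the artefacts described above: <name>\<name>[<version>].exe/.dll and
    Uninstall.exe, HKLM\Software\<name> (plus its Uninstall entry), the LEGACY_<name>_SERVICE
    enum key, and a service ImagePath pairing <name><version>.exe with <name>.dll."""
    alt = "|".join(re.escape(n) for n in names)
    return {
        "file": rf"\\(?P<name>{alt})\\(?:(?P=name)\d*\.(?:exe|dll)|uninstall\.exe)$",
        "config_key": rf"^HKLM\\Software\\(?:Microsoft\\Windows\\CurrentVersion\\Uninstall\\)?(?P<name>{alt})$",
        "legacy_enum": rf"^HKLM\\SYSTEM\\ControlSet\d{{3}}\\Enum\\Root\\LEGACY_(?P<name>{alt})_SERVICE$",
        "service": rf'"[^"]*\\(?P<name>{alt})\d+\.exe"\s+"[^"]*\\(?P=name)\.dll"',
    }

def scan(files, registry_keys, services, names=SCREEN_NAMES):
    """Return (evidence_kind, screen name, artefact) for every Zwangi-shaped artefact."""
    canon = {n.lower(): n for n in names}
    pats = {k: re.compile(v, re.I) for k, v in build_patterns(names).items()}
    candidates = ([("file", f) for f in files]
                  + [(k, key) for key in registry_keys for k in ("config_key", "legacy_enum")]
                  + [("service", p.get("ImagePath", "")) for p in services.values()])
    hits = []
    for kind, text in candidates:
        m = pats[kind].search(text)
        if m:
            hits.append((kind, canon[m.group("name").lower()], text))
    return hits

def confirmed(hits):
    """Names backed by two or more evidence kinds; a stray Uninstall.exe alone proves nothing."""
    kinds = {}
    for kind, name, _ in hits:
        kinds.setdefault(name, set()).add(kind)
    return {n: sorted(k) for n, k in kinds.items() if len(k) >= 2}

# Constructed host inventory (not real telemetry), shaped after the artefacts listed above.
SAMPLE_FILES = [r"C:\Program Files\Zwangi\zwangi.dll", r"C:\Program Files\Zwangi\Uninstall.exe",
                r"C:\Users\alice\AppData\Roaming\Zwangi\zwangi127.exe",
                r"C:\Program Files\QuestBrwSearch\questbrwsearch.exe",
                r"C:\Program Files\Notepad++\notepad++.exe"]  # benign, must not match
SAMPLE_KEYS = [r"HKLM\Software\Zwangi", r"HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZWANGI_SERVICE",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuestBrwSearch",
               r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]  # benign
SAMPLE_SERVICES = {"Spooler": {"ImagePath": r"C:\Windows\System32\spoolsv.exe"},  # benign
                   "ZwangiSearch Service": {"ImagePath": r'"C:\Users\alice\AppData\Roaming\ZwangiSearch'
                                                         r'\zwangi127.exe" "C:\Program Files\ZwangiSearch\zwangi.dll"'}}
```

Running `confirmed(scan(SAMPLE_FILES, SAMPLE_KEYS, SAMPLE_SERVICES))` on the constructed inventory reports Zwangi (file, config key, legacy enum key and service) and QuestBrwSearch (file and Uninstall entry), while the benign Notepad++, Run key and Spooler entries produce no hits.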

In the wild, we have observed Win32/Zwangi running on the following browsers:

  • Firefox 3.6
  • Google Chrome Beta
  • Internet Explorer 6
  • Internet Explorer 7
  • Internet Explorer 8

Program behavior

Modifies browsing behavior

When you enter keywords in the browser address bar, Win32/Zwangi treats the address bar as an Internet search box and opens a search results page on one of its own websites, such as the following:

  • questbrowse.com
  • weemi.com
  • zwangi.com


The address bar is the usual location in which the URL is typed.

Win32/Zwangi may also replace or override the error page that is normally displayed when the browser accesses a web address that cannot be resolved (HTTP error 404).

Displays pop-up messages

Win32/Zwangi may display pop-up messages related to the following keywords:

  • agent
  • agente
  • amo
  • amore
  • amour
  • arte
  • artes
  • arts
  • asta
  • auction
  • auktion
  • book
  • boutique
  • call
  • chat
  • chiesa
  • church
  • cia
  • ciao
  • ciaq
  • club
  • clube
  • compare
  • dds
  • deporte
  • ditta
  • dvd
  • eglise
  • enchere
  • escola
  • escuela
  • esporte
  • famiglia
  • familia
  • familie
  • famille
  • family
  • find
  • free
  • game
  • ges
  • gmbh
  • golf
  • gratis
  • gratuit
  • hola
  • iglesia
  • igreja
  • inc
  • jeu
  • jogo
  • juego
  • kids
  • kirche
  • kunst
  • laden
  • law
  • legge
  • lei
  • leilao
  • ley
  • liebe
  • llc
  • llp
  • loi
  • loja
  • love
  • ltd
  • makler
  • map
  • med
  • movie
  • mp3
  • phone
  • recht
  • reise
  • resto
  • school
  • schule
  • scifi
  • scuola
  • search
  • shop
  • soc
  • spiel
  • sport
  • stock
  • subasta
  • tec
  • tech
  • tel
  • test
  • tienda
  • travel
  • turismo
  • verein
  • viagem
  • viaje
  • video
  • voyage
  • weather
Analysis by Michael Johnson, Zarestel Ferrer & Wei Li

Last update 29 October 2012

 
