
BrowserModifier:Win32/BaiduSP


First posted on 01 July 2013.
Source: Microsoft

Aliases:

BrowserModifier:Win32/BaiduSP is also known as Trojan.BHO.ODX (BitDefender), Adware.ClickDLoader (Symantec), ADW_CLICKDLOADER (Trend Micro).

Explanation:

This browser modifier is a .dll file that redirects your Internet search results without your consent. Your search results from the address bar and "page not found" errors are redirected to baidu.com.

We have also seen a copy of the browser modifier try to download the Baidu Toolbar without consent.
Installation

BrowserModifier:Win32/BaiduSP is installed on your computer as the following files:

  • %ProgramFiles%\snav\snav.dll
  • %system32%\snav.dll
BrowserModifier:Win32/BaiduSP creates the following registry subkeys to install itself as a Browser Helper Object (BHO) that is loaded automatically every time Internet Explorer is run:

  • HKLM\SOFTWARE\Classes\Snav.SearchHook
  • HKLM\SOFTWARE\Classes\Snav.SearchHook.1
  • HKLM\SOFTWARE\Classes\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}
  • HKLM\SOFTWARE\Classes\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}
  • HKLM\SOFTWARE\Classes\Snav.JsObject
  • HKLM\SOFTWARE\Classes\Snav.JsObject.1
  • HKLM\SOFTWARE\Classes\TypeLib\{4F87EBCD-FBF4-4ADD-980A-D9EDC6C8FDE5}
  • HKLM\SOFTWARE\Classes\Interface\{65D94F33-028B-4CD1-8A89-E6E3129C90B0}
  • HKLM\SOFTWARE\Classes\Interface\{A9DFC1C4-7AB1-4B54-AC5B-F7093C9BB8D3}
  • HKCU\Software\Snav\iexp

Payload

Modifies System Settings

BrowserModifier:Win32/BaiduSP prevents the system from establishing a dial-up Internet connection to an Internet Service Provider (ISP) by setting the following registry value:

Adds value: "LoginSessionDisable"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\RAS Autodial\Control

It may monitor the URLs accessed by Internet Explorer and send this information to a remote server. It may also hijack Internet Explorer's search functionality to redirect all user searches to Baidu. It may also modify the Internet Explorer default search engine and default start page to Baidu-affiliated pages. It may prevent itself from being removed by communicating with its device driver component.
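As an added example (not part of the Microsoft write-up), the following Python script checks a Windows .reg export for the registry indicators listed above, including the RAS Autodial value; the sample export it runs on is constructed, and the script assumes an export produced by `reg export` or Registry Editor.

```python
# Registry indicators from the write-up above, written with the full hive names used in
# a .reg export. The versioned ProgIDs and TypeLib/Interface GUIDs can be added the same way.
BAIDUSP_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Snav.SearchHook",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Snav.JsObject",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{91A9D6D5-AFEE-4748-82D7-737A523F63D5}",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}",
    r"HKEY_CURRENT_USER\Software\Snav\iexp",
}
RAS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS Autodial\Control"

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]                      # "[HKEY_...\Key]" header
            keys.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")       # "Name"=dword:00000001 or @="x"
            keys[current][name.strip('"')] = data
    return keys

def find_baidusp_indicators(reg_text):
    """Return the write-up's indicators present in the export (key paths are case-insensitive)."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    hits = [ioc for ioc in BAIDUSP_KEYS          # a key counts if it or any subkey of it exists
            if any(k == ioc.lower() or k.startswith(ioc.lower() + "\\") for k in keys)]
    ras = keys.get(RAS_KEY.lower(), {})
    if ras.get("LoginSessionDisable", "").lower() == "dword:00000001":
        hits.append(RAS_KEY + " LoginSessionDisable=1")   # the dial-up blocking value
    return sorted(hits)

# Constructed sample export (not a real capture) containing two of the indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Snav.SearchHook\CLSID]
@="{635A7AFA-FB22-4A4E-8AB8-C85CFAB14626}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAS Autodial\Control]
"LoginSessionDisable"=dword:00000001
"""

if __name__ == "__main__":
    for hit in find_baidusp_indicators(SAMPLE_REG):
        print("indicator present:", hit)
```

Run it against an export of HKLM\SOFTWARE and HKCU\Software from the host under review; the file indicators (snav.dll under %ProgramFiles%\snav and %system32%) still need a separate file-system check.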

Analysis by Shawn Wang

Last update 01 July 2013
