BrowserModifier:Win32/BaiduSobar


First posted on 23 August 2019.
Source: Microsoft

Aliases :

BrowserModifier:Win32/BaiduSobar is also known as Adware-BDSearch, W32/BaiduBar.A, ADW_BAIDUBAR.

Explanation :

BrowserModifier:Win32/BaiduSobar is a Web browser toolbar that delivers pop-up and contextual advertisements, blocks certain other advertisements, and changes the Internet Explorer search page. BrowserModifier:Win32/BaiduSobar may also prevent removal by the user by protecting its installed files and registry keys.

When BrowserModifier:Win32/BaiduSobar is run, it performs the following actions:

Creates a folder named 'baidu' in the %ProgramFiles% folder.

Creates additional subfolders and drops files within those folders:
%ProgramFiles%\baidu\bar\baidubar.dat
%ProgramFiles%\baidu\bar\BaiduBar.dll
%ProgramFiles%\baidu\bar\BDBar_tmp\baidubar.dat
%ProgramFiles%\baidu\bar\BDBar_tmp\img\imglist.bmp
%ProgramFiles%\baidu\bar\BDBar_tmp\img\logo.bmp
%ProgramFiles%\baidu\bar\img\imglist.bmp
%ProgramFiles%\baidu\bar\img\logo.bmp
%ProgramFiles%\baidu\bar\BDBar_tmp\baidubar.dat
%ProgramFiles%\baidu\bar\BDBar_tmp\BaiduBar.dll
%ProgramFiles%\baidu\bar\BDBar_tmp\BaiduBar.dll
%ProgramFiles%\baidu\bar\BDBar_tmp\img\imglist.bmp

Creates .URL files within the %ALLUSERSPROFILE%\Start Menu\Programs folder.

Modifies the registry to run BrowserModifier:Win32/BaiduSobar as a browser helper object (BHO):

Adds values:
{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\(Default)
{7C76C055-ED6E-4535-A70F-CD476E727F67}\InprocServer32\(Default)
{A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\(Default)
{B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32\(Default)
{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32\(Default)
With data: %ProgramFiles%\baidu\bar\BaiduBar.dll
To subkey: HKEY_CLASSES_ROOT\CLSID

Adds value: {77FEF28E-EB96-44FF-B511-3185DEA48697}\id
With data: bdbar
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Adds value: {B580CF65-E151-49C3-B73F-70B13FCA8E86}
With data: 0
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar

Modifies the registry with settings related to the functionality of BrowserModifier:Win32/BaiduSobar:

Adds values:
version
RunState
With data: 0x0

Adds values:
SearchBoxMode
ShowState
DisplayMode
DisplayLineMode
With data: 0x1
To subkey: HKEY_CURRENT_USER\Software\Baidu\BaiduBar

Adds values:
AllVoice_State
AllFlash_State
AllPic_State
With data: 0x0
To subkey: HKEY_CURRENT_USER\Software\Baidu\BaiduBar\NoAD

Modifies the registry to instruct BrowserModifier:Win32/BaiduSobar to allow advertisements from specific Web sites whose source URL may include any of the following strings:
*.hao123.com*
*.baidu.com*

Modifies the registry to instruct BrowserModifier:Win32/BaiduSobar to disallow advertisements from specific Web sites whose source URL may include any of the following strings:
*/ad.*
*/imgad/*
http://ad[0-9].*
http://ads.
*banner.*
*/advpic*
*doubleclick.*
*/ad/*
*/banner_img/*
*/adbanners*
*cnsmin.3721.com/*
*/adv/*
*/images_ad/*
*/ads/*
*/advlink/*
*/banner*
http://ad.*
*banners/*
*/adImages/*
*.swf[a-z]*
*images.sohu.com/cs/button/*

Modifies the registry to alter the search settings used by Internet Explorer:

Adds values:
CustomizeSearch_sb
SearchAssistant_sb
With data: http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

Adds values:
CustomizeSearch
SearchAssistant
With data: http://bar.baidu.com/sobar/defaultsearch.html
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search

Downloads a kernel mode driver that protects its files and registry keys from being removed.
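The following read-only PowerShell check is an added example and not part of the Microsoft writeup. It looks for the registry and file artifacts listed above (the CLSIDs, the BHO, toolbar and IE search keys, the HKCU\Software\Baidu keys, and the dropped DLL) so an administrator can confirm or rule out the toolbar on a host before cleaning it. The backslash-separated paths are reconstructed from the writeup; the 32-bit `Program Files (x86)` location is an assumption added for 64-bit hosts.

```powershell
# Added example (not from the Microsoft writeup): read-only check for the
# BrowserModifier:Win32/BaiduSobar artifacts described above. Run elevated;
# it removes nothing and only reports what it finds.

# CLSIDs the writeup says are registered under HKCR\CLSID and used for the BHO/toolbar.
$Clsids = @(
    '{77FEF28E-EB96-44FF-B511-3185DEA48697}',
    '{7C76C055-ED6E-4535-A70F-CD476E727F67}',
    '{A7F05EE4-0426-454F-8013-C41E3596E9E9}',
    '{B580CF65-E151-49C3-B73F-70B13FCA8E86}',
    '{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}'
)

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. COM registration: HKCR\CLSID\{...}\InprocServer32 (Default) -> BaiduBar.dll
foreach ($clsid in $Clsids) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    if (Test-Path -Path $key) {
        $server = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        $Findings.Add("COM server $clsid -> $server")
    }
}

# 2. BHO registration (subkey per CLSID) and toolbar registration (value per CLSID)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($clsid in $Clsids) {
    if (Test-Path -Path "$bhoKey\$clsid") { $Findings.Add("BHO registered: $clsid") }
}
$toolbar = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
foreach ($clsid in $Clsids) {
    if ($toolbar -and ($toolbar.PSObject.Properties.Name -contains $clsid)) {
        $Findings.Add("Toolbar registered: $clsid")
    }
}

# 3. Hijacked IE search settings pointing at bar.baidu.com
$search = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Search' -ErrorAction SilentlyContinue
foreach ($name in 'CustomizeSearch', 'SearchAssistant') {
    $val = if ($search) { $search.$name } else { $null }
    if ($val -and ($val -like '*bar.baidu.com/sobar*')) { $Findings.Add("IE search $name -> $val") }
}

# 4. Per-user configuration keys written by the toolbar
foreach ($k in 'HKCU:\Software\Baidu\BaiduBar', 'HKCU:\Software\Baidu\BaiduBar\NoAD') {
    if (Test-Path -Path $k) { $Findings.Add("Config key present: $k") }
}

# 5. Dropped DLL; the (x86) root is an assumption for 64-bit hosts, not from the writeup
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    $dll = Join-Path -Path $root -ChildPath 'baidu\bar\BaiduBar.dll'
    if (Test-Path -Path $dll) { $Findings.Add("Dropped file: $dll") }
}

if ($Findings.Count -eq 0) { 'No BaiduSobar artifacts found.' } else { $Findings }
```

On a 64-bit Windows host a 32-bit toolbar's CLSID and BHO entries may sit under the `Wow6432Node` branches instead of the paths checked here, so extend the key list accordingly if the DLL is found but no registry hits appear. Because the writeup says a kernel-mode driver guards the files and keys, a clean result from a removal tool should be re-verified with this kind of check after a reboot.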

Last update 23 August 2019

 

TOP