Trojan:Win32/Msidebar.C


First posted on 02 October 2012.
Source: Microsoft

Aliases:

Trojan:Win32/Msidebar.C is also known as Win32/Msidebar.A trojan (ESET).

Explanation:

Trojan:Win32/Msidebar.C is a trojan that registers itself as a BHO (Browser Helper Object). It may monitor a user's browsing habits and display pop-up advertisements.



Installation

Trojan:Win32/Msidebar is installed silently without user consent. When run, it drops the following files:

  • %ProgramFiles%\isearchplus\isearchsrvplus.dll - detected as Trojan:Win32/Msidebar.C
  • %ProgramFiles%\isearchplus\isearchsrvplus.exe - detected as Trojan:Win32/Msidebar.C
  • %ProgramFiles%\isearchplus\pawinsearch.dll - detected as Trojan:Win32/Msidebar.A


It registers its DLL component as a BHO by creating the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DF9BF184-A254-4E65-A9DE-D9377F1671B5}
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\isearchplus 1.00
Sets value: "DisplayName"
With data: "isearchplus 1.00"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{92F1A805-5D8D-4EC8-BC31-8BFC4B3E3CED}\5.0
Sets value: "(default)"
With data: "searchadvancedplus"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{92F1A805-5D8D-4EC8-BC31-8BFC4B3E3CED}\5.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{92F1A805-5D8D-4EC8-BC31-8BFC4B3E3CED}\5.0\win32
Sets value: "(default)"
With data: "%ProgramFiles%\isearchplus\isearchsrvplus.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{92F1A805-5D8D-4EC8-BC31-8BFC4B3E3CED}\5.0\HELPDIR
Sets value: "(default)"
With data: "%ProgramFiles%\isearchplus"

In subkey: HKLM\SOFTWARE\Classes\Interface\{FAB6C28B-EC8B-4615-B4D6-DB96365C9967}
Sets value: "(default)"
With data: "_isearchsrvplus"

In subkey: HKLM\SOFTWARE\Classes\Interface\{FAB6C28B-EC8B-4615-B4D6-DB96365C9967}\TypeLib
Sets value: "(default)"
With data: "{92f1a805-5d8d-4ec8-bc31-8bfc4b3e3ced}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}
Sets value: "(default)"
With data: "searchadvancedplus.isearchsrvplus"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}\ProgID
Sets value: "(default)"
With data: "searchadvancedplus.isearchsrvplus"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}\InprocServer32
Sets value: "(default)"
With data: "%ProgramFiles%\isearchplus\isearchsrvplus.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}\TypeLib
Sets value: "(default)"
With data: "{92f1a805-5d8d-4ec8-bc31-8bfc4b3e3ced}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}\VERSION
Sets value: "(default)"
With data: "5.0"

In subkey: HKLM\SOFTWARE\Classes\searchadvancedplus.isearchsrvplus
Sets value: "(default)"
With data: "searchadvancedplus.isearchsrvplus"

In subkey: HKLM\SOFTWARE\Classes\searchadvancedplus.isearchsrvplus\Clsid
Sets value: "(default)"
With data: "{6d78e773-9f0d-4ae4-b5b5-eb57dc5e46bd}"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{FF8E61EC-A784-4DAA-B7CC-DD06F0C0431E}\7.0
Sets value: "(default)"
With data: "pawinsearchprg"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{FF8E61EC-A784-4DAA-B7CC-DD06F0C0431E}\7.0\FLAGS
Sets value: "(default)"
With data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{FF8E61EC-A784-4DAA-B7CC-DD06F0C0431E}\7.0\0\win32
Sets value: "(default)"
With data: "%ProgramFiles%\isearchplus\pawinsearch.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{FF8E61EC-A784-4DAA-B7CC-DD06F0C0431E}\7.0\HELPDIR
Sets value: "(default)"
With data: "%ProgramFiles%\isearchplus"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1696BDA0-397D-4A04-AAF5-8E75B56AA3C4}
Sets value: "(default)"
With data: "_pawinsearch"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1696BDA0-397D-4A04-AAF5-8E75B56AA3C4}\TypeLib
Sets value: "(default)"
With data: "{ff8e61ec-a784-4daa-b7cc-dd06f0c0431e}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{DF9BF184-A254-4E65-A9DE-D9377F1671B5}
Sets value: "(default)"
With data: "pawinsearchprg.pawinsearch"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{DF9BF184-A254-4E65-A9DE-D9377F1671B5}\ProgID
Sets value: "(default)"
With data: "pawinsearchprg.pawinsearch"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{DF9BF184-A254-4E65-A9DE-D9377F1671B5}\InprocServer32
Sets value: "(default)"
With data: "%ProgramFiles%\isearchplus\pawinsearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{DF9BF184-A254-4E65-A9DE-D9377F1671B5}\TypeLib
Sets value: "(default)"
With data: "{ff8e61ec-a784-4daa-b7cc-dd06f0c0431e}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{DF9BF184-A254-4E65-A9DE-D9377F1671B5}\VERSION
Sets value: "(default)"
With data: "7.0"

In subkey: HKLM\SOFTWARE\Classes\pawinsearchprg.pawinsearch
Sets value: "(default)"
With data: "pawinsearchprg.pawinsearch"

In subkey: HKLM\SOFTWARE\Classes\pawinsearchprg.pawinsearch\Clsid
Sets value: "(default)"
With data: "{df9bf184-a254-4e65-a9de-d9377f1671b5}"

Additional information

Trojan:Win32/Msidebar.C may monitor your browsing habits and display pop-up advertisements. It attempts to connect to "search.isearch.or.kr" over TCP port 80 to retrieve additional configuration information.

At the time of this writing, this server is not accessible.
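The file, registry and network indicators above can be turned into a host triage check. The script below is an added example written for this page, not Microsoft's tooling; it transcribes the indicators from the Installation and Additional information sections, and everything else in it (the WOW6432Node and %ProgramFiles(x86)% variants for 64-bit Windows, the DNS-cache lookup, the generic "any BHO loading from the isearchplus folder" rule) is an assumption added here rather than something the write-up states. Run it from an elevated PowerShell session.

```powershell
# Added triage script for Trojan:Win32/Msidebar.C indicators (not from the write-up).
# Indicator lists are transcribed from the page; 64-bit registry/file views and the
# DNS-cache check are additions assumed useful on modern Windows.

$BhoClsids = @(
    '{6D78E773-9F0D-4AE4-B5B5-EB57DC5E46BD}',   # registered for isearchsrvplus.dll
    '{DF9BF184-A254-4E65-A9DE-D9377F1671B5}'    # registered for pawinsearch.dll
)
$DroppedFiles = @(
    '%ProgramFiles%\isearchplus\isearchsrvplus.dll',
    '%ProgramFiles%\isearchplus\isearchsrvplus.exe',
    '%ProgramFiles%\isearchplus\pawinsearch.dll'
)
$UninstallSubkey = 'Microsoft\Windows\CurrentVersion\Uninstall\isearchplus 1.00'
$IndicatorHost   = 'search.isearch.or.kr'

$Findings = New-Object System.Collections.Generic.List[string]

# Native view plus the 32-bit view on 64-bit Windows (assumption: the page lists only HKLM\SOFTWARE).
$SoftwareRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')

foreach ($root in $SoftwareRoots) {
    $bhoRoot = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    if (Test-Path -LiteralPath $bhoRoot) {
        # Enumerate every registered BHO, not only the two known CLSIDs, and resolve
        # each one to its InprocServer32 DLL so a renamed component is still noticed.
        foreach ($bho in Get-ChildItem -LiteralPath $bhoRoot) {
            $clsid = $bho.PSChildName
            $dll = $null
            foreach ($classes in @("$root\Classes\CLSID", 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')) {
                $serverKey = "$classes\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $serverKey) {
                    $dll = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
                    if ($dll) { break }
                }
            }
            if ($BhoClsids -contains $clsid) {
                $Findings.Add("Known Msidebar BHO CLSID registered: $clsid -> $dll")
            } elseif ($dll -and $dll -match '\\isearchplus\\') {
                # Heuristic added here: any BHO served from the dropped-file folder.
                $Findings.Add("BHO loading from isearchplus folder: $clsid -> $dll")
            }
        }
    }

    $uninstall = "$root\$UninstallSubkey"
    if (Test-Path -LiteralPath $uninstall) {
        $Findings.Add("Uninstall entry present: $uninstall")
    }
}

# Dropped files, checked in both Program Files folders on 64-bit Windows.
foreach ($pattern in $DroppedFiles) {
    $candidates = @($pattern, ($pattern -replace '%ProgramFiles%', '%ProgramFiles(x86)%'))
    foreach ($candidate in $candidates) {
        $path = [Environment]::ExpandEnvironmentVariables($candidate)
        if ($path -like '*%*') { continue }   # variable not defined on this host
        if (Test-Path -LiteralPath $path) {
            $Findings.Add("Dropped file present: $path")
        }
    }
}

# Network indicator: the write-up names search.isearch.or.kr over TCP 80. A cached
# DNS answer shows a recent resolution attempt. Get-DnsClientCache exists on
# Windows 8 / Server 2012 and later, so it is skipped where unavailable.
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $hits = Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$IndicatorHost*" }
    foreach ($hit in $hits) {
        $Findings.Add("DNS cache entry for indicator host: $($hit.Entry) -> $($hit.Data)")
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "No Trojan:Win32/Msidebar.C indicators found on this host."
} else {
    Write-Output "Trojan:Win32/Msidebar.C indicators found ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Matching on the BHO CLSIDs is the most durable check here: the CLSID under Browser Helper Objects is what Internet Explorer loads, so it must be present for the component to run, while the file names and the uninstall entry can change between samples. Resolving every registered BHO to its DLL path also gives you a quick review of all browser extensions on the host, which is the habit worth keeping beyond this one family.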



Analysis by Wei Li

Last update 02 October 2012
