
BrowserModifier:Win32/PoinBag


First posted on 28 September 2011.
Source: SecurityHome

Aliases:

BrowserModifier:Win32/PoinBag is also known as ADSPY/Agent.uuf (Avira), Application.Generic.345990 (BitDefender), Win32/Adware.Interpop.A (ESET), not-a-virus:AdWare.Win32.Agent.uuf (Kaspersky), Trojan.Gen.2 (Symantec), Poinbag BHO (other).

Explanation:

BrowserModifier:Win32/Poinbag is a Browser Helper Object (BHO) that communicates with a remote server without adequate user consent and may display contextual advertisements during browser sessions in which Yahoo! or Google search is used.

Installation
Win32/Poinbag may be present as the following file:

  • %APPDATA%\pointbag_hidden.exe


When run, it modifies the registry so that the dropped file is launched once more at the next logon (RunOnce entries are executed once and then removed):

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "pointbag_shop_sv"
With data: "%APPDATA%\pointbag_hidden.exe"

Additional registry data is created in the following subkeys:

HKCR\CLSID\{E2E7733E-F86C-4A47-BEF1-7A6268831EE1}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2E7733E-F86C-4A47-BEF1-7A6268831EE1}
HKCR\poinbag.poinbagBho.1
HKCR\poinbag.poinbagBho

When the above file runs, it registers Win32/Poinbag as a BHO so that the component is loaded each time Internet Explorer (IE) is launched. On launch, Win32/Poinbag contacts the server "pointbag.kr" to report its installation.

While the user searches with Yahoo! or Google, Win32/Poinbag may display various advertisements.
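The following PowerShell script is an added example, not part of the original page or of any vendor tooling: it checks a host for the file, RunOnce value and COM/BHO registry keys listed above and reports what it finds without deleting anything. The CLSID, ProgIDs, value name and file path are taken from the description; the Wow6432Node BHO key is an assumption added here because 32-bit IE on 64-bit Windows reads BHO registrations from that redirected key, which the page does not mention.

```powershell
# Added example, not from the original page: report-only check for the
# Win32/Poinbag indicators listed in the description above.
# Assumption: the Wow6432Node BHO key is included for 32-bit IE on 64-bit
# Windows; the page itself lists only the native key.

$clsid   = '{E2E7733E-F86C-4A47-BEF1-7A6268831EE1}'
$bhoKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)

# HKCR is not a default PowerShell drive, so reach it through the Registry:: provider path.
$keys = $bhoKeys + @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    'Registry::HKEY_CLASSES_ROOT\poinbag.poinbagBho.1',
    'Registry::HKEY_CLASSES_ROOT\poinbag.poinbagBho'
)

$hits = @()

# 1. Dropped file in %APPDATA%
$file = Join-Path $env:APPDATA 'pointbag_hidden.exe'
if (Test-Path -LiteralPath $file) {
    $hits += [pscustomobject]@{
        Type = 'File'; Location = $file
        Detail = "size=$((Get-Item -LiteralPath $file).Length)"
    }
}

# 2. RunOnce value that relaunches the dropped file
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$val = Get-ItemProperty -LiteralPath $runOnce -Name 'pointbag_shop_sv' -ErrorAction SilentlyContinue
if ($val) {
    $hits += [pscustomobject]@{
        Type = 'RunOnce'; Location = "$runOnce\pointbag_shop_sv"
        Detail = $val.pointbag_shop_sv
    }
}

# 3. COM/BHO registration keys. For the CLSID key also read InprocServer32,
#    whose default value names the DLL that IE will load as the BHO.
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $detail = ''
        $inproc = Get-ItemProperty -LiteralPath "$k\InprocServer32" -ErrorAction SilentlyContinue
        if ($inproc) { $detail = $inproc.'(default)' }
        $hits += [pscustomobject]@{ Type = 'Registry'; Location = $k; Detail = $detail }
    }
}

if ($hits.Count -eq 0) {
    'No Win32/Poinbag indicators found.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from a 64-bit PowerShell session so that HKLM\SOFTWARE is not silently redirected to Wow6432Node, and from an elevated prompt if the BHO keys are ACL-protected. Because RunOnce entries are deleted after they execute, an absent value does not rule out an infection; the CLSID and BHO keys are the more durable indicators, and the InprocServer32 path they point to is what to collect for analysis before removal. Outbound DNS or proxy logs for "pointbag.kr" give a network-side confirmation that the host-side checks do not.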



Analysis by Stefan Sellmer

Last update 28 September 2011
