Adware.Zango.AN
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Adware.Zango.AN is also known as 180Solutions, 180SearchAssistant, Zango.
Explanation:
Adware.Zango is a potentially unwanted application with adware capabilities that runs in the background, monitors user search queries and displays ads based on them. It also installs a toolbar in Internet Explorer that changes its interface and displays links related to user searches.
However, the application comes with an EULA (license agreement) that explicitly specifies the software’s behavior; therefore, once the user has agreed to it, Zango cannot be held responsible for this software.
When installed, Adware.Zango performs the following actions:
1. Creates its install folder with one of the following names:
%program-files%\Zango
%program-files%\Seekmo
2. Creates the following files in the install dir:
bin\[version nr]\CoreSrv.dll
bin\[version nr]\HostIE.dll
bin\[version nr]\HostOE.dll
bin\[version nr]\HostOL.dll
bin\[version nr]\InstIE.dll
bin\[version nr]\OEAddOn.exe
bin\[version nr]\Srv.exe
bin\[version nr]\Toolbar.dll
bin\[version nr]\Wallpaper.dll
bin\[version nr]\[install-name]SA.exe
bin\[version nr]\[install-name]SAAX.dll
bin\[version nr]\[install-name]SADF.exe
bin\[version nr]\[install-name]SAHook.dll
bin\[version nr]\[install-name]UnInstaller.exe
bin\[version nr]\arrow.ico
bin\[version nr]\copyright.txt
bin\[version nr]\dBenderC.dll
bin\[version nr]\firefox\extensions\components\npclntax.xpt
bin\[version nr]\firefox\extensions\install.rdf
bin\[version nr]\firefox\extensions\plugins\npclntax_[install-name]SA.dll
3. Adds the following values:
“[install-name]OE” = “%program-files%\[install-name]\bin\[version-nr]\oeaddon.exe”
“[install-name]SA” = “%program-files%\[install-name]\bin\[version-nr]\[install-name]sa.exe”
to the registry subkey:
“HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”
4. Adds:
“[install-name]” = “%program-files%\[install-name]\bin\[version-nr]\hostie.dll”
as a CLSID to the registry subkeys:
“HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects”
“HKLM\Software\Microsoft\Internet Explorer\Toolbar”
5. Adds the following registry subkeys:
“HKCU\Software\[install-name]”
“HKCU\Software\[install-name]SA”
“HKLM\Software\[install-name]”
“HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\[install-name]”
“HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\[install-name]SA”
where:
[install-name] is either “Zango” or “Seekmo”.
%program-files% refers to the Program Files folder (default is: C:\Program Files).
Last update 21 November 2011
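
The folders, Run values, Internet Explorer add-on registrations and registry subkeys listed in this description can be checked on a host with a read-only PowerShell script. This is an added example, not BitDefender's code. It assumes the listed locations are ordinary backslash-separated Windows paths, and that a CLSID registered as a Browser Helper Object or toolbar resolves to its DLL through the standard COM InprocServer32 key, which the description does not state.

```powershell
# Added example: read-only check for the artifacts listed in this description.
$names = 'Zango', 'Seekmo'                      # [install-name] values
$found = New-Object System.Collections.Generic.List[string]

# Install folder and its bin\[version nr] subfolders
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    foreach ($n in $names) {
        $dir = Join-Path $root $n
        if (Test-Path -LiteralPath $dir) {
            $found.Add("Install folder: $dir")
            Get-ChildItem -LiteralPath (Join-Path $dir 'bin') -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { $found.Add("  version folder: $($_.FullName)") }
        }
    }
}

# Run values "[install-name]OE" and "[install-name]SA"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
foreach ($value in $names | ForEach-Object { "${_}OE", "${_}SA" }) {
    if ($run -and $run.PSObject.Properties[$value]) { $found.Add("Run value: $value = $($run.$value)") }
}

# CLSIDs registered as BHOs (subkey names) or IE toolbars (value names).
# Assumption: the CLSID itself is not given in the description, so each one is
# resolved to its DLL through the standard COM InprocServer32 default value.
$bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$bar = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
$clsids = @(Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })
$barKey = Get-Item -Path $bar -ErrorAction SilentlyContinue
if ($barKey) { $clsids += $barKey.GetValueNames() }
foreach ($id in $clsids | Where-Object { $_ -match '^\{.+\}$' } | Select-Object -Unique) {
    $srv = Get-Item -LiteralPath "HKLM:\Software\Classes\CLSID\$id\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { $srv.GetValue('') }
    if ($dll -match '\\(Zango|Seekmo)\\bin\\[^\\]+\\hostie\.dll$') { $found.Add("IE add-on: $id -> $dll") }
}

# Product and uninstall subkeys
foreach ($n in $names) {
    $keys = "HKCU:\Software\$n", "HKCU:\Software\${n}SA", "HKLM:\Software\$n",
            "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\$n",
            "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\${n}SA"
    foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { $found.Add("Registry key: $k") } }
}

if ($found.Count) { $found } else { 'No artifacts from this description were found.' }
```

On 64-bit Windows, run it from both the 64-bit and the 32-bit PowerShell host, because HKLM\Software entries written by 32-bit software can be redirected to WOW6432Node and are then not visible at these paths from the 64-bit view.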