
Trojan.Buenosearch


First posted on 10 March 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Buenosearch.

Explanation:

Once executed, the Trojan creates the following files:
%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ydui6lj.default\searchplugins\buenosearchkms.xml
%SystemDrive%\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3ydui6lj.default\searchplugins\MyOnlineSearch.xml
%SystemDrive%\Documents and Settings\Administrator\Application Data\BabSolution\Shared\BabMaint.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\BabSolution\Shared\BUSolution.dll
%SystemDrive%\Documents and Settings\Administrator\Application Data\BabSolution\Shared\GUninstaller.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\BabSolution\Shared\SetupParams.ini
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\app.ini
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\bEfQpjlb.dll
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\buenosearch.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\buenosetup.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\GUninstaller.exe
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\ieds.xml
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\mlRhbflk.dll
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\res.dll
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\rvt.js
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\serp.js
%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\sqlite.dll
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Bb1C.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Bb1C.tmp
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\BuenoSearch.exe
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\nsi1D.tmp\Registry.dll
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_f48.dat
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temp\SetupParams.ini
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\09E7C563\bi[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\09E7C563\buscts[1].zpb
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\09E7C563\dpk[1].js
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\09E7C563\GUninstaller_vt[1].zpb
%SystemDrive%\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\09E7C563\kmsbuenosearch[1].zpb
%Windir%\Prefetch\BABMAINT.EXE-2982DCC8.pf
%Windir%\Prefetch\BB1C.EXE-073CBA42.pf
%Windir%\Prefetch\BUENOSEARCH.EXE-2659BE66.pf
%Windir%\Prefetch\BUENOSEARCH.EXE-2E0FE336.pf
%Windir%\Prefetch\BUENOSEARCH_1.3.12.9_CN.EXE-087A759A.pf
%Windir%\Prefetch\BUENOSETUP.EXE-3A9AF093.pf
%Windir%\Prefetch\CA02657BC13BBD55D88E094399B9D-076FE53B.pf
%Windir%\Prefetch\DSEARCHLINK.EXE-1221C861.pf
%Windir%\Prefetch\GUNINSTALLER.EXE-2CEA4CFA.pf
%Windir%\Prefetch\RUNDLL32.EXE-3BA21BD4.pf
%Windir%\Prefetch\SCHTASKS.EXE-0CBF6A11.pf
%Windir%\Prefetch\SETUP.EXE-01E7FD2A.pf
%Windir%\Prefetch\SETUP.EXE-04533526.pf
%Windir%\Tasks\EPUpdater.job
The Trojan creates the following registry entry so that it runs every time Windows starts:
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Run\"Buenosearch" = "%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\buenosearch.exe"
The Trojan also creates the following registry entries:
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"buenosetup.exe" = "4A38"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\"buenosearch.exe" = "4A38"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\"DisplayName" = "Bueno Search"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\"URL" = "http://www.buenosearch.com/?q={searchTerms}&babsrc=SP_ss&mntrId=74470019B9098468&affID=128129&tsp=5547"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\"SuggestionsURLFallback" = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"DisplayName" = "Buenosearch"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"UninstallString" = ""%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\GUninstaller.exe" -rmbus buenosearch -nontfy -key "buenosearch""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"DisplayIcon" = ""%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\buenosetup.exe""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"Publisher" = "Buenosearch"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"NoModify" = "1"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"NoRepair" = "1"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch\"OrigUninstString" = ""%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\buenosetup.exe" /uninstl"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"APPORDR" = "CE86E6560D835DF0"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"prm1" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"prm2" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"prm3" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"prm4" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"prm5" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"country" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"lng" = ""
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\instl\data\"insllPgLoad" = "true"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Classes\keepmysearch\uninstl\"buenosearchkms" = "%SystemDrive%\Documents and Settings\Administrator\Application Data\buenosearch\buenosearch\1.3.12.9\buenosetup.exe"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\BabSolution\Updater\Instances\buenosearch\"Report" = "kms_bueno"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\BabSolution\Updater\"cr_ver" = "0"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\BabSolution\Updater\"Task_st" = "3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\"Tabs" = "res://ieframe.dll/tabswelcome.htm"
HKEY_USERS\S-1-5-21-3867651352-1424935759-6573989-500\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://www.buenosearch.com/?babsrc=HP_kms&affID=128129&tt=&mntrid=74470019B9098468&tsp=5547"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\"Tabs" = "http://www.buenosearch.com/?babsrc=NT_kms&affID=128129&tt=&mntrid=74470019B9098468&tsp=5547"
The Trojan then changes the browser settings on the compromised computer without the user's consent: as the registry entries above show, the default search provider, the start page and the new-tab page are all redirected to buenosearch.com.
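A host check for the persistence and browser-hijack entries listed above, added here as an example and not part of the Symantec writeup. The SID in the writeup belongs to Symantec's test machine, so the script walks every loaded user hive under HKEY_USERS instead; it assumes it is run elevated on the Windows host being examined, and the %APPDATA% file checks cover only the current user.

```powershell
# Added example, not part of the Symantec writeup: audit every loaded user hive plus HKLM
# for the persistence and browser-hijack entries this page lists. Run elevated on the host.
$Findings = @()
$Sids = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }

foreach ($Sid in $Sids) {
    $Base = "Registry::HKEY_USERS\$($Sid.PSChildName)"
    # 1. Run-key persistence: the page shows a value named "Buenosearch"
    $Run = Get-ItemProperty "$Base\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($Run -and $Run.PSObject.Properties.Name -contains 'Buenosearch') {
        $Findings += [pscustomobject]@{ Sid = $Sid.PSChildName; Type = 'Run key'; Detail = $Run.Buenosearch }
    }
    # 2. IE search provider: the CLSID on the page, or any scope whose URL points at buenosearch.com
    Get-ChildItem "$Base\Software\Microsoft\Internet Explorer\SearchScopes" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $Scope = Get-ItemProperty $_.PSPath
            if ($_.PSChildName -eq '{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}' -or $Scope.URL -match 'buenosearch\.com') {
                $Findings += [pscustomobject]@{ Sid = $Sid.PSChildName; Type = 'SearchScope'; Detail = $Scope.URL }
            }
        }
    # 3. Hijacked start page
    $Main = Get-ItemProperty "$Base\Software\Microsoft\Internet Explorer\Main" -ErrorAction SilentlyContinue
    if ($Main.'Start Page' -match 'buenosearch\.com') {
        $Findings += [pscustomobject]@{ Sid = $Sid.PSChildName; Type = 'Start Page'; Detail = $Main.'Start Page' }
    }
    # 4. Uninstall, updater and keepmysearch keys the page lists
    foreach ($Key in 'Software\Microsoft\Windows\CurrentVersion\Uninstall\buenosearch',
                     'Software\BabSolution\Updater', 'Software\Classes\keepmysearch') {
        if (Test-Path "$Base\$Key") {
            $Findings += [pscustomobject]@{ Sid = $Sid.PSChildName; Type = 'Key present'; Detail = $Key }
        }
    }
}
# Machine-wide: the page shows HKLM AboutURLs\Tabs redirected to buenosearch.com (new-tab hijack)
$Tabs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\AboutURLs' -ErrorAction SilentlyContinue).Tabs
if ($Tabs -match 'buenosearch\.com') {
    $Findings += [pscustomobject]@{ Sid = 'HKLM'; Type = 'AboutURLs\Tabs'; Detail = $Tabs }
}
# Scheduled-task job and application-data directories named on the page (APPDATA = current user only)
foreach ($Path in "$env:windir\Tasks\EPUpdater.job", "$env:APPDATA\buenosearch", "$env:APPDATA\BabSolution") {
    if (Test-Path $Path) {
        $Findings += [pscustomobject]@{ Sid = 'FS'; Type = 'Path present'; Detail = $Path }
    }
}
$Findings | Format-Table -AutoSize
```

An empty table means none of the listed indicators were found; any row is a lead to triage, with the Run key and SearchScope rows being the strongest signals.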

Last update 10 March 2015
