Home / malwarePDF  

Program:Win32/TopGuide


First posted on 14 January 2012.
Source: Microsoft

Aliases :

There are no other names known for Program:Win32/TopGuide.

Explanation :

Program:Win32/TopGuide is a Korean-language browser helper object (BHO) that monitors search keywords and may redirect search queries to targeted advertisments.

It can also update its files and communicate with a remote server without adequate user consent.


Top

Program:Win32/TopGuide is a Korean-language browser helper object (BHO) that monitors search keywords and may redirect search queries to targeted advertisments.

It can also update its files and communicate with a remote server without adequate user consent.

Installation

When installed, Program:Win32/TopGuide may create the following files:

  • %ProgramFiles%\SmartTool\adc.acc
  • %ProgramFiles%\SmartTool\SmartTool.dll
  • %ProgramFiles%\SmartTool\SmartTool.exe
  • %ProgramFiles%\SmartTool\Uninstall.exe


It may also create the following registry entries as part of its installation routine:

In subkey: HKCU\Software\SmartTool
Sets value: "id"
With data: "SM83"
Sets value: "version"
With data: "1.0.0.6"

In subkey: HKCR\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}
Sets value: "(Default)"
With data: "SmartToolCtl Class"

In subkey: HKCR\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\InprocServer32
Sets value: "(Default)"
With data: "%ProgramFiles%\SmartTool\SmartTool.dll"
Sets value: "ThreadingModel"
With data: "Apartment"

In subkey: HKCR\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\ProgID
Sets value: "(Default)"
With data: "SmartTool.SmartToolCtl.1"

In subkey: HKCR\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\TypeLib
Sets value: "(Default)"
With data: "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"

In subkey: HKCR\CLSID\{2D891923-34B7-4186-9B47-752624535DC1}\VersionIndependentProgID"
Sets value: "(Default)"
With data: "SmartTool.SmartToolCtl"

In subkey: HKCR\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}
Sets value: "(Default)"
With data: "ISmartToolCtl"

In subkey: HKCR\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid
Sets value: "(Default)"
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCR\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\ProxyStubClsid32
Sets value: "(Default)"
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCR\Interface\{0F67A437-3336-4B2E-B211-D5BD3C6F5461}\TypeLib
Sets value: "(Default)"
With data: "{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}"
Sets value: "Version"
With data: "1.0"

In subkey: HKCR\SmartTool.SmartToolCtl
Sets value: "(Default)"
With data: "SmartToolCtl Class"

In subkey: HKCR\SmartTool.SmartToolCtl\CLSID
Sets value: "(Default)"
With data: "{2D891923-34B7-4186-9B47-752624535DC1}"

In subkey: HKCR\SmartTool.SmartToolCtl\CurVer
Sets value: "(Default)"
With data: "SmartTool.SmartToolCtl.1"

In subkey: HKCR\SmartTool.SmartToolCtl.1
Sets value: "(Default)"
With data: "SmartToolCtl Class"

In subkey: HKCR\SmartTool.SmartToolCtl.1\CLSID
Sets value: "(Default)"
With data: "{2D891923-34B7-4186-9B47-752624535DC1}"

In subkey: HKCR\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0
Sets value: "(Default)"
With data: "SmartTool 1.0 Type Library"

In subkey: HKCR\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\0\win32
Sets value: "(Default)"
With data: "C:\Program Files\SmartTool\SmartTool.dll"

In subkey: HKCR\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\FLAGS
Sets value: "(Default)"
With data: "0"

In subkey: HKCR\TypeLib\{E97662C9-6D8A-47A6-BBF6-17730FEE28F0}\1.0\HELPDIR
Sets value: "(Default)"
With data: "C:\Program Files\SmartTool\"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SmartTool
Sets value: "DisplayName"
With data: "SmartTool"
Sets value: "UninstallString"
With data: "C:\Program Files\SmartTool\Uninstall.exe"

Program:Win32/TopGuide also creates the following registry entry so that it automatically runs at every Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "SmartTool"
With data: "%ProgramFiles%\SmartTool\SmartTool.exe"

It registers its dropped DLL file as a BHO by running the following command:

regsvr32 /s "C:\Program Files\SmartTool\SmartTool.dll"

Program:Win32/TopGuide also creates a mutex named "SmartTool".

Additional information

Program:Win32/TopGuide checks if Internet Explorer is open to a webpage whose URL contains any of the following strings:

  • .akmall.com/search/
  • .cjmall.com/prd/front/search/
  • .dnshop.com/front/search/
  • .egloos.com
  • .enuri.com/view
  • .gsshop.com/search/
  • .hmall.com/front/scSearchL.
  • .lotte.com/search/searchMain.
  • .lotteimall.com/search/
  • .nseshop.com/jsp/item/item_search.
  • .yeoin.com/search/
  • .yes24.com/searchCenter/searchResult.
  • .zeromarket.com/openMall/search/
  • 100.nate.com
  • 100.naver.com
  • academic.naver.com
  • adhow.daum.net
  • adshop.paran.com
  • ask.nate.com
  • blog.chosun.com
  • blog.daum.net
  • blog.paran.com
  • book.nate.com
  • book.naver.com
  • cafe.daum.net
  • clix.bizshop.daum.net
  • club.cyworld.com
  • comics.nate.com
  • cyworld.com
  • dic.paran.com
  • enc.daum.net
  • endic.naver.com
  • engdic.daum.net
  • engdic.nate.com
  • estate.nate.com
  • finance.naver.com
  • hankyung.com
  • imagesearch.naver.com
  • imnews.imbc.com
  • jpdic.daum.net
  • jpdic.naver.com
  • k.daum.net
  • keywordshop.nate.com
  • ko.wikipedia.org
  • kordic.nate.com
  • kr.blog.yahoo.com
  • kr.dictionary.search.yahoo.com
  • kr.finance.yahoo.com
  • kr.fun.yahoo.com
  • kr.gugi.yahoo.com
  • kr.img.search.yahoo.com
  • kr.ks.yahoo.com
  • kr.news.yahoo.com
  • kr.product.shopping.yahoo.com
  • krdic.daum.net
  • krdic.naver.com
  • local.naver.com
  • mall.shinsegae.com/search/
  • map.cyworld.com
  • map.naver.com
  • media.daum.net
  • media.paran.com
  • mm.search.nate.com
  • movie.naver.com
  • music.naver.com
  • news.donga.com
  • news.nate.com
  • news.naver.com
  • olv.moazine.com
  • q.freechal.com
  • report.paran.com
  • review.nate.com
  • search.daum.net
  • search.dcinside.com/?
  • search.nate.com
  • search.naver.com
  • search.paran.com
  • search.yahoo.com
  • searchad.naver.com
  • shopping.daum.net
  • tourguide.tourexpress.com
  • tvpot.daum.net
  • video.cyworld.com
  • video.naver.com
  • www.aladdin.co.kr
  • www.hanatour.com
  • www.mgoon.com


If Internet Explorer is open to a website containing any of these strings in the URL then Program:Win32/TopGuide attempts to determine the keyword based on the URL. If found, it sends this keyword to an advertisement server as in the following format, possibly resulting in the redirection of the search result:

http://topguide.co.kr/bar.asp?k=%s&id=%s&m=%s

Program:Win32/TopGuide attempts to check and install newer versions by connecting to the server "sm.plustab.co.kr".



Analysis by Mihai Calota

Last update 14 January 2012

 

TOP

Malware :