
Adware:Win32/InfoTab


First posted on 23 August 2011.
Source: SecurityHome

Aliases :

There are no other names known for Adware:Win32/InfoTab.

Explanation :

Adware:Win32/InfoTab is a program that collects browsing data and monitors search keywords, which it then uses to serve targeted advertising to the affected user.

It also updates files, downloads other files, and communicates with a remote server without adequate user consent.





Installation

Upon installation, Adware:Win32/InfoTab drops the following files on the computer:

  • %ProgramFiles%\InfoTab\adc.dll
  • %ProgramFiles%\InfoTab\InfoTab.dll
  • %ProgramFiles%\InfoTab\InfoTab.exe
  • %ProgramFiles%\InfoTab\uninstall.exe


Adware:Win32/InfoTab creates the following subkeys:

  • HKCU\Software\InfoTab
  • HKLM\SOFTWARE\Classes\InfoTab.InfoTabCtl
  • HKLM\SOFTWARE\Classes\InfoTab.InfoTabCtl.1
  • HKLM\SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}
  • HKLM\SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InfoTab
  • HKLM\SOFTWARE\Classes\AppID\InfoTab.DLL
  • HKLM\SOFTWARE\Classes\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}
  • HKLM\SOFTWARE\Classes\AppID\{C958CEF3-2ADB-4322-9B48-A3F61D95B723}


It also adds the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "InfoTab"
With data: "%ProgramFiles%\infotab\infotab.exe"

It also adds the following subkey, value, and data to create an uninstall entry in the Add/Remove Programs list:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InfoTab
Sets value: "UninstallString"
With data: "%ProgramFiles%\infotab\uninstall.exe"

Adware:Win32/InfoTab creates the mutex "InfoTab".

After it completes installation, Adware:Win32/InfoTab reports the following information to the server "infotab.co.kr":

  • Program version
  • Computer's MAC address
  • Computer's ID


It also downloads the configuration file "PlusTab.ini" from the same server without the user's knowledge.
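The installation artefacts above can be turned directly into a host triage check. The script below is an added example, not code from the advisory or from the adware itself: it takes the file names, registry keys, Run value and mutex name from the listing, and additionally checks the 32-bit-on-64-bit locations (%ProgramFiles(x86)% and the Wow6432Node registry view) that a 2011-era 32-bit installer would use on a 64-bit Windows, which the write-up does not mention. The registry and mutex checks run only on Windows; elsewhere only the file paths are tested and the scan reports nothing.

```python
"""Added host-triage script (not from the advisory): checks a Windows host for
the InfoTab file, registry, Run-key and mutex artefacts listed above. On a
non-Windows system only the file paths are tested (and will not exist), so the
scan returns nothing there.
"""
import os
import sys

IS_WINDOWS = sys.platform == "win32"

DROPPED_FILES = ["adc.dll", "InfoTab.dll", "InfoTab.exe", "uninstall.exe"]

# (hive, subkey) pairs exactly as listed in the write-up
REGISTRY_KEYS = [
    ("HKCU", r"Software\InfoTab"),
    ("HKLM", r"SOFTWARE\Classes\InfoTab.InfoTabCtl"),
    ("HKLM", r"SOFTWARE\Classes\InfoTab.InfoTabCtl.1"),
    ("HKLM", r"SOFTWARE\Classes\TypeLib\{13632FB5-3578-4CDA-8824-D5A7B94C3CC1}"),
    ("HKLM", r"SOFTWARE\Classes\Interface\{2DBFA4B9-874D-4899-A36A-AB7F5723B5E1}"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InfoTab"),
    ("HKLM", r"SOFTWARE\Classes\AppID\InfoTab.DLL"),
    ("HKLM", r"SOFTWARE\Classes\CLSID\{48F1AF48-D3C1-4980-8936-2606884FA24D}"),
    ("HKLM", r"SOFTWARE\Classes\AppID\{C958CEF3-2ADB-4322-9B48-A3F61D95B723}"),
]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "InfoTab"
MUTEX_NAME = "InfoTab"


def candidate_dirs():
    """InfoTab folders under both Program Files roots: a 32-bit installer on
    64-bit Windows lands in %ProgramFiles(x86)%, not %ProgramFiles%."""
    roots = {os.environ.get("ProgramFiles", r"C:\Program Files"),
             os.environ.get("ProgramFiles(x86)", r"C:\Program Files (x86)")}
    return [os.path.join(root, "InfoTab") for root in sorted(roots)]


def check_files():
    found = []
    for d in candidate_dirs():
        for name in DROPPED_FILES:
            path = os.path.join(d, name)
            if os.path.isfile(path):
                found.append(("file", path))
    return found


def check_registry():
    if not IS_WINDOWS:
        return []
    import winreg  # Windows-only module, imported lazily
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    # HKLM\SOFTWARE is WOW64-redirected: a 32-bit installer writes under
    # Wow6432Node, so query both views. HKCU\Software is not redirected.
    views = [("64-bit", winreg.KEY_WOW64_64KEY), ("32-bit", winreg.KEY_WOW64_32KEY)]
    found = []
    for hive, subkey in REGISTRY_KEYS:
        for view, flag in (views if hive == "HKLM" else [("native", 0)]):
            try:
                with winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_READ | flag):
                    found.append(("registry", f"{hive}\\{subkey} ({view} view)"))
            except OSError:
                pass  # key absent in this view
    for view, flag in views:
        try:
            with winreg.OpenKey(hives["HKLM"], RUN_KEY, 0, winreg.KEY_READ | flag) as k:
                data, _ = winreg.QueryValueEx(k, RUN_VALUE)
                found.append(("run-key", f"{RUN_VALUE} = {data} ({view} view)"))
        except OSError:
            pass  # no InfoTab value in this Run key view
    return found


def check_mutex():
    """The mutex exists only while the adware process holds it, so a hit means
    it is running right now, not merely installed."""
    if not IS_WINDOWS:
        return []
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if not handle:
        # ERROR_ACCESS_DENIED (5) still proves the mutex exists
        if ctypes.get_last_error() == 5:
            return [("mutex", f"{MUTEX_NAME} (exists; access denied)")]
        return []
    k32.CloseHandle(handle)
    return [("mutex", f"{MUTEX_NAME} (adware process is running)")]


def find_infotab_artifacts():
    return check_files() + check_registry() + check_mutex()


if __name__ == "__main__":
    hits = find_infotab_artifacts()
    for kind, detail in hits:
        print(f"{kind:<9} {detail}")
    if not hits:
        print("No Adware:Win32/InfoTab artefacts found.")
```

The mutex name carries no `Global\` prefix, so it lives in the session-local namespace: run the script in the same logon session as the affected user, or rely on the file and registry findings when triaging remotely. Only the file and registry results survive a reboot, which is why the Run value is the most useful persistence indicator of the set.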

Execution

Sets up system hooks for monitoring

Adware:Win32/InfoTab checks whether any of the following processes is running on the computer. If none is, it installs API hooks that it uses to monitor browsing activity:

  • topguide.exe
  • plustab.exe
  • infowise.exe


Monitors keywords

Adware:Win32/InfoTab monitors the URLs the computer accesses and captures search keywords when a URL contains any of the following strings:

  • search.dcinside.com/?
  • finding.about.co.kr/Search/Search.
  • .kyobobook.
  • /search/SearchCommonMain.
  • .career.co.kr/jobs/list/search_detail_list.
  • .ogage.co.kr/shop/search_V4.
  • .aladin.co.kr/search/wsearchresult.
  • .enuri.com/view
  • .yes24.com/searchCenter/searchResult.
  • search.11st.
  • .mm.co.kr/category/
  • .bb.co.kr/main/search/
  • search.danawa.
  • .yeoin.com/search/
  • .nseshop.com/jsp/item/item_search.
  • .zeromarket.co.kr/openMall/search/
  • .zeromarket.com/openMall/search/
  • .akmall.com/search/
  • .lotteimall.com/search/
  • .hmall.com/front/scSearchL.
  • .lotte.com/search/searchMain.
  • mall.shinsegae.com/search/
  • .gsshop.com/search/
  • .cjmall.com/prd/front/search/
  • .dnshop.com/front/search/
  • search.interpark.
  • search.gmarket.
  • search.auction.
  • bing.joinmsn.
  • .egloos.com
  • blog.paran.com
  • kr.blog.yahoo.com
  • media.daum.net
  • finance.naver.com
  • yonhapnews.co.kr
  • hankyung.com
  • news.msn.co.kr
  • cyworld.com
  • blog.chosun.com
  • blog.daum.net
  • cafe.daum.net
  • mydaily.co.kr
  • imnews.imbc.com
  • news.donga.com
  • map.naver.com
  • mt.co.kr/view/mtview
  • tvdaily.co.kr
  • search.paran.com
  • report.paran.com
  • olv.moazine.com
  • www.aladdin.co.kr
  • www.hanatour.com
  • tourguide.tourexpress.com
  • korean.visitkorea.or.kr
  • kr.fun.yahoo.com
  • dic.paran.com
  • media.paran.com
  • adshop.paran.com
  • estate.nate.com
  • comics.nate.com
  • engdic.nate.com
  • kordic.nate.com
  • 100.nate.com
  • keywordshop.nate.com
  • map.cyworld.com
  • book.nate.com
  • search.nate.com
  • video.cyworld.com
  • mm.search.nate.com
  • review.nate.com
  • ask.nate.com
  • news.nate.com
  • club.cyworld.com
  • search.yahoo.com
  • kr.gugi.yahoo.com
  • kr.news.yahoo.com
  • tvpot.daum.net
  • kr.product.shopping.yahoo.com
  • kr.ks.yahoo.com
  • kr.img.search.yahoo.com
  • kr.dictionary.search.yahoo.com
  • kr.finance.yahoo.com
  • search.daum.net
  • clix.bizshop.daum.net
  • adhow.daum.net
  • k.daum.net
  • shopping.daum.net
  • krdic.daum.net
  • jpdic.daum.net
  • engdic.daum.net
  • enc.daum.net
  • q.freechal.com
  • search.pandora.tv
  • www.mgoon.com
  • search.naver.com
  • 100.naver.com
  • searchad.naver.com
  • video.naver.com
  • jpdic.naver.com
  • krdic.naver.com
  • endic.naver.com
  • ko.wikipedia.org
  • local.naver.com
  • academic.naver.com
  • news.naver.com
  • movie.naver.com
  • book.naver.com
  • music.naver.com
  • imagesearch.naver.com
  • myoverture.co.kr


Intercepted keywords are sent to "topguide.co.kr/bar.asp" and the resulting page is displayed in the web browser.
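The network side of this behaviour (the post-install report and PlusTab.ini download from infotab.co.kr, and the keyword exfiltration to topguide.co.kr/bar.asp) is what a proxy or web log will show. The script below is an added example, not code from the advisory or from the adware: it runs a detection pass over constructed proxy-log lines, tags the requests to the two servers named in the write-up, and also marks requests that match the URL watch-list so an analyst can see which of the victim's searches the adware would have harvested. It uses only a subset of the watch-list above, and reads "contains any of the following strings" as a case-insensitive substring match; the `kw` query-parameter name in the sample is invented, since the write-up does not give the real one.

```python
"""Added example (not from the advisory): a detection pass over constructed
proxy-log lines for the InfoTab network behaviour described above, plus the
URL watch-list match that decides which browsing the adware harvests.
"""
import re
from urllib.parse import urlsplit

# Hosts named in the write-up: the check-in/config server and the keyword-exfil server.
REPORT_HOST = "infotab.co.kr"
EXFIL_HOST = "topguide.co.kr"
EXFIL_PATH = "/bar.asp"
CONFIG_FILE = "plustab.ini"

# A subset of the URL fragments the adware matches (the full list is above).
# Plain case-insensitive substring search, the simplest reading of
# "contains any of the following strings".
WATCHED_URL_FRAGMENTS = [
    "search.naver.com", "search.daum.net", "search.nate.com",
    "search.gmarket.", "search.auction.", "search.11st.",
    ".yes24.com/searchCenter/searchResult.", "ko.wikipedia.org",
]

# Constructed sample log, format "<timestamp> <client-ip> <method> <url>".
# Client 10.0.0.17 shows the sequence a victim produces: a watched search, the
# keyword exfil to bar.asp, and the config download. The "kw" parameter name is
# invented for the sample; the write-up does not give the real one.
SAMPLE_LOG = """\
2011-08-23T09:14:02Z 10.0.0.17 GET http://search.naver.com/search.naver?query=notebook
2011-08-23T09:14:03Z 10.0.0.17 GET http://topguide.co.kr/bar.asp?kw=notebook
2011-08-23T09:14:05Z 10.0.0.17 GET http://infotab.co.kr/PlusTab.ini
2011-08-23T09:15:10Z 10.0.0.22 GET http://www.example.com/
not a log line
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def is_watched(url: str) -> bool:
    """True if the adware's hooks would capture keywords from this URL."""
    u = url.lower()
    return any(frag.lower() in u for frag in WATCHED_URL_FRAGMENTS)


def _host_matches(host: str, target: str) -> bool:
    return host == target or host.endswith("." + target)


def classify(url: str):
    """Return a tag for the URL, or None if it is of no interest."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    if _host_matches(host, REPORT_HOST):
        # PlusTab.ini fetch vs. any other request to the report server
        # (the write-up gives no path for the version/MAC/ID report)
        return "config-download" if path.endswith(CONFIG_FILE) else "install-report"
    if _host_matches(host, EXFIL_HOST) and path == EXFIL_PATH:
        return "keyword-exfil"
    if is_watched(url):
        # Not malicious by itself: it is the victim's own browsing, but it is
        # exactly the traffic the adware harvests, so it belongs in the timeline.
        return "watched-site"
    return None


def scan_log(lines):
    """Parse log lines and return the tagged hits in order of appearance."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        tag = classify(m["url"])
        if tag is None:
            continue
        hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"],
                     "tag": tag, "query": urlsplit(m["url"]).query})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["client"]} {h["tag"]:<16} {h["url"]}')
```

The query string is kept on every hit because, for a `keyword-exfil` request, it is the evidence of what left the machine; a `watched-site` hit followed within seconds by a `bar.asp` request from the same client is the pattern to alert on, since either request alone is ambiguous.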



Analysis by Zarestel Ferrer

Last update 23 August 2011