
BrowserModifier:Win32/BuddySearchBar


First posted on 17 May 2010.
Source: SecurityHome

Aliases :

BrowserModifier:Win32/BuddySearchBar is also known as Win32/Adware.BonusCash.AA (ESET).

Explanation :

BrowserModifier:Win32/BuddySearchBar is a program that may be installed as an add-on to the Web browser Internet Explorer, and displays what appears to be contextual advertisements based on the affected user's search.

The browser modifier may also download and install updates onto the affected computer.

Installation

Web Browser Help Object

BrowserModifier:Win32/BuddySearchBar can install itself as a Web Browser Help Object (BHO) in Internet Explorer, and may be present in the following file:

%programfiles%\Buddy Search\bdbho.dll

When executed, the browser modifier installs itself as a BHO and makes the following registry modifications:

Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{4A3FF101-B128-493B-B552-9A58E5E578C6}
Adds value: "(Default)"
With data: "Buddy Search"

Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{4A3FF101-B128-493B-B552-9A58E5E578C6}\InProcServer32
Adds value: "(Default)"
With data: <location of program>
Adds value: "ThreadingModel"
With data: "Apartment"

Note: <location of program> is defined as the full path of the file that is installed as a BHO on the user's machine.

Creates subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A3FF101-B128-493B-B552-9A58E5E578C6}
Adds value: "(Default)"
With data: ""
Adds value: "NoExplorer"
With data: dword:00000001

Creates subkey: HKCU\Software\Buddy Search
Adds value: "ForceUpdateDate"
With data: "<variable date>" (for example, "5/10/2010 5:03:48 PM")
Adds value: "RecoveryDate"
With data: "<variable date>" (for example, "5/10/2010 5:03:48 PM")
Adds value: "UpdateDate"
With data: "<variable date>" (for example, "5/10/2010 5:03:48 PM")

Note: <variable date> is defined as a time in the format "m/dd/yyyy h:mm:ss AM/PM" that is determined by the program.

Once installed in Internet Explorer, the browser modifier's presence can be seen in the 'Manage Add-ons' window that can be accessed from the Tools menu. The image below displays a 'Manage Add-ons' window with the browser modifier listed as 'Buddy Search'.

Explorer Bar

BrowserModifier:Win32/BuddySearchBar can install itself as an Explorer Bar in Internet Explorer, and may be present in the following file:

%programfiles%\Buddy Search\bdbar.dll

When executed, the browser modifier installs itself as an Explorer Bar and makes the following registry modifications:

Creates subkey: HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{61E69589-0CF1-43D5-B2FD-5CF4272F164B}
Adds value: "(Default)"
With data: ""
Adds value: "BarSize"
With data: hex:fd,00,00,00,00,00,00,00

Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{61E69589-0CF1-43D5-B2FD-5CF4272F164B}
Adds value: "(Default)"
With data: "Buddy Search"

Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{61E69589-0CF1-43D5-B2FD-5CF4272F164B}\Implemented Categories
Adds value: "(Default)"
With data: hex(0):00

Creates subkey: HKLM\SOFTWARE\Classes\CLSID\{61E69589-0CF1-43D5-B2FD-5CF4272F164B}\InProcServer32
Adds value: "(Default)"
With data: <location of explorer bar>
Adds value: "ThreadingModel"
With data: "Apartment"

Note: <location of explorer bar> is defined as the full path of the file that is installed as an Explorer Bar on the user's machine.

Once installed in Internet Explorer, the adware's presence can be seen from View > Explorer Bar > Buddy Search, as seen in the image below. Once selected from the Explorer Bar menu, BrowserModifier:Win32/BuddySearchBar adds a panel in the Web browser, as seen in the image below.
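A defender's check for the registrations described above, as an added example that is not part of the original advisory: this PowerShell script enumerates the Internet Explorer BHO and Explorer Bar registration keys, resolves each CLSID to its InProcServer32 DLL, and flags the CLSIDs and file names this page lists. It assumes the 32-bit registry view; on 64-bit Windows the corresponding Wow6432Node keys would need the same check.

```powershell
# Added detection example; indicators below are the CLSIDs and file names from the advisory.
$KnownClsids = @(
    '{4A3FF101-B128-493B-B552-9A58E5E578C6}',  # bdbho.dll (BHO)
    '{61E69589-0CF1-43D5-B2FD-5CF4272F164B}'   # bdbar.dll (Explorer Bar)
)
$KnownFiles = @('bdbho.dll', 'bdbar.dll')

function Get-IeAddOnRegistration {
    # Yields one object per registered BHO / Explorer Bar with its resolved DLL path.
    $sources = @(
        @{ Kind = 'BHO';         Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' },
        @{ Kind = 'ExplorerBar'; Key = 'HKCU:\Software\Microsoft\Internet Explorer\Explorer Bars' }
    )
    foreach ($src in $sources) {
        if (-not (Test-Path $src.Key)) { continue }
        foreach ($sub in Get-ChildItem -Path $src.Key) {
            $clsid  = $sub.PSChildName
            $clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
            $server = "$clsKey\InProcServer32"
            $name = $null; $dll = $null
            if (Test-Path $clsKey) { $name = (Get-ItemProperty -Path $clsKey).'(default)' }
            if (Test-Path $server) { $dll  = (Get-ItemProperty -Path $server).'(default)' }
            # Flag on the documented CLSID or on the documented DLL name regardless of install path.
            $hit = ($KnownClsids -contains $clsid) -or
                   ($dll -and ($KnownFiles -contains [System.IO.Path]::GetFileName($dll)))
            [pscustomobject]@{
                Kind        = $src.Kind
                CLSID       = $clsid
                Name        = $name
                DllPath     = $dll
                BuddySearch = $hit
            }
        }
    }
}

# The per-user data key the advisory says the program creates; its date values
# record when the program last updated or forced an update.
$dataKey = 'HKCU:\Software\Buddy Search'
if (Test-Path $dataKey) {
    Write-Host "Found $dataKey"
    Get-ItemProperty -Path $dataKey | Select-Object ForceUpdateDate, RecoveryDate, UpdateDate
}

Get-IeAddOnRegistration | Format-Table -AutoSize
```

Any row with BuddySearch set to True, or any DLL path under an unexpected directory, is worth a closer look; the 'Manage Add-ons' window shows the same registrations but not the backing file paths.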

Analysis by Michael Johnson

Last update 17 May 2010
