
Program:Win32/Seeearch


First posted on 13 September 2011.
Source: SecurityHome

Aliases :

Program:Win32/Seeearch is also known as Adware.VlcPlayer (Dr.Web), IsolationAware (Sophos).

Explanation :

Program:Win32/Seeearch is a web browser toolbar that may be bundled with a fake setup application named "Vlc Media Player".
Installation
When run, the fake installer displays a splash graphic and an End User License Agreement, followed by an error message. (The screenshots of these dialogs in the original analysis are not reproduced here.) It then drops the following files:

<installation folder>\Seeearch\seeearch.crc
<installation folder>\Seeearch\seeearch.dll
<installation folder>\Seeearch\start.html
<installation folder>\Seeearch\tbhelper.dll
<installation folder>\Seeearch\uninstall.exe
<installation folder>\Seeearch\update.exe
<installation folder>\Seeearch\21_pro.png
<installation folder>\Seeearch\58tuto02.jpg
<installation folder>\Seeearch\about.html
<installation folder>\Seeearch\basis.xml
<installation folder>\Seeearch\bookmark_256.png
<installation folder>\Seeearch\c1.png
<installation folder>\Seeearch\c2.png
<installation folder>\Seeearch\demo_logo.bmp
<installation folder>\Seeearch\demo_logo.bmp_16.bmp
<installation folder>\Seeearch\dice.png
<installation folder>\Seeearch\error.html
<installation folder>\Seeearch\facebook.png
<installation folder>\Seeearch\facebooklay.png
<installation folder>\Seeearch\favicon.ico
<installation folder>\Seeearch\football.png
<installation folder>\Seeearch\google_youtube.png
<installation folder>\Seeearch\icons.bmp
<installation folder>\Seeearch\icon_news.jpg
<installation folder>\Seeearch\kpat.png
<installation folder>\Seeearch\kpat2.png
<installation folder>\Seeearch\label_new_blue.png
<installation folder>\Seeearch\label_new_red.png
<installation folder>\Seeearch\littlelogo.png
<installation folder>\Seeearch\log.bmp
<installation folder>\Seeearch\log.bmp_30.bmp
<installation folder>\Seeearch\logotool.png
<installation folder>\Seeearch\logotoolbar.png
<installation folder>\Seeearch\loupe.png
<installation folder>\Seeearch\megaupload.png
<installation folder>\Seeearch\meteo.png
<installation folder>\Seeearch\money.png
<installation folder>\Seeearch\movies.png
<installation folder>\Seeearch\p1.png
<installation folder>\Seeearch\p2.png
<installation folder>\Seeearch\play.png
<installation folder>\Seeearch\refre.png
<installation folder>\Seeearch\refresh.png
<installation folder>\Seeearch\search_button_format_bing.png
<installation folder>\Seeearch\sims2_1.png
<installation folder>\Seeearch\social_youtube.png
<installation folder>\Seeearch\STREAM1.png
<installation folder>\Seeearch\STREAM2.png
<installation folder>\Seeearch\tweet.png
<installation folder>\Seeearch\twitter.png
<installation folder>\Seeearch\v1.png
<installation folder>\Seeearch\v2.png
<installation folder>\Seeearch\version.txt
<installation folder>\Seeearch\video.png
<installation folder>\Seeearch\weather.png
<installation folder>\Seeearch\youtube.png

Note: we observed that in-the-wild samples of Win32/Seeearch use the following locations as the "<installation folder>":

  • D:\
  • %ProgramFiles%
The registry is modified to register Win32/Seeearch both as an Internet Explorer toolbar (CLSID {1FDA7DDD-25CE-4034-9D5B-38A120A14218}) and as a Browser Helper Object (CLSID {2DA14D1D-AE74-4A74-A0FE-C79504755DB8}); both CLSIDs resolve through HKLM\SOFTWARE\Classes\CLSID to the same in-process server, seeearch.dll, so the DLL is loaded whenever Internet Explorer starts:

In subkey: HKLM\Software\Microsoft\Internet Explorer\Toolbar
Sets value: "{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"
To data: ""

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar.1\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CLSID
Sets value: "(default)"
To data: "{1fda7ddd-25ce-4034-9d5b-38a120a14218}"

In subkey: HKLM\SOFTWARE\Classes\TBSB06155.IEToolbar\CurVer
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}
Sets value: "(default)"
To data: "ie toolbar"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\ProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\VersionIndependentProgID
Sets value: "(default)"
To data: "tbsb06155.ietoolbar"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32
Sets value: "(default)"
To data: "<installation folder>\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155.1\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CLSID
Sets value: "(default)"
To data: "{2da14d1d-ae74-4a74-a0fe-c79504755db8}"

In subkey: HKLM\SOFTWARE\Classes\Toolbar3.TBSB06155\CurVer
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155 class"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\ProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155.1"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\VersionIndependentProgID
Sets value: "(default)"
To data: "toolbar3.tbsb06155"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32
Sets value: "(default)"
To data: "<installation folder>\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}
Sets value: "(default)"
To data: "tbsb06155"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0
Sets value: "(default)"
To data: "toolbar3 1.0 type library"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\FLAGS
Sets value: "(default)"
To data: "0"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\0\win32
Sets value: "(default)"
To data: "<installation folder>\seeearch\seeearch.dll"

In subkey: HKLM\SOFTWARE\Classes\TypeLib\{80D04E8E-7448-4D36-9161-5F89BF18DFDD}\1.0\HELPDIR
Sets value: "(default)"
To data: "<installation folder>\seeearch\"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}
Sets value: "(default)"
To data: "itoolbarobj"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{1BBB9F9A-8C7B-465B-827B-15C1B865E95C}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}
Sets value: "(default)"
To data: "iposbho"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\ProxyStubClsid32
Sets value: "(default)"
To data: "{00020424-0000-0000-c000-000000000046}"

In subkey: HKLM\SOFTWARE\Classes\Interface\{7C5C05AE-CBB0-4AC3-BAA8-BADB08254386}\TypeLib
Sets value: "(default)"
To data: "{80d04e8e-7448-4d36-9161-5f89bf18dfdd}"
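
The registration chain above is what a responder checks on a suspect host: the toolbar value under HKLM\Software\Microsoft\Internet Explorer\Toolbar and the BHO subkey under ...\Explorer\Browser Helper Objects both name a CLSID, and the CLSID's InprocServer32 entry names the DLL that Internet Explorer will load. The following Python script is an added example and is not part of the original analysis: it parses a registry export, enumerates the registered IE toolbars and BHOs, resolves each CLSID to its InprocServer32 path, and flags the two CLSIDs and the DLL names documented in this write-up. The .reg text embedded in it is constructed for the example from the keys listed above; the "Benign Helper" CLSID and path are invented so that a non-hit is visible.

```python
"""Added example (not from the original analysis): enumerate the Internet Explorer
toolbars and Browser Helper Objects registered in a .reg export and resolve each
CLSID to the DLL that IE will load. SAMPLE_REG is constructed by hand from the keys
listed above; the two Seeearch CLSIDs and seeearch.dll come from the write-up, the
"Benign Helper" entry is invented to show a non-hit."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
"{1FDA7DDD-25CE-4034-9D5B-38A120A14218}"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}]
@="ie toolbar"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FDA7DDD-25CE-4034-9D5B-38A120A14218}\InprocServer32]
@="D:\\seeearch\\seeearch.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}]
@="tbsb06155"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}\InprocServer32]
@="D:\\seeearch\\seeearch.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-4000-8000-000000000001}]
@="Benign Helper (constructed)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Program Files\\Benign\\helper.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
CLSID_RE = re.compile(r'^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$')
HKLM = 'hkey_local_machine'
TOOLBAR_KEY = HKLM + '\\software\\microsoft\\internet explorer\\toolbar'
BHO_KEY = HKLM + '\\software\\microsoft\\windows\\currentversion\\explorer\\browser helper objects'
# Identifiers the write-up attributes to Win32/Seeearch.
KNOWN_CLSIDS = {'{1FDA7DDD-25CE-4034-9D5B-38A120A14218}', '{2DA14D1D-AE74-4A74-A0FE-C79504755DB8}'}
KNOWN_DLLS = {'seeearch.dll', 'tbhelper.dll'}

def _unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_reg(text):
    """Return {key_path (lower-cased): {value_name: data}}; only REG_SZ data is decoded."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = '' if name == '@' else _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys

def resolve_clsid(keys, clsid):
    """Follow HKLM\\Software\\Classes\\CLSID\\{...}\\InprocServer32 the way COM does."""
    base = HKLM + '\\software\\classes\\clsid\\' + clsid.lower()
    return keys.get(base, {}).get('', ''), keys.get(base + '\\inprocserver32', {}).get('', '')

def enumerate_ie_extensions(keys):
    """List every registered IE toolbar (value names) and BHO (subkeys) with its DLL."""
    found = []
    for clsid in keys.get(TOOLBAR_KEY, {}):
        if CLSID_RE.match(clsid.lower()):
            name, dll = resolve_clsid(keys, clsid)
            found.append({'kind': 'toolbar', 'clsid': clsid.upper(), 'name': name, 'dll': dll})
    prefix = BHO_KEY + '\\'
    for key, values in keys.items():
        clsid = key[len(prefix):]
        if key.startswith(prefix) and CLSID_RE.match(clsid):
            name, dll = resolve_clsid(keys, clsid)
            found.append({'kind': 'bho', 'clsid': clsid.upper(),
                          'name': name or values.get('', ''), 'dll': dll})
    return found

def flag_suspicious(entries):
    """Attribute entries to Win32/Seeearch by CLSID or DLL basename, and flag
    registrations with no DLL path, which is what a partial clean-up leaves behind."""
    hits = []
    for e in entries:
        reasons = []
        if e['clsid'] in KNOWN_CLSIDS:
            reasons.append('CLSID documented for Win32/Seeearch')
        if e['dll'].rsplit('\\', 1)[-1].lower() in KNOWN_DLLS:
            reasons.append('DLL name documented for Win32/Seeearch')
        if not e['dll']:
            reasons.append('dangling registration: no InprocServer32 path')
        if reasons:
            hits.append(dict(e, reasons=reasons))
    return hits

if __name__ == '__main__':
    print(flag_suspicious(enumerate_ie_extensions(parse_reg(SAMPLE_REG))))
```

On a live host the input is produced with `reg export HKLM\SOFTWARE hklm_software.reg` and passed to `parse_reg`. Two caveats for real use: this write-up only lists HKLM keys, but toolbars, BHOs and COM classes can equally be registered per user under HKCU, so export and check both hives; and a hit whose DLL is absent from disk is still worth removing, since the registration alone shows the installer ran and a dangling BHO entry survives an incomplete clean-up.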

Payload
When Internet Explorer is launched, Win32/Seeearch is visible as a toolbar (the screenshot in the original analysis is not reproduced here). Program:Win32/Seeearch may also display 'out-of-context' pop-up advertisements.

Analysis by Jonathan San Jose

Last update 13 September 2011