
BrowserModifier:Win32/BaiduSobar


First posted on 04 February 2009.
Source: SecurityHome

Aliases:

BrowserModifier:Win32/BaiduSobar is also known as Adware-BDSearch (McAfee), W32/BaiduBar.A (Norman), ADW_BAIDUBAR (Trend Micro).

Explanation:

BrowserModifier:Win32/Baidu.Sobar is a Web browser toolbar that delivers pop-up and contextual advertisements, blocks certain other advertisements, and changes the Internet Explorer search page. BrowserModifier:Win32/Baidu.Sobar may also prevent removal by the user by protecting its installed files and registry keys.

Symptoms
The following symptoms may be indicative of a BrowserModifier:Win32/Baidu.Sobar installation:

  • Presence of any of the following registry keys:
    HKEY_CLASSES_ROOT\BaiduBar.Baidu.1
    HKEY_CLASSES_ROOT\BaiduBar.Baidu
    HKEY_CLASSES_ROOT\BaiduBar.Tool.1
    HKEY_CLASSES_ROOT\BaiduBar.Tool
    HKEY_CLASSES_ROOT\BaiduBarEx.BandIE.1
    HKEY_CLASSES_ROOT\BaiduBarEx.BandIE
    HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget.1
    HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget
    HKEY_CLASSES_ROOT\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}
    HKEY_CLASSES_ROOT\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}
    HKEY_CLASSES_ROOT\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
    HKEY_CLASSES_ROOT\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
    HKEY_CLASSES_ROOT\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}
    HKEY_CLASSES_ROOT\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}
    HKEY_CLASSES_ROOT\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}
    HKEY_CLASSES_ROOT\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}
    HKEY_CLASSES_ROOT\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}
    HKEY_CLASSES_ROOT\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0
    HKEY_CURRENT_USER\Software\Baidu\BaiduBar
    HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduBar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sobar
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{77FEF28E-EB96-44FF-B511-3185DEA48697}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BdGuard
    HKEY_LOCAL_MACHINE\Software\Classes\BaiduBar.Tool
    HKEY_LOCAL_MACHINE\Software\Classes\BaiduBar.Baidu.1
    HKEY_LOCAL_MACHINE\Software\Classes\BaiduBar.Baidu
    HKEY_LOCAL_MACHINE\Software\Classes\BaiduBarEx.BandIE
    HKEY_LOCAL_MACHINE\Software\Classes\BaiduBarEx.DropTarget.1
    HKEY_LOCAL_MACHINE\Software\Classes\BaiduBarEx.DropTarget
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{77FEF28E-EB96-44FF-B511-3185DEA48697}
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{A7F05EE4-0426-454F-8013-C41E3596E9E9}
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{B580CF65-E151-49C3-B73F-70B13FCA8E86}
    HKEY_LOCAL_MACHINE\Software\Classes\clsid\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}
    HKEY_LOCAL_MACHINE\Software\Classes\MimeFilter.AdFilter.1
    HKEY_LOCAL_MACHINE\Software\Classes\MimeFilter.AdFilter
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BaiduInstall
  • Presence of any of the following files:
    %ProgramFiles%\baidu\bar\baidubar.dat
    %ProgramFiles%\baidu\bar\BaiduBar.dll
    %ProgramFiles%\baidu\bar\BDBar_tmp\baidubar.dat
    %ProgramFiles%\baidu\bar\BDBar_tmp\img\imglist.bmp
    %ProgramFiles%\baidu\bar\BDBar_tmp\img\logo.bmp
    %ProgramFiles%\baidu\bar\img\imglist.bmp
    %ProgramFiles%\baidu\bar\img\logo.bmp
    %ProgramFiles%\baidu\bar\BDBar_tmp\BaiduBar.dll
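The following read-only triage script is an added example, not part of the original advisory or of any vendor tool. It checks a Windows host for the registry keys, files and driver service listed above and reports what it finds without removing anything (the advisory notes that the toolbar's kernel driver resists removal, so cleanup belongs to an up-to-date antimalware engine). Two assumptions are not in the listing: the backslash-stripped paths expand to %ProgramFiles%\baidu\bar\..., and on 64-bit Windows a 32-bit toolbar would register under Wow6432Node and install below %ProgramFiles(x86)%, so those variants are checked as well.

```powershell
# Added triage script (not from the advisory). Read-only: reports indicators, changes nothing.
# Assumption: listed paths expand to %ProgramFiles%\baidu\bar\...
# Assumption: Wow6432Node / %ProgramFiles(x86)% variants cover a 32-bit install on 64-bit Windows.

$Clsids = @(
    '{77FEF28E-EB96-44FF-B511-3185DEA48697}',
    '{7C76C055-ED6E-4535-A70F-CD476E727F67}',
    '{A7F05EE4-0426-454F-8013-C41E3596E9E9}',
    '{B580CF65-E151-49C3-B73F-70B13FCA8E86}',
    '{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}'
)

# Keys named in the advisory. HKCR has no default PSDrive, so the Registry:: provider prefix is used.
$Keys = [System.Collections.Generic.List[string]]@(
    'HKEY_CURRENT_USER\Software\Baidu\BaiduBar',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduBar',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\sobar',
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BdGuard',
    'HKEY_CLASSES_ROOT\BaiduBar.Baidu',
    'HKEY_CLASSES_ROOT\BaiduBar.Tool',
    'HKEY_CLASSES_ROOT\BaiduBarEx.BandIE',
    'HKEY_CLASSES_ROOT\BaiduBarEx.DropTarget',
    'HKEY_CLASSES_ROOT\MimeFilter.AdFilter',
    'HKEY_CLASSES_ROOT\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}'
)
foreach ($c in $Clsids) {
    $Keys.Add("HKEY_CLASSES_ROOT\CLSID\$c")
    foreach ($sw in 'SOFTWARE', 'SOFTWARE\Wow6432Node') {   # Wow6432Node is the assumed x64 variant
        $Keys.Add("HKEY_LOCAL_MACHINE\$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c")
        $Keys.Add("HKEY_LOCAL_MACHINE\$sw\Microsoft\Internet Explorer\Toolbar\$c")
    }
}

# Dropped files, relative to <Program Files>\baidu\bar
$Roots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $Roots += ${env:ProgramFiles(x86)} }
$Files = foreach ($root in $Roots) {
    foreach ($rel in 'baidubar.dat', 'BaiduBar.dll', 'img\imglist.bmp', 'img\logo.bmp',
                     'BDBar_tmp\baidubar.dat', 'BDBar_tmp\BaiduBar.dll',
                     'BDBar_tmp\img\imglist.bmp', 'BDBar_tmp\img\logo.bmp') {
        Join-Path $root "baidu\bar\$rel"
    }
}

$Findings = [System.Collections.Generic.List[string]]::new()

foreach ($k in $Keys) {
    if (Test-Path -LiteralPath "Registry::$k") { $Findings.Add("registry key : $k") }
}

# BaiduInstall is listed under RunOnce; check it as a value name as well as a key.
$runOnce = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
if ((Test-Path -LiteralPath $runOnce) -and
    ((Get-Item -LiteralPath $runOnce).GetValueNames() -contains 'BaiduInstall')) {
    $Findings.Add('RunOnce value: BaiduInstall')
}

foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $Findings.Add("file         : $f") }
}

# Kernel drivers are not returned by Get-Service, so query Win32_SystemDriver for BdGuard.
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='BdGuard'" -ErrorAction SilentlyContinue
if ($drv) { $Findings.Add("driver       : BdGuard (state $($drv.State), image $($drv.PathName))") }

# Search-page hijack: the advisory's replacement URL lives under bar.baidu.com/sobar.
$search = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search'
if (Test-Path -LiteralPath $search) {
    $p = Get-ItemProperty -LiteralPath $search
    foreach ($name in 'CustomizeSearch', 'SearchAssistant') {
        if ("$($p.$name)" -like '*bar.baidu.com/sobar*') {
            $Findings.Add("IE search    : $name = $($p.$name)")
        }
    }
}

if ($Findings.Count -eq 0) { 'No Baidu.Sobar indicators found.' }
else { "Baidu.Sobar indicators found ($($Findings.Count)):"; $Findings }
```

Run it from an elevated PowerShell prompt so that HKLM and the driver query are fully visible. A hit on the BHO or Toolbar CLSID keys with the DLL still on disk means the toolbar is loadable by Internet Explorer; a BdGuard driver that is running is the component the advisory describes as protecting the files and keys, which is why this script deliberately does not attempt deletion.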


When BrowserModifier:Win32/Baidu.Sobar is run, it performs the following actions:

  • Creates a folder named 'baidu' in the %ProgramFiles% folder
  • Creates additional subfolders and drops files within those folders:
    %ProgramFiles%\baidu\bar\baidubar.dat
    %ProgramFiles%\baidu\bar\BaiduBar.dll
    %ProgramFiles%\baidu\bar\BDBar_tmp\baidubar.dat
    %ProgramFiles%\baidu\bar\BDBar_tmp\img\imglist.bmp
    %ProgramFiles%\baidu\bar\BDBar_tmp\img\logo.bmp
    %ProgramFiles%\baidu\bar\img\imglist.bmp
    %ProgramFiles%\baidu\bar\img\logo.bmp
    %ProgramFiles%\baidu\bar\BDBar_tmp\BaiduBar.dll
  • Creates .URL files within the %ALLUSERSPROFILE%\Start Menu\Programs folder
  • Modifies the registry to run BrowserModifier:Win32/Baidu.Sobar as a browser helper object (BHO):
    Adds values:
    {77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\(Default)
    {7C76C055-ED6E-4535-A70F-CD476E727F67}\InprocServer32\(Default)
    {A7F05EE4-0426-454F-8013-C41E3596E9E9}\InprocServer32\(Default)
    {B580CF65-E151-49C3-B73F-70B13FCA8E86}\InprocServer32\(Default)
    {FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\InprocServer32\(Default)
    With data: %ProgramFiles%\baidu\bar\BaiduBar.dll
    To subkey: HKEY_CLASSES_ROOT\CLSID
    Adds value: {77FEF28E-EB96-44FF-B511-3185DEA48697}\id
    With data: bdbar
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    Adds value: {B580CF65-E151-49C3-B73F-70B13FCA8E86}
    With data: 0
    To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar
  • Modifies the registry with settings related to the functionality of BrowserModifier:Win32/Baidu.Sobar:
    Adds values:
    version
    RunState
    With data: 0x0
    Adds values:
    SearchBoxMode
    ShowState
    DisplayMode
    DisplayLineMode
    With data: 0x1
    To subkey: HKEY_CURRENT_USER\Software\Baidu\BaiduBar
    Adds values:
    AllVoice_State
    AllFlash_State
    AllPic_State
    With data: 0x0
    To subkey: HKEY_CURRENT_USER\Software\Baidu\BaiduBar\NoAD
  • Modifies the registry instructing BrowserModifier:Win32/Baidu.Sobar to allow advertisements from specific Web sites that may include any of the following strings in the source URL:
    *.hao123.com*
    *.baidu.com*
  • Modifies the registry instructing BrowserModifier:Win32/Baidu.Sobar to disallow advertisements from specific Web sites that may include any of the following strings in the source URL:
    */ad.*
    */imgad/*
    http://ad[0-9].*
    http://ads.
    *banner.*
    */advpic*
    *doubleclick.*
    */ad/*
    */banner_img/*
    */adbanners*
    *cnsmin.3721.com/*
    */adv/*
    */images_ad/*
    */ads/*
    */advlink/*
    */banner*
    http://ad.*
    *banners/*
    */adImages/*
    *.swf[a-z]*
    *images.sohu.com/cs/button/*
  • Modifies the registry to alter search settings used by Internet Explorer:
    Adds values:
    CustomizeSearch_sb
    SearchAssistant_sb
    With data: http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
    Adds values:
    CustomizeSearch
    SearchAssistant
    With data: http://bar.baidu.com/sobar/defaultsearch.html
    To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
  • Downloads a kernel mode driver that protects files and registry keys from being removed

Last update: 04 February 2009
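The allow and disallow lists above are wildcard patterns, and PowerShell's -like operator understands the same syntax (*, ? and character ranges such as [0-9]), so they can be evaluated directly against candidate ad URLs. The script below is an added illustration, not code from the advisory or from the toolbar, of how a two-list filter of this shape behaves: its own properties' ads pass while competitors' ad paths are blocked. The precedence rule (an allow match wins over any deny match) and the sample URLs are assumptions made for the example.

```powershell
# Added example (not from the advisory): evaluate the two pattern lists with -like.
# Assumption: an allow match takes precedence over a deny match.

$Allow = @('*.hao123.com*', '*.baidu.com*')
$Deny  = @(
    '*/ad.*', '*/imgad/*', 'http://ad[0-9].*', 'http://ads.', '*banner.*', '*/advpic*',
    '*doubleclick.*', '*/ad/*', '*/banner_img/*', '*/adbanners*', '*cnsmin.3721.com/*',
    '*/adv/*', '*/images_ad/*', '*/ads/*', '*/advlink/*', '*/banner*', 'http://ad.*',
    '*banners/*', '*/adImages/*', '*.swf[a-z]*', '*images.sohu.com/cs/button/*'
)
# Note: 'http://ads.' carries no trailing wildcard as listed, so it matches only that exact string.

function Get-AdDecision {
    param([Parameter(Mandatory)][string]$Url)
    foreach ($p in $Allow) {
        if ($Url -like $p) { return [pscustomobject]@{ Url = $Url; Decision = 'allow'; Pattern = $p } }
    }
    foreach ($p in $Deny) {
        if ($Url -like $p) { return [pscustomobject]@{ Url = $Url; Decision = 'block'; Pattern = $p } }
    }
    [pscustomobject]@{ Url = $Url; Decision = 'pass'; Pattern = $null }
}

# Constructed sample URLs for the demonstration (not from the advisory).
$Samples = @(
    'http://ad2.example.test/banner.gif',      # blocked by http://ad[0-9].*
    'http://www.example.test/ads/top.js',      # blocked by */ads/*
    'http://cpro.baidu.com/ad/show.js',        # allowed by *.baidu.com* although */ad/* would match
    'http://www.example.test/index.html'       # no pattern matches: pass
)
$Samples | ForEach-Object { Get-AdDecision -Url $_ } | Format-Table -AutoSize
```

The third sample is the point worth noticing for a defender: because the allow list is consulted first, a path like /ad/ on a baidu.com host is never blocked, which is the behaviour described above (blocking certain other advertisements while delivering its own). Note that -like is case-insensitive by default, so mixed-case patterns such as */adImages/* also match lower-case paths.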
