SecurityHome.eu Adware:Win32/FindLyrics

Home / malware PDF

Adware:Win32/FindLyrics

First posted on 06 June 2013.
Source: Microsoft
Aliases :
Adware:Win32/FindLyrics is also known as Adware.Singalng (Symantec).
Explanation :

Installation

It installs itself as a Chrome extension, and a Firefox plug-in by creating the following files:

Chrome extension:

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\icon128.png

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\icon16.png

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\icon48.png

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\background.html

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\background.js

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\contentscript.js

%APPDATA%\Google\Chrome\User Data\Default\Extensions\jmhhdaimhfblnamlcdijbaakkifakade\1.0_0\manifest.json

Firefox plug-in:

%ProgramFiles%\FindLyrics\FindLyrics.dll

%ProgramFiles%\FindLyrics\FF\chrome.manifest

%ProgramFiles%\FindLyrics\FF\chrome\content\FindLyrics32.png

%ProgramFiles%\FindLyrics\FF\chrome\content\main.js

%ProgramFiles%\FindLyrics\FF\chrome\content\overlay.xul

%ProgramFiles%\FindLyrics\FF\install.rdf

%ProgramFiles%\Chrome.crx

It creates the following registry entries as part of its installation routine:

In subkey: HKCR\CLSID\{44C9CC91-6A4A-4579-B4B5-899ECDC18DC6}
Sets value: "(Default)"
With data: "FindLyrics"

In subkey: HKCR\CLSID\{44C9CC91-6A4A-4579-B4B5-899ECDC18DC6}\InprocServer32
Sets value: "(Default)"
With data: "%ProgramFiles%\FindLyrics\FindLyrics.dll"
Sets value: "ThreadingModel"
With data: "Apartment"

In subkey: HKCR\CLSID\{44C9CC91-6A4A-4579-B4B5-899ECDC18DC6}\TypeLib
Sets value: "(Default)"
With data: "{BA5B874B-C72A-4529-B2CF-D7485602D541}"

In subkey: HKCR\CLSID\{44C9CC91-6A4A-4579-B4B5-899ECDC18DC6}\Version
Sets value: "(Default)"
With data: "1.0"

In subkey: HKCR\Interface\{5C927B89-5D80-4017-889F-93294895BC5F}
Sets value: "(Default)"
With data: "IInjectObject"

In subkey: HKCR\Interface\{5C927B89-5D80-4017-889F-93294895BC5F}\ProxyStubClsid
Sets value: "(Default)"
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCR\Interface\{5C927B89-5D80-4017-889F-93294895BC5F}\ProxyStubClsid32
Sets value: "(Default)"
With data: "{00020424-0000-0000-C000-000000000046}"

In subkey: HKCR\Interface\{5C927B89-5D80-4017-889F-93294895BC5F}\TypeLib
Sets value: "(Default)"
With data: "{BA5B874B-C72A-4529-B2CF-D7485602D541}"

In subkey: HKCR\Interface\{5C927B89-5D80-4017-889F-93294895BC5F}\TypeLib
Sets value: "Version"
With data: "1.0"

In subkey: HKCR\TypeLib\{BA5B874B-C72A-4529-B2CF-D7485602D541}\1.0
Sets value: "(Default)"
With data: "IEInjectLib"

In subkey: HKCR\TypeLib\{BA5B874B-C72A-4529-B2CF-D7485602D541}\1.0\0\win32
Sets value: "(Default)"
With data: "<adware path and file name>"

In subkey: HKCR\TypeLib\{BA5B874B-C72A-4529-B2CF-D7485602D541}\1.0\FLAGS
Sets value: "(Default)"
With data: "0"

In subkey: HKCR\TypeLib\{BA5B874B-C72A-4529-B2CF-D7485602D541}\1.0\HELPDIR
Sets value: "(Default)"
With data: "<Desktop folder>\findlyr\findlyr"

Execution

Once installed, Adware:Win32/FindLyrics displays advertisements in your browser window, and also displays the lyrics to songs if you view a song on "YouTube".

Analysis by Chris Stubbs

Last update 06 June 2013

TOP

Malware :

Last 20