
Adware:Win32/Addendum


First posted on 13 September 2011.
Source: SecurityHome

Aliases:

Adware:Win32/Addendum is also known as Addendum (other).

Explanation:

Adware:Win32/Addendum is adware that is installed as a web browser helper object (BHO) that may display unwanted pop-up advertisements and also redirect search queries when accessing certain websites. The adware may also download executable files to install as updates.


Installation

Adware:Win32/Addendum may be installed by an installer application. When run, the installer drops the following files:

  • %Program Files%\Addendum\admmgr.exe
  • %Program Files%\Addendum\eamgr.exe
  • %Program Files%\Addendum\iesb_nm.dll
  • %Program Files%\Addendum\iesm_nm.dll
  • %Program Files%\Addendum\uninstall.exe


During installation, the following registry data is created to run Win32/Addendum as a BHO:

In subkey: HKCR\IESideBand.Band
Sets value: "@"
To data: "IESideBand.Band"

In subkey: HKCR\IESideBand.Band\Clsid
Sets value: "@"
To data: "{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}"

In subkey: HKCR\IESideMon.Mon
Sets value: "@"
To data: "IESideMon.Mon"

In subkey: HKCR\IESideMon.Mon\Clsid
Sets value: "@"
To data: "{E2E94F8D-4323-4943-A269-2E9EF6280434}"

In subkey: HKCR\CLSID\{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}
Sets value: "@"
To data: "Addendum-nm"

In subkey: HKCR\CLSID\{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}\InprocServer32
Sets value: "@"
To data: "%Program Files%\Addendum\iesb_nm.dll"

In subkey: HKCR\CLSID\{E2E94F8D-4323-4943-A269-2E9EF6280434}
Sets value: "@"
To data: "IESideMon.Mon"

In subkey: HKCR\CLSID\{E2E94F8D-4323-4943-A269-2E9EF6280434}\InprocServer32
Sets value: "@"
To data: "%Program Files%\Addendum\iesm_nm.dll"

In subkey: HKLM\SOFTWARE\Classes\IESideBand.Band
Sets value: "@"
To data: "IESideBand.Band"

In subkey: HKLM\SOFTWARE\Classes\IESideBand.Band\Clsid
Sets value: "@"
To data: "{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}"

In subkey: HKLM\SOFTWARE\Classes\IESideMon.Mon
Sets value: "@"
To data: "IESideMon.Mon"

In subkey: HKLM\SOFTWARE\Classes\IESideMon.Mon\Clsid
Sets value: "@"
To data: "{E2E94F8D-4323-4943-A269-2E9EF6280434}"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}
Sets value: "@"
To data: "Addendum-nm"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}\InprocServer32
Sets value: "@"
To data: "%Program Files%\Addendum\iesb_nm.dll"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{E2E94F8D-4323-4943-A269-2E9EF6280434}
Sets value: "@"
To data: "IESideMon.Mon"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{E2E94F8D-4323-4943-A269-2E9EF6280434}\InprocServer32
Sets value: "@"
To data: "%Program Files%\iesm_nm.dll"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Creates value: "{E2E94F8D-4323-4943-A269-2E9EF6280434}"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2E94F8D-4323-4943-A269-2E9EF6280434}
Sets value: "NoExplorer"
To data: dword:00000001

In subkey: HKLM\SOFTWARE\Addendum
Sets value: "prg_id"
To data: "<string value>"

Sets value: "prg_ver"
To data: "<string value>"

Sets value: "prg_bc"
To data: "<string value>"

Sets value: "prg_bce"
To data: "<string value>"

Sets value: "prg_bcp"
To data: "<string value>"

Sets value: "prg_bcpe"
To data: "<string value>"

Sets value: "prg_first"
To data: "<string value>"

Sets value: "em_flag"
To data: "<string value>"
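The registry data above is what a defender can key on: the BHO is registered by CLSID under the Browser Helper Objects key, and IE resolves that CLSID through `HKCR\CLSID\{...}\InprocServer32` to the DLL it loads. The following check is an added example, not part of the original write-up; it runs over a registry snapshot held in a plain dict (on a live host this would be filled from `winreg`), and the benign BHO entry in the sample is made up for contrast.

```python
# Indicators taken from the Adware:Win32/Addendum write-up above.
ADDENDUM_CLSIDS = {
    "{CD400D4A-49F7-4BE0-9C80-E1EA12BBF7A3}",  # IESideBand.Band -> iesb_nm.dll
    "{E2E94F8D-4323-4943-A269-2E9EF6280434}",  # IESideMon.Mon  -> iesm_nm.dll
}
ADDENDUM_DLLS = {"iesb_nm.dll", "iesm_nm.dll"}
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def find_addendum_bhos(reg):
    """Return one finding per BHO CLSID in `reg` that is an Addendum CLSID or
    whose InprocServer32 resolves to an Addendum DLL.

    `reg` is a registry snapshot: {key_path: {value_name: data}}, with "@"
    as the default value, mirroring the write-up's notation. On a live host
    it would be filled from winreg; a plain dict keeps the check portable."""
    findings = []
    bho_root = BHO_KEY.lower() + "\\"
    for key, values in reg.items():
        if not key.lower().startswith(bho_root):
            continue
        clsid = key[len(bho_root):].split("\\")[0].upper()
        # Resolve the COM in-process server IE would load for this CLSID.
        inproc = reg.get("HKCR\\CLSID\\" + clsid + "\\InprocServer32", {}).get("@", "")
        dll = inproc.rsplit("\\", 1)[-1].lower()
        if clsid in ADDENDUM_CLSIDS or dll in ADDENDUM_DLLS:
            findings.append({
                "clsid": clsid,
                "dll_path": inproc,
                "ie_only": values.get("NoExplorer") == 1,  # loads in IE, not Explorer
            })
    return findings


# Constructed snapshot: the entries listed above plus one benign BHO (made up).
SAMPLE_REG = {
    BHO_KEY + r"\{E2E94F8D-4323-4943-A269-2E9EF6280434}": {"NoExplorer": 1},
    BHO_KEY + r"\{11111111-2222-3333-4444-555555555555}": {},
    r"HKCR\CLSID\{E2E94F8D-4323-4943-A269-2E9EF6280434}": {"@": "IESideMon.Mon"},
    r"HKCR\CLSID\{E2E94F8D-4323-4943-A269-2E9EF6280434}\InprocServer32":
        {"@": r"%Program Files%\Addendum\iesm_nm.dll"},
    r"HKCR\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32":
        {"@": r"C:\Program Files\Vendor\benign.dll"},
}

if __name__ == "__main__":
    for f in find_addendum_bhos(SAMPLE_REG):
        print(f"Addendum BHO {f['clsid']} -> {f['dll_path']} (IE only: {f['ie_only']})")
```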

When Internet Explorer (IE) is launched, Adware:Win32/Addendum runs and may display unwanted pop-up advertisements. Addendum also monitors the web browsers IE, Mozilla Firefox and Google Chrome to check if the following URLs are accessed:

Search query results from the above requested URLs are redirected to the following by Adware:Win32/Addendum:

sidesearch.addendum.co.kr/?cddtc=nowutil_sidebar&keyword=<search keyword>

The search query is also submitted to the server "app2.tsmon.co.kr" using the following URI:

/app/qryinfo.asp?mid=<value>&ver=<value>&opt=cx&cddtc=nowutil_sidebar&q=<search keyword>=&stype=1

Win32/Addendum connects with the following additional websites to send data or to download Win32/Addendum updates:

  • app.joyalrim.co.kr
  • app2.tsmon.co.kr
  • joyalrim.co.kr
  • app.searchmon.co.kr
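The redirect URL, the query beacon to app2.tsmon.co.kr and the update hosts above are all observable in web proxy logs. The scanner below is an added example, not from the original write-up: it classifies requested URLs against those indicators and pulls out the leaked search term, using a constructed `<client> <url>` log format and made-up sample lines (paths not given above are invented).

```python
from urllib.parse import parse_qs, urlsplit

# Network indicators quoted in the write-up above.
REDIRECT_HOST = "sidesearch.addendum.co.kr"
BEACON_HOST, BEACON_PATH = "app2.tsmon.co.kr", "/app/qryinfo.asp"
UPDATE_HOSTS = {"app.joyalrim.co.kr", "app2.tsmon.co.kr",
                "joyalrim.co.kr", "app.searchmon.co.kr"}
CAMPAIGN_TAG = "nowutil_sidebar"  # fixed cddtc= value in both URLs above


def classify_url(url):
    """Return (label, leaked_keyword) if `url` matches an Addendum indicator,
    else None. The keyword is the victim's search term carried in the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query)
    tagged = qs.get("cddtc", [""])[0] == CAMPAIGN_TAG
    if host == REDIRECT_HOST and tagged:
        return "search_redirect", qs.get("keyword", [""])[0]
    if host == BEACON_HOST and parts.path == BEACON_PATH and tagged:
        # The write-up shows the term as q=<keyword>=; drop that trailing '='.
        return "query_beacon", qs.get("q", [""])[0].rstrip("=")
    if host in UPDATE_HOSTS:
        return "update_or_exfil", ""
    return None


def scan_proxy_log(lines):
    """Scan '<client> <url>' lines (a constructed minimal proxy-log format)
    and return (client, label, keyword) tuples for matching requests."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=1)
        if len(fields) != 2:
            continue  # skip blank or malformed lines
        hit = classify_url(fields[1].strip())
        if hit:
            hits.append((fields[0], hit[0], hit[1]))
    return hits


# Constructed sample lines, not captured traffic (paths not given above are made up).
SAMPLE_LOG = [
    "10.0.0.5 http://search.naver.com/search.naver?query=laptop",
    "10.0.0.5 http://sidesearch.addendum.co.kr/?cddtc=nowutil_sidebar&keyword=laptop",
    "10.0.0.5 http://app2.tsmon.co.kr/app/qryinfo.asp?mid=1&ver=2&opt=cx&cddtc=nowutil_sidebar&q=laptop=&stype=1",
    "10.0.0.7 http://app.searchmon.co.kr/update.bin",
    "10.0.0.9 http://www.example.org/",
]
```

The monitored search-engine URL itself is not flagged; only the redirect, the beacon and contacts with the update hosts are.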




Analysis by Ric Robielos

Last update 13 September 2011
