
Adware:Win32/SideOn


First posted on 09 November 2012.
Source: Microsoft

Aliases:

Adware:Win32/SideOn is also known as W32/Nbiz.UI (Norman), Adware/WinPro.B (Avira), Gen:Variant.Adware.Sidetab.1 (BitDefender).

Explanation:



Adware:Win32/SideOn is a component of a program called WinPro. This program may redirect your browser to certain websites and display advertisements for certain products.



Installation

Adware:Win32/SideOn creates the folder "%Programfiles%\WinPro" and then creates the following files within that folder:

  • %Programfiles%\WinPro\WinPro.exe - detected as Adware:Win32/SideOn
  • %Programfiles%\WinPro\WinPro.dll - detected as Adware:Win32/SideOn
  • %Programfiles%\WinPro\Uninstall.exe
  • %Programfiles%\WinPro\ex.dat
  • %Programfiles%\WinPro\except.dat


It also creates the following registry subkeys and entries so that it runs automatically when Windows starts and registers itself as a Browser Helper Object (BHO):

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "WinPro"
With data: "C:\\Program Files\\WinPro\\WinPro.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WTool
Sets value: "DisplayName"
With data: "WTool"
Sets value: "UninstallString"
With data: "C:\\Program Files\\WTool\\Uninstall.exe"

In subkey: HKLM\SOFTWARE\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}
Sets value: "Default"
With data: "ISideBand"

In subkey: HKLM\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}
Sets value: "Default"
With data: "IBandHelper"

In subkey: HKLM\SOFTWARE\Classes\WinPro.BandHelper.1
Sets value: "Default"
With data: "BandHelper Class"

In subkey: HKLM\SOFTWARE\Classes\WinPro.BandHelper
Sets value: "Default"
With data: "BandHelper Class"

In subkey: HKLM\SOFTWARE\Classes\WinPro.SideBand.1
Sets value: "Default"
With data: "SideBand Class"

In subkey: HKLM\SOFTWARE\Classes\WinPro.SideBand
Sets value: "Default"
With data: "SideBand Class"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPro
Sets value: "DisplayName"
With data: "WinPro"
Sets value: "UninstallString"
With data: "C:\\Program Files\\WTool\\Uninstall.exe"
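The artifacts listed above lend themselves to a read-only host check. The PowerShell script below is an added example, not part of the original Microsoft write-up: it looks for the file paths, autorun value, uninstall entries and COM registrations named above and reports which are present. It assumes it is run on the Windows machine being examined, and, because the write-up does not give the BHO's CLSID, it identifies the BHO by its ProgID (one of the WinPro.* ProgIDs above) or by its DLL living in the WinPro folder.

```powershell
# Added example, not from the original write-up: report WinPro/SideOn artifacts.
# Read-only: it lists findings and removes nothing.
$findings = New-Object System.Collections.Generic.List[string]
# 1. Files in %ProgramFiles%\WinPro (both Program Files folders on 64-bit hosts)
$dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | ForEach-Object { Join-Path $_ 'WinPro' }
foreach ($d in $dirs) {
    foreach ($n in 'WinPro.exe', 'WinPro.dll', 'Uninstall.exe', 'ex.dat', 'except.dat') {
        $p = Join-Path $d $n
        if (Test-Path -LiteralPath $p) { $findings.Add("File present: $p") }
    }
}
# 2. Uninstall entries and COM registrations from the write-up. A 32-bit installer
#    on 64-bit Windows is redirected to Wow6432Node, so both registry views are checked.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WTool',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPro',
    'HKLM:\SOFTWARE\Classes\Interface\{25D89E97-EEC7-4EE8-B6A5-42132E215251}',
    'HKLM:\SOFTWARE\Classes\Interface\{83F09346-4F99-488B-8CAD-BD7E7A68E5DF}',
    'HKLM:\SOFTWARE\Classes\WinPro.BandHelper.1',
    'HKLM:\SOFTWARE\Classes\WinPro.BandHelper',
    'HKLM:\SOFTWARE\Classes\WinPro.SideBand.1',
    'HKLM:\SOFTWARE\Classes\WinPro.SideBand'
)
$keys += $keys | ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\' }
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) {
        $def = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("Registry key present: $k  default='$def'")
    }
}
# 3. Autorun value "WinPro" under the Run key (both views)
foreach ($rk in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    $v = Get-ItemProperty -LiteralPath $rk -Name WinPro -ErrorAction SilentlyContinue
    if ($v) { $findings.Add("Autorun value WinPro in $rk = $($v.WinPro)") }
}
# 4. BHO registrations: the write-up omits the CLSID, so match each registered BHO's
#    ProgID against the WinPro.* ProgIDs above or its DLL path against the WinPro folder.
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $bho = "$root\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    Get-ChildItem -LiteralPath $bho -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid  = $_.PSChildName
        $progId = (Get-ItemProperty -LiteralPath "$root\Classes\CLSID\$clsid\ProgID" -ErrorAction SilentlyContinue).'(default)'
        $dll    = (Get-ItemProperty -LiteralPath "$root\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        if ($progId -like 'WinPro.*' -or $dll -like '*\WinPro\*') { $findings.Add("BHO $clsid ProgID='$progId' DLL='$dll'") }
    }
}
if ($findings.Count -eq 0) { 'No WinPro/SideOn artifacts found.' } else { $findings }
```

Run it from an elevated prompt so HKLM and Program Files are fully readable; a hit on the BHO check together with the Run value is the strongest indicator, since the uninstall entries alone are also left behind by a partial uninstall.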

Execution

Monitors your browsing habits

Adware:Win32/SideOn monitors your browsing habits if you go to a URL containing any of the following strings:

  • daum.net
  • dreamwiz.com
  • google.co.kr
  • google.co.krwebhp?hl=ko
  • joinsmsn.com
  • kbstar.com
  • kr.yahoo.com
  • nate.com
  • naver.com
  • nonghyup.com
  • paran.com
  • wooribank.com
  • yahoo.com
  • zum.com


If you are visiting a URL that contains any of these strings, the string is sent to the server "winpro.co.kr". Based on the string, the server may return certain ads to display.

Additional information

Adware:Win32/WinPro may display the following dialog box:

[Dialog box image not reproduced in this copy.]

Analysis by Alden Pornasdoro

Last update 09 November 2012
