Adware-Surfbar

Type: Program
SubType: Adware
Discovery Date: 09/03/2003
Length: Various
Minimum DAT: 4291 (09/03/2003)
Updated DAT: 5562 (03/23/2009)
Minimum Engine: 5.1.00
Description Added: 09/03/2003
Description Modified: 09/04/2003 1:53 AM (PT)
Risk Assessment:
Corporate User: N/A
Home User: N/A

Characteristics

AVERT has received a few enquiries concerning this application.

It is believed that a recent Internet Explorer exploit has been taken advantage of in a spammed HTML formatted email message. The message contains specific ActiveX tags to take advantage of this exploit in order to execute a remote script.

The ActiveX content within the HTML message is detected as Exploit-ODREV with the specified DATs.

The remote script is detected as VBS/Inor. It drops and executes the following binary on the victim machine:

C:\DRG.EXE

This file is detected as Downloader-ED. When it is run, it connects to a remote server and downloads the Adware application.

For details concerning the exploit, and links to the necessary patch, follow the link below:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp

Application Installation

Upon installation many file system and Registry modifications are made.

The following files are installed in the Program Files directory:

 c:\Program Files\win32.dll (508,000 bytes)
 c:\Program Files\winsrv32.exe (6,657 bytes)

Both of these files are detected as Adware-Surfbar with the specified engine/DATs (with application type detections enabled - see below).

System startup is hooked via the following Registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce "win32" = c:\program files\winsrv32.exe

The default startpage is modified via the following Registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.surferbar.com/

A toolbar is also installed on the local machine, via the following Registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar "{FF7FD490-34E7-4FA1-927A-F5799E6AAD7B}"

Many folders are created on the local machine, into which various URL shortcuts are dropped. A large proportion of these shortcuts are porn-related.

The following parent folders are created into which sub-folders containing these shortcuts are added:

c:\WINDOWS\Desktop\Adult Entertainment
c:\WINDOWS\Desktop\Casinos & Gambling
c:\WINDOWS\Desktop\Find a date
c:\WINDOWS\Favorites\Adult Entertainment
c:\WINDOWS\Favorites\Casinos & Gambling
c:\WINDOWS\Favorites\Find a date
c:\WINDOWS\Favorites\Search The Net
c:\WINDOWS\Start Menu\Adult Entertainment
c:\WINDOWS\Start Menu\Casinos & Gambling
c:\WINDOWS\Start Menu\Find a date
c:\WINDOWS\Start Menu\Programs\Adult Entertainment
c:\WINDOWS\Start Menu\Programs\Casinos & Gambling
c:\WINDOWS\Start Menu\Programs\Find a date
c:\WINDOWS\Start Menu\Programs\Search The Net
c:\WINDOWS\Start Menu\Venusseek

The following shortcuts are dropped onto the Windows desktop:

Adult Search.lnk (204 bytes)
Erotic Search.lnk (181 bytes)
Web Search.lnk (178 bytes)
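The registry values, files and desktop shortcuts listed above are the indicators a responder would check for on a suspect host. The following PowerShell function is an added example, not part of the AVERT description: it tests a machine for each artefact named in this write-up and returns the ones present. It assumes Windows PowerShell 5.1 or PowerShell 7 on a current Windows build, so the user's Desktop folder is resolved through the .NET API rather than the c:\WINDOWS\Desktop path shown above, and the function name Test-AdwareSurfbarIndicators is the author's own choice.

```powershell
# Added example (not part of the AVERT description): check a host for the
# Adware-Surfbar artefacts listed in the write-up. Assumes Windows PowerShell 5.1+
# on a modern Windows build; the Desktop path is resolved for the current user.
function Test-AdwareSurfbarIndicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Startup hook: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce "win32"
    $runOnceKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $runOnce = Get-ItemProperty -Path $runOnceKey -Name 'win32' -ErrorAction SilentlyContinue
    if ($runOnce -and $runOnce.win32 -match 'winsrv32\.exe') {
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Location = "$runOnceKey\win32"; Value = $runOnce.win32 })
    }

    # 2. Start page hijack: HKCU\Software\Microsoft\Internet Explorer\Main "Start Page"
    $mainKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $main = Get-ItemProperty -Path $mainKey -Name 'Start Page' -ErrorAction SilentlyContinue
    if ($main -and $main.'Start Page' -match 'surferbar\.com') {
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Location = "$mainKey\Start Page"; Value = $main.'Start Page' })
    }

    # 3. Toolbar CLSID registered as a value name under HKLM\...\Internet Explorer\Toolbar
    $clsid = '{FF7FD490-34E7-4FA1-927A-F5799E6AAD7B}'
    $toolbarKey = Get-Item -Path 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
    if ($toolbarKey -and ($toolbarKey.GetValueNames() -contains $clsid)) {
        $findings.Add([pscustomobject]@{ Kind = 'Registry'; Location = $toolbarKey.Name; Value = $clsid })
    }

    # 4. Dropped binaries. A 32-bit installer on 64-bit Windows lands in Program Files (x86),
    #    so both Program Files directories are checked. Sizes from the write-up are compared
    #    with what is on disk, since a different size may indicate a repacked variant.
    $programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    $expected = @(@{ Path = "$env:SystemDrive\DRG.EXE"; Size = $null })
    foreach ($dir in $programDirs) {
        $expected += @{ Path = (Join-Path $dir 'win32.dll');    Size = 508000 }
        $expected += @{ Path = (Join-Path $dir 'winsrv32.exe'); Size = 6657 }
    }
    foreach ($e in $expected) {
        if (Test-Path -LiteralPath $e.Path -PathType Leaf) {
            $len = (Get-Item -LiteralPath $e.Path).Length
            $note = if ($e.Size -and $len -ne $e.Size) { "$len bytes (write-up: $($e.Size))" } else { "$len bytes" }
            $findings.Add([pscustomobject]@{ Kind = 'File'; Location = $e.Path; Value = $note })
        }
    }

    # 5. Desktop shortcuts and the category folders the installer creates
    $desktop = [Environment]::GetFolderPath('Desktop')
    foreach ($name in 'Adult Search.lnk', 'Erotic Search.lnk', 'Web Search.lnk',
                      'Adult Entertainment', 'Casinos & Gambling', 'Find a date') {
        $p = Join-Path $desktop $name
        if (Test-Path -LiteralPath $p) {
            $findings.Add([pscustomobject]@{ Kind = 'Desktop'; Location = $p; Value = 'present' })
        }
    }

    return $findings
}

# Usage: print any findings and exit non-zero so a scheduled job or script runner flags the host.
$result = @(Test-AdwareSurfbarIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No Adware-Surfbar indicators found.'
} else {
    $result | Format-Table -AutoSize
    exit 1
}
```

The registry checks read only the three values the write-up names; on 64-bit Windows a 32-bit installer may also have written the toolbar CLSID under HKLM\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar, which this example does not cover. Cleaning up is still best left to the scanner with PUP detection enabled (see the Removal section), since the installer also creates the Favorites and Start Menu folders listed above.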

Symptoms

N/A - this is not a virus or trojan, but an application.

Method of Infection

N/A - this is not a virus or trojan, but an application.

Variants

N/A

All Information

Overview -

This is a Potentially Unwanted Program (PUP) detection. It is not a virus or trojan. PUPs are any piece of software which a reasonably security- or privacy-minded computer user may want to be informed of.

Aliases

  • Aduent
  • JunkSurf
  • Surferbar

Removal -

Instructions on Enabling/Disabling Detection and Removal of Potentially Unwanted Programs