Adware-SafeSurf

Type: Program
SubType: Adware
Discovery Date: 03/14/2005
Minimum DAT: 4311 (12/24/2003)
Updated DAT: 4825 (08/09/2006)
Minimum Engine: 5.1.00
Description Added: 04/15/2004
Description Modified: 09/30/2005 1:11 PM (PT)

Characteristics

McAfee(R) AVERT recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution

This is not a virus or a trojan. It is detected as a "potentially unwanted program." It is a direct-marketing adware application that generates pop-up advertisements. It also functions as a downloader that retrieves and installs additional applications/components (Adware-SAHAgent was installed during testing). Two Browser Helper Objects are installed in Internet Explorer. Search terms are passed to subdomains of popupsearches.com and trafficmp.com, and advertisement data is retrieved as directed by the servers.

This application does not display a license agreement when installed. Installation was completely silent upon launching the installer.

Privacy

No privacy policy was displayed during installation. Installation was completely silent.

The software transmits browsing data (search terms and other URL or clickstream data) to third-party servers. A unique identifier is created for the installation and included in transmissions. Personal data could potentially be compromised by the software or other components it might download and install.

System Changes

General defaults for typical path variables (although they may be different, they usually are not):
%WinDir% = \WINDOWS (Windows 9x/ME/XP), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM32 (Windows 9x/ME/XP), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

"*" - Denotes files that, though potentially installed along with the software, are by themselves innocent and not included in detection.

Files Added

  • %SystemDir%\wirelanb.dll (408 KB)
    MD5: 1C79B21A086F7ABE8F829DFA2ECF6072
  • %SystemDir%\uu73lts9.html (name is random) (1 KB)
  • %SystemDir%\oqytgyfp.dll (name is random) (220 KB)
    MD5: 92219F1A4E1796DFC78F88CB1B1F8C10
  • %SystemDir%\msxml3a.dll* (24 KB)
  • %SystemDir%\lanbrup.exe (32 KB)
    MD5: 9AC0A5E50B8B19398CD0AFDCF96A1428
  • %SystemDir%\lanbruns.exe (44 KB)
    MD5: 50C13FF716BDC2E34BD14FC6943A0691
  • %SystemDir%\bho.dll (188 KB)
    MD5: E60C233D620FF5C736C0C4612E64BFEC
  • %WinDir%\issm0064.dat (name and size may vary)
  • c:\adlog.txt (size varies)
    Note: Files downloaded to temporary folder may vary by installation and/or over time.
  • c:\documents and settings\(username)\local settings\temp\slmnpant.tmp (377 KB)
  • c:\documents and settings\(username)\local settings\temp\s2dc.5 (1 KB)
  • c:\documents and settings\(username)\local settings\temp\nsx21.tmp (181 KB)
  • c:\documents and settings\(username)\local settings\temp\nsu1f.tmp (7 KB)
  • c:\documents and settings\(username)\local settings\temp\nsj23.tmp (103 KB)
  • c:\documents and settings\(username)\local settings\temp\nsi25.tmp (10 KB)
  • c:\documents and settings\(username)\local settings\temp\labpengs.tmp (32 KB)
  • c:\documents and settings\(username)\local settings\temp\extractdll.dll (9 KB)
  • c:\documents and settings\(username)\local settings\temp\dayst.dat (1 KB)
  • c:\documents and settings\(username)\local settings\temp\binsttmp.tmp (1 KB)
  • c:\documents and settings\(username)\local settings\temp\111419.exe (124 KB)
  • c:\documents and settings\(username)\.gtk-bookmarks (1 KB)

Registry

The following registry keys are created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "lanbrup"="C:\WINDOWS\system32\lanbrup.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{71D1708F-973D-4600-AF01-AD86688403AE}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Explorer\Browser Helper Objects\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanbrd
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Webext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Lanbridge
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Uninstall\LANBridge
  • HKEY_LOCAL_MACHINE\SYSTEM\Services\SharedAccess\Parameters\
    FirewallPolicy\StandardProfile\AuthorizedApplications\List\lanbrup.exe
    "default"="lanbrup.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Use Search Asst"="no"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    "Search Bar"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    "SearchURL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
  • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Popup\Settings
  • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\Popup
  • HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications
  • HKEY_CURRENT_USER\Software\In3rd
  • HKEY_CLASSES_ROOT\TypeLib\{547DDE29-2299-4C8F-B613-DA17A62CF102}
  • HKEY_CLASSES_ROOT\TypeLib\{34A35BBB-8C19-4482-864C-290BD8DD6A5D}
  • HKEY_CLASSES_ROOT\Pool.LANBridge.1
  • HKEY_CLASSES_ROOT\Pool.LANBridge
  • HKEY_CLASSES_ROOT\Interface\{89E9F6CF-6F80-4C5E-B8E8-78E5A6B5D3BF}
  • HKEY_CLASSES_ROOT\Interface\{5679B16C-CD3A-471F-A503-25C528A3AD26}
  • HKEY_CLASSES_ROOT\Interface\{2AB7A3C6-9D09-428C-AA65-07BD49FB7065}
  • HKEY_CLASSES_ROOT\CLSID\{71D1708F-973D-4600-AF01-AD86688403AE}
  • HKEY_CLASSES_ROOT\CLSID\{4681B27C-CD92-4AFF-B5F6-1C53970344B6}
  • HKEY_CLASSES_ROOT\CLSID\{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}
  • HKEY_CLASSES_ROOT\CLSID\{19B7F2D6-1610-11D3-BF30-1AF820524153}
    \Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
  • HKEY_CLASSES_ROOT\CLSID\{19B7F2D6-1610-11D3-BF30-1AF820524153}
    \Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
  • HKEY_CLASSES_ROOT\BHO.Hider
  • HKEY_CLASSES_ROOT\BHO.Adware
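
For offline triage, the persistence entries in the list above (the Run value, the two Browser Helper Object CLSIDs and the vendor keys) can be matched against a regedit text export. The following is an added example, not part of the original description or of any McAfee tool; the function names are hypothetical, and the sample export and its all-zero CLSID are constructed for illustration.

```python
import re

# Indicators copied from the Registry list on this page.
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Explorer\Browser Helper Objects").upper()
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".upper()
BHO_CLSIDS = {"{71D1708F-973D-4600-AF01-AD86688403AE}",
              "{4006DCA3-433D-4FC8-AC36-42DA7797DCB7}"}
VENDOR_KEYS = {r"HKEY_LOCAL_MACHINE\SOFTWARE\LANBRIDGE", r"HKEY_CURRENT_USER\SOFTWARE\IN3RD"}
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Parse regedit export text into {key: {name: data}}; only string values are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes inside strings
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            current[name] = data
    return keys

def find_indicators(keys):
    """Return sorted (kind, detail) tuples; key names compare case-insensitively."""
    hits = set()
    for path, values in keys.items():
        upper = path.upper()
        parent, _, leaf = upper.rpartition("\\")
        if parent == BHO_ROOT and leaf in BHO_CLSIDS:
            hits.add(("bho", leaf))
        if upper in VENDOR_KEYS:
            hits.add(("vendor-key", upper))
        if upper == RUN_KEY:
            for name, data in values.items():
                if name.lower() == "lanbrup" or data.lower().endswith("\\lanbrup.exe"):
                    hits.add(("autorun", data))
    return sorted(hits)

# Constructed sample export (not from a real host); the all-zero CLSID is a made-up benign BHO.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71d1708f-973d-4600-af01-ad86688403ae}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lanbrup"="C:\\WINDOWS\\system32\\lanbrup.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Lanbridge]
'''
```

Calling find_indicators(parse_reg(SAMPLE)) reports the autorun value, the one matching BHO and the vendor key, and ignores the unrelated BHO.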

Network Impact

Additional overhead in bandwidth due to transmission of browsing data, download of advertising content, and download of additional software components.

Aliases

  • Adware-SafeSurf