Adware-WinShow
- Type: Program
- SubType: Adware
- Discovery Date: 03/29/2005
- Minimum DAT: 4299 (10/22/2003)
- Updated DAT: 5148 (10/24/2007)
- Minimum Engine: 5.1.00
- Description Added: 04/15/2004
- Description Modified: 04/07/2005 9:16 AM (PT)
Characteristics
Distribution
No visible indication is given that any software is being installed when the installation program is executed. The installer downloads winshow.dll, a Browser Helper Object (BHO), and installs it with the necessary registry entries. No license agreement is displayed, although one could be displayed by another installer if this component is bundled with another application. At the first launch of Internet Explorer, winshow silently downloads an update to itself and also installs an additional BHO, winlink.dll. Winlink then removes the registry entries that engage the winshow BHO; from this point, further instances of Internet Explorer crash on launch until the system is rebooted. Following a reboot only the winlink BHO remains installed, and on the next launch of IE the QLowZones-14 Trojan is downloaded and executed. Once the installation has settled, the homepage has been changed and several domains have been added to the "Trusted Sites" security zone. Winlink continues to run silently and watches for keywords (based on the encrypted keywords.dat file) by hooking the HTML rendering engine in IE. When matches are found, it inserts active links that redirect to search engines querying those keywords or phrases (frequently www.totalsearches.com).
Privacy
The download and execution of QLowZones-14 results in modifications to the Trusted Sites security zones and other changes in security-related registry settings.
System Changes
Installer: (detected as Adware-WinShow.dldr)
Name: Q230903.exe (name may vary)
Size: 13,312 bytes (packed with ASPack 1.08.04)
MD5: 4D3953844437104FC33A6E65527A22DE (packed)
Size: 32,768 bytes (unpacked)
MD5: 2D633945B9B67A337B94E0E9D945E119 (unpacked)
Files Added
c:\Documents and Settings\Administrator\Application Data\winshow\winshow.dll
Size: 43,520 bytes
MD5: 0x9A3DE9C6EEEDE5343801F5AECD7630EA
NOTE: The newer version of winshow.dll, which replaces the original during the first launch of IE, has the following characteristics:
c:\Documents and Settings\Administrator\Application Data\winshow\winshow.dll
Size: 31,744 bytes (packed)
MD5: 0x493A4F9077FDFC9F53DFB0E13756EBA2 (packed)
Size: 95,232 bytes (unpacked)
MD5: 0x2727B1D688E70552BF6718D85BEBD7C7 (unpacked)
c:\Documents and Settings\Administrator\Application Data\winshow\dict.dat
Size:
c:\Documents and Settings\Administrator\Application Data\winshow\winshow.new
Size: 31,744 bytes
MD5: 0x493A4F9077FDFC9F53DFB0E13756EBA2
NOTE: The winshow.new file is simply a newer version of the winshow.dll which is downloaded on the second launch of Internet Explorer following the system reboot.
c:\Documents and Settings\Administrator\Application Data\winlink\keywords.dat
Size:
c:\Documents and Settings\Administrator\Application Data\winlink\winlink.dll
Size: 36,864 bytes (packed)
MD5: 0x8F7CB73CE0A2FE9390E1D655D089BE0B (packed)
Size: 103,424 bytes (unpacked)
MD5: 0xB32648A43E3F0A134C37A35D2AEAF940 (unpacked)
Registry Changes
(most significant/high-level)
NOTE: These are the net changes after the installation process has completely settled. Initially, registry changes are made by the winshow.dll file, but those are subsequently removed by winlink.dll as previously described.
Keys Added:
HKEY_CURRENT_USER\Software\winlink
HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}
HKEY_CLASSES_ROOT\winlink.ViewSource
HKEY_CLASSES_ROOT\winlink.ViewSource.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}
Values Added:
HKEY_CURRENT_USER\Software\winlink\winlink "DictVersion"
Data: 05, 00, 00, 00
HKEY_CURRENT_USER\Software\winlink\winlink "LastUpdate"
Data: 3B, 32, 00, 00
HKEY_CURRENT_USER\Software\winlink\winlink "ModuleVersion"
Data: 05, 00, 00, 00
HKEY_CURRENT_USER\Software\winlink\winlink "UpdateHour"
Data: 02, 00, 00, 00
HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\InprocServer32 "(Default)"
Data: C:\Documents and Settings\Administrator\Application Data\winlink\winlink.dll
HKEY_CLASSES_ROOT\winlink.ViewSource\CLSID "(Default)"
Data: {6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A} "(Default)"
Data: winlink module
Note: The following changes appear to be made by the QLowZones-14 Trojan and are not directly related to the WinShow DLLs; however, they have significant security implications.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "MinLevel"
Data: Code Download
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "Safety Warning Level"
Data: SucceedSilent
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "Security_RunActiveXControls"
Data: 00, 00, 00, 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "Security_RunScripts"
Data: 00, 00, 00, 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "Trust Warning Level"
Data: No Security
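As an added illustration that is not part of this advisory, the Python check below parses a .reg-style export of the keys listed above and reports which of the registry indicators (the winlink BHO registration and the weakened Internet Settings values) are present. The sample export is constructed for the example, and the minimal parser assumes a standard Windows Registry Editor 5.00 export layout.

```python
# Indicators taken from the advisory: the winlink BHO CLSID and the Internet Settings values set by QLowZones-14.
WINLINK_CLSID = "{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
WEAKENED_INET_VALUES = {
    "MinLevel": "Code Download",
    "Safety Warning Level": "SucceedSilent",
    "Trust Warning Level": "No Security",
    "Security_RunActiveXControls": "hex:00,00,00,01",
    "Security_RunScripts": "hex:00,00,00,01",
}

def parse_reg(text):
    # Minimal .reg export parser: returns {key path: {value name: data}}
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")  # unescape .reg backslashes
    return keys

def find_winshow_indicators(text):
    # Returns a human-readable finding for each advisory indicator present in the export
    reg, findings = parse_reg(text), []
    if BHO_KEY + "\\" + WINLINK_CLSID in reg:
        findings.append("winlink BHO registered: " + WINLINK_CLSID)
    dll = reg.get("HKEY_CLASSES_ROOT\\CLSID\\" + WINLINK_CLSID + "\\InprocServer32", {}).get("(Default)", "")
    if dll.lower().endswith("winlink.dll"):
        findings.append("BHO InprocServer32 points at " + dll)
    inet = reg.get(INET_KEY, {})
    for name, bad in WEAKENED_INET_VALUES.items():
        if inet.get(name, "").lower() == bad.lower():
            findings.append(f"Internet Settings weakened: {name} = {bad}")
    return findings

# Constructed sample export (not captured from a real host) mirroring the entries listed in the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}]
@="winlink module"
[HKEY_CLASSES_ROOT\CLSID\{6CC1C91A-AE8B-4373-A5B4-28BA1851E39A}\InprocServer32]
@="C:\\Documents and Settings\\Administrator\\Application Data\\winlink\\winlink.dll"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"Safety Warning Level"="SucceedSilent"
"Security_RunActiveXControls"=hex:00,00,00,01
"""
```

On a live host the same checks apply to the output of `reg export` for the three keys, with a clean system producing an empty findings list.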
Network Impact
Additional overhead in bandwidth due to downloads of additional components and/or updates.
Aliases
N/A